
Thread: Virus Alert: Novarg / MiMail / MyDoom

  1. #31
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    TS

    +=+=+=+=+=+=+=+=+=
    NMap claimed that 2 ports used by VNC were open on the target machine...... Unfortunately, being in a hurry I didn't save the scan results and I forget the ports. Added to that I had the machine shut down so I can't rerun the scan.
    +=+=+=+=+=+=+=+=+=

    VNC runs on 5800 and 5900 and can be accessed using a web browser on port 5800 (http://<machinename>:5800). If it's password protected you can shut it down with pskill from Sysinternals (pskill \\machinename winvnc), then use gencontrol to give 'em hell.

    BTW, it wasn't dropped by a virus. If it were, it would only be running on 5900 to reduce the number of components it needed.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #32
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Well, VNC usually runs on ports 5500 (viewer) and 5800-5999 (server dynamic)....the worm uses 3127-3198.

    Of course it could be VNC set to run on those ports rather than the default, but the registry entries between the two don't match....

    That however doesn't rule out VNC as the trojan component, as the source could have been modified fairly easily and recompiled.

    EDIT: However, nMap probably isn't looking for VNC on ports 3127-3198....it's looking at the defaults, which means VNC got there by another route, not this virus.

    Just thinking out loud

    EDIT: Damn, you're fast, Ted!
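    A defender-side way to act on the port facts in the post above: a small triage script that takes `netstat -an` style output from a suspect host and separates listeners in the worm's 3127-3198 range from the VNC defaults (5500, 5800-5999) and from everything else. This is an added example for the thread, not code from any poster; the netstat lines in it are constructed, and the port ranges are the ones stated in the post.

```python
"""Triage TCP listeners on a host against the port ranges named in the thread.

Added example, not from any poster. Port ranges come from the post above:
VNC defaults 5500 (viewer) and 5800-5999 (server), MyDoom/Novarg backdoor
3127-3198. The netstat output below is constructed for the demo.
"""
import re

MYDOOM_BACKDOOR = range(3127, 3199)          # 3127-3198 inclusive
VNC_DEFAULTS = {5500, *range(5800, 6000)}    # viewer 5500, server 5800-5999

# Constructed sample in the layout of `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:25         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches a TCP line in LISTENING state and captures the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def listening_ports(netstat_text):
    """Return the sorted list of distinct TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def classify(ports):
    """Bucket ports: 'suspect' = worm backdoor range, 'vnc' = VNC defaults,
    'other' = anything else. A hit in 'suspect' is a lead, not proof; as the
    post notes, a legitimate service could be configured onto those ports."""
    result = {"suspect": [], "vnc": [], "other": []}
    for p in ports:
        if p in MYDOOM_BACKDOOR:
            result["suspect"].append(p)
        elif p in VNC_DEFAULTS:
            result["vnc"].append(p)
        else:
            result["other"].append(p)
    return result


if __name__ == "__main__":
    buckets = classify(listening_ports(SAMPLE_NETSTAT))
    for name, plist in buckets.items():
        print(f"{name:8s} {plist}")
```

    Run it against a saved `netstat -an` capture from the host in question; on the constructed sample it reports 3127 as suspect and 5800/5900 as VNC. The next step for a suspect hit is to identify the owning process (netstat -o on XP and later, or the Sysinternals tools already mentioned) before concluding it is the worm's backdoor rather than a relocated legitimate service.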

  3. #33
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    LOL just got an email regarding this Virus from my OIT department:

    Date: January 27, 2004

    Subject: **OIT Virus Alert**


    As of mid day on Monday a new computer virus affecting personal
    computers running the Microsoft operating system(s), Windows 2000, XP,
    98, ME, 2003, NT, and 95, dubbed, W32.Novarg.A@mm began to spread
    rapidly. This is a mass-mailing worm that arrives with an attachment
    in .zip, .exe, .cmd, .pif, .bat, or .scr format. Once opened it begins
    to spread to others in your address book and creates a back door for
    intruders to enter on your personal computer. In addition it begins to
    initiate a denial of service attack on 2/1/01. Please take a moment to
    ensure that your virus definitions are up to date. To do this, double
    click on the gold shield located in the lower right hand corner of your
    screen, look at the date of the virus definitions file, anything older
    than 1/21/04 requires an update. To update your PC click the live
    update button and accept the defaults. You may also help this cause by
    being diligent in your efforts and not opening attachments or emails
    unsolicited or suspicious. For more information on this particular
    virus, please visit the following site: For more information please
    visit the following link:
    http://securityresponse.symantec.com...varg.a@mm.html
    If you have any questions or concerns, please contact the OIT helpdesk
    immediately at extension 4500. Thank you, OIT.
    Glad to see that they're on top of things.

  4. #34
    Junior Member
    Join Date
    Jan 2004
    Posts
    11

    Re: Re: eSAFE and Novarg (MyDOOM, mimail.q)

    Originally posted here by DjM


    I suspect this is the contents of the zip file before the virus is stripped away.

    Cheers:

    Well that is weird because in most cases I can see the zip files with the infected file removed. Normally we can open the zip and see that nothing is inside and its size is 0k.

    Any other idea where that stuff would come from?


    Thanks,

    Roach4

  5. #35
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Any of you guys looked at the infection map for this thing? Looks like Russia and Australia are being hardest hit right now.

    Here's a link

    Be careful all you guys from those areas.

  6. #36
    I'd rather be fishing DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by 576869746568617
    Looks like Russia and Australia are being hardest hit right now.
    MessageLabs first contact was from Russia.

    First stopped from: Russian Federation
    MessageLabs

    By the way, a removal tool has just been posted by Symantec.

    TOOL

    DjM

  7. #37
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    S3cur|ty4nq31 just posted a snort rule for this virus in this thread.

    http://www.antionline.com/showthread...hreadid=253971
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  8. #38
    FYI the programmers for Symantec have finally arrived to work and published a removal tool.

    http://securityresponse.symantec.com...oval.tool.html

    Sorry about that.

    Thanks DjM I missed that post.

  9. #39
    I'd rather be fishing DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Chief1
    FYI the programmers for Symantec have finally arrived to work and published a removal tool.

    http://securityresponse.symantec.com...oval.tool.html
    Already posted above Chief
    DjM

  10. #40
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    576869746568617,

    In regards to your earlier post about the domains that it would "avoid": I happen to be in one of these domains; however, I'm not seeing nearly the amount of traffic that I would think I would be getting for a category 4 virus. Is it possible that this bug has a "bug" that allows some of them to slip through even though it's one of the avoided domains?

    Ideas anyone? How much traffic is everyone seeing from this thing?
