Virus Alert: Novarg / MiMail / MyDoom

[jehnx]

To answer who asked why it was on Windows: The whole point of this virus, it seems, is to DDoS the SCO site, undoubtedly because of their attacks on Torvalds of recent. Linux users, generally, are much too savvy to 1) download a file attachment they don't know the send of or 2) wait more than one minute to patch their system. But, Windows users a lot of the time leave their computers succeptible to attacks because of a lot of their ignorance, and are thus better targets in this market... basically, the writers think they're too dumb to understand what's going on.

[DjM]

Originally posted here by 576869746568617
Not quite, DjM. See my post above. The symantec writeup does indeed say that the virus ignores .edu addresses.

I think that's what I said

Symantec does mention that it will bypass .edu accounts

Cheers:

[576869746568617]

I stand corrected....It's early and my mailserver's ate up like swiss cheese with this blasted worm! I misread your post.

My apologies

[ikalo]

Wow... this thing sounds serious.
I didn't catch any worm for last 4 years because:

1. I don't open attachments of any kind if I don't expect them
2. If it is espected, and it is some kind of animated stuff, I duble check it before I start it
3. My AV is checking for updates automaticaly, and install them at once!
4. I check out antivirus sites oftem for fast spreading viruses
5. I run Windows Update at least once per week

And I don't still feel safe... Just remeber that damn Blaster thing...

[576869746568617]

I do pretty much the same, but when the AV updates at one time, and the definitions come out after the update, you still aren't safe. Automation helps, but it's not a cure all.

Oh yeah, all you guys with IDS, here's the IDS signature for the trojan portion of the worm. This one is specific to Symantec IS, Manhunt, and SCS (IDS Signature provided by Symantec)....I'm looking for one one for snort....If I can't find one, I'll write one myself (unless Q.o.D. beats me to it!) I will post it here.
Symantec IDS Signature:

*******************start file********************

alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37

*************EOF*********************

[Roach4]

Hi,

We got eSAFE installed and running fine, removing every attachment which contains a zip, exe, bat, and so on...

But here is what we see when eSAFE removes a ZIP attachment containing a threat.

------------------------------------------------------

*** eSafe detected a hostile content in this email and removed it. ***
/readme.zip/readme.txt .pif Msg #705 - The file type pif is on the Restricted List.
T-ˆ÷ŽÅ*Å’Ã¥d~õIcaøc;WLóû~rÃ�>gLÃ’ ë¢\Røi^z…q<è0Ñ{ˆ gDâ€�g{ªe19Ã�
&þèCÖ)Ã*¿.NüZµÃ�N¿æ™œ«¯)ª/J×ÇèsSWÙyûm"µó¡ôö§«
KïižrE¹úoÚHdºp֤EÞ~¯ÅYÅ*ÚÃ�K^{r´ZùD¼8×Å*F-"ýÛs}Ã�t²™ö7jVéh'¶½„k5EÛØ:ãm‘bÕôo®ê*É$–×Ø}©d}UËjθ~’ãÀ÷þ?²-îO|²2wf²Žâ€�ç]ff^&_s9BÆŽŽ-׈6i]…H˪엫sg
æPclÛA•Mð%q 8U!RÃ�Å*á’4¤DÃ*üwï_„æ‚M…Ó5ˇ2%„Åë0¥èøïÛ.«!mvB‘õüz×ïÉ•çÇé¯ÄvîÃ�)Ã�H_Ã�4Å’kû‚¼ igŸÕMù>¾å2i7ñn1`
5ïmüúZ8óŒ9o�»y6B\ìr ÈÇMXY#·Žò}â]8Ãã�¯&ßÆYÉ-QMo PÇ Õ
ÅülÙÃ�‘jáPPöÃ*þwñJ½C%X¿»ì‚¯#Ò– ñ}GØë¨27Sòß|$ ücC~-AÊK~YÓ¸ÔPÃ�â€�gmÑQxLâ€* o‡Ÿ|UTÃ�,]~‰šÊ’²[çÖ-3•¿±Ã� Ã�VÈüÎyA³ð]ÞRM/Ã*rÛ^ùѽ„n>®8–‚¿Zâ€�;;Ñ¢*MI¡}vÃŒok“
~0èêç Õ |`ó~©)
ùa:곫Z3ó~Öâ€�Â¥BUÈzÄ×_&¶$Å*
Ã*,F¤ç
!¿(õÀ®ÛÞŒƒÖŽ87‰jÃ�̾C ký©tm{Ç·zõ?©SÅ¡/é“·<Ã�Ì´žyã4ÃœmðLÃ*óƒÜ[D?or‹1TÉ|QH¹·&¸ CgYGÜ–¼´OE¢L÷!ß³–,©|(VÓˆ&ËŽÃ�ôÕˆ Ã�]ðë;sú#}Ë`˱Z&§Äâ€�¸{$Å“1,û. »w}4‹æŸÇéËZFöÜY© ²qÚÄ# öˆqé®~^ÃŒ2 ØÀ¢‡¢«nùA'ëÚzÊ1Ä8ZÆBü6wb&… ¬a—;Påƒyȇmø~šÓ0¼¾ñö‘éV¨MõÙ
~,Ä)ümFsʉ/mïó¿ <#‘„iÃ*ùßÀýkwÑlþD±S¬ÀBêEï¼_C·ÌyX¶~þðö«ôoº“CÙÃ*B¯–×}S‹æ¬#¢‘q£òÃ�;‰’ òÉ< ÈÆSV¬>°ßY~¬yTáÈp÷F ÷?âÚc141·¢!8µðRFE®è ‰Z)ÞÃ�h¸æ)ë§~Ž—7ZW‘šêçj„ßÃ�ËsBÇÃ�óê¶s¨•c¸òwÅ*¿ö°Q:²°|bïk‘¶ÙSÊÀÛ•
°—ýË¥t´yhYÿVè~c½
òožT^ô*Å“fØ^•…yÃ*‚>®»ê ˬT’
•B;hË]M£.©Ã�fßx½IP‚Þ&·Ã�Ÿš.þ±¹'Ã�{×Ã*xÀ?%ég<Y-“fû0:MÇShùý„åâîp êÄ£#;úä-‰N¬ ÜÆTúƒîQæÅúø ;i…-Å*qÃ�Ê<Ö)û•œ©¾¥ç\PÑF¯³Ùâ „,WÌžÕè,n»#>Ôc Q~yë¡W-°±n´/“ZqnH
!|õ^ó‘õˆùCNóÕÃ�)—W³sì®ù…G,5K„'tTò샕Ã*NiØ`D¨SúæKË#]
Ã*5 8Ã’0’ÂVn’–-ø3Ã�/[ÎØsb‡ª'A¤º‹ìï?Zùð'}Ã*¤yC§_ÈÒÃ�²óâ“ ÌØåù‰hñkø©‘ç µKMPOpÚáù
.·;鉚®–Ùº,_êÊŸùŽ®[½ù“×Ã*pùùòZ ¶]d¢ßL 8nl-{›T6¼~sY„> ãã)(Ã�HPÔÃ�ØDYMKã‚EJç5 –è©Cé‹õ…‰B¢¢â€�|#ñ%jWkI1ál¤*CY~ÄäRÛîæÖ¨¾º¹^OâC¸Èëø:ß%*õ*~}Nt¸År~ùG>´„j¶Ò>ÈìG§AÄÃ�…>VÞkýšâêË~Ãœ(_¿ÓØ9½ÚÃ�ÞDzS>5r0¹*ä Àìxôóùp¬`39i ±/žú£Œ2Ô-ðY¨Úܯãtº Ù9ÜðÃ�At1ý¸ u‡ ›0Ö0Ú]]ðk¯
nùZ´ åä£MÞ¢ã‚^eÃ* ïOtù•Dr¿ô¼Úý¥õ5 e©(YÖdGÚ(ó HfôúÚY…|9õÂ_‚èûy‚å"ã²Qvç|ý¤
kpÇãþ—dd
îhª‡²‘«´f¨¯M$¬Vý�¤Ú¸º’…!}jëgPÖlw(ñŽ¶“„åÌ÷dK
nÚÃ*ñT/¹w ôÓcE"Éï¥å#â„¢^ÌæµÓ«¤yy‚záRÃ*úÚµ¯šRDÛ¾!©Qâ€�áÛ,káä¨7_¶.‡9fÃ�Ã�uÕ{ÇÇ~çWçÛÜx°‰dåÊG..2 ‘P·ŒD~áEâ„¢&Å*{“â€�Ã*bør˼ Ë«X~Å*×ç"¨ö¿8ÚýŒö‘·P¨âG{< Iâ€� ¸ŸŸÃ�‘!Ó`Ã*\õQ þõ|èPȵÑ÷0³G*[P±~¿jÙÌÉ NK¯Ôã1ì!m’-:1Õ›ZZmë"FŸBS|äÀQԤ̱ Q½!ò²`
ïY´çfQ1
•>£ë´DêÅ)S5xÆâ€*{lUk‡tèýÖ·‘ûTiR,Ã’]Ùi^Þ7õE_ßT}Ú|S´E/0ÙªŸ±lçôMž[æÛÞHw¼º›£-E ‘$ëÈsŸùK¶<{ñØŒLý!‰æÙFC¡IÞdÜò{
5 °}t®g\ø±$תTÅ*¢ÄOãWž»´Ç[.Â¥Lã™9qÆ’g–»N÷q›¡…üú¢_‡a¨½6Âj~m)Ã�Vü™ók«pdç.œ’N ©ž¶›2[ ·o;TÆ’
°Uq®Ú[-^‡Tþ‡óó_K/§Ì‡Ê‘™‹qåÛµëò«ôT{Ì>ÖaÜ·K}щ¸fӥ㓶¸Ûç’a>ª-&ÓV~²ØµB¥9�DO10säpdz‚Ó¾ç)å�i•Øfµg-
~ -v“óAš{)w9�)äóÙ¤3œî
¿A©^è þ5±¨Žp¿©c`¢Pn°
X¾²ST_±ˆA¨O:¬²i7gðG‘’&*ï ·üi¡xÇ„'; C�Œ,Ü -ÌGÈün-Ñ�
÷ƒWaïêÉÅ*6›BÚãý„5ŸšFU³j Æ
%[ÌšZÑYÄ�‰;©Òtû¥Ê7‡è
«!.XB¾måÄ9š&D×¾Tg|&/
,è„`óùVgdÒ:zŸÅ|vÂã«ëOûÊB 0¹ ÊÓdž |¸»2ú6£3Ää~�NtüçB÷aZû…&žñ¤6Ü£g£Óhù-;v¾kuo
ÕÔÃ�y·…,P\ÔœFñcc{®Ã�,Òþ’§ÒÃ�r¿â—½î §©pÜ“Vü—â€*LÅ*zªñÚð±FuNiŽw»Rßù´
qtB�×aL™½÷ùk|©‘‹£¥Xk¤0#…Ž�~'ewÊÒÄ›
l—ño

------------------------------------------------------------------

You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)


Any ideas!?

Thanks,

Roach4

[Tiger Shark]

A couple of additional notes:

1. If you are running snort with the Swen.A rule defined it picks up many of the instances of this virus.

2. One machine got infected inside my network by the look of it at a sister org who I have less control over....<sigh>. It probably got through before the definitions were available, my mailserver updates hourly. It was trying to send outbound email which is blocked at the firewall. An ethereal dump showed that it was resolving the domain of the recipients prior to attempting to send which was noted by Symantec.

3. An Nmap of the machine indicated VNC running. The machine is shut down awaiting their tech staff.

[DjM]

Originally posted here by Tiger Shark

3. An Nmap of the machine indicated VNC running.

Tiger, are you saying that the virus dropped VNC on to the system?

Cheers:

[Tiger Shark]

NMap claimed that 2 ports used by VNC were open on the target machine...... Unfortunately, being in a hurry I didn't save the scan results and I forget the ports. Added to that I had the machine shut down so I can't rerun the scan.

I tried to connect using Slarty's VNC thingy and it told me VNC was already running so the ports were definitely open and active. I didn't go any further but simply called the person who knows who's machine that is and had them close it down to stopp the "chatter" at the firewall so I could see if anything else got in.

Symantec and the rest say it drops a trojan on any number of ports so I guess VNC's ports coincide with the trojan..... I thought that would be of use to some since they may use a VNC client on their systems so it may not be immediately apparent that this may not be what they think it is.

[DjM]

Originally posted here by Roach4

You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)

Any ideas!?

Thanks,

Roach4

I suspect this is the contents of the zip file before the virus is stripped away.

Cheers: