Virus Alert: Novarg / MiMail / MyDoom - Page 3
Page 3 of 9 FirstFirst 12345 ... LastLast
Results 21 to 30 of 83

Thread: Virus Alert: Novarg / MiMail / MyDoom

  1. #21
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    To answer who asked why it was on Windows: The whole point of this virus, it seems, is to DDoS the SCO site, undoubtedly because of their attacks on Torvalds of recent. Linux users, generally, are much too savvy to 1) download a file attachment they don't know the send of or 2) wait more than one minute to patch their system. But, Windows users a lot of the time leave their computers succeptible to attacks because of a lot of their ignorance, and are thus better targets in this market... basically, the writers think they're too dumb to understand what's going on.

  2. #22
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by 576869746568617
    Not quite, DjM. See my post above. The symantec writeup does indeed say that the virus ignores .edu addresses.
    I think that's what I said

    Symantec does mention that it will bypass .edu accounts
    Cheers:
    DjM

  3. #23
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I stand corrected....It's early and my mailserver's ate up like swiss cheese with this blasted worm! I misread your post.

    My apologies
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.


  4. #24
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    Wow... this thing sounds serious.
    I didn't catch any worm for last 4 years because:
    1. I don't open attachments of any kind if I don't expect them
    2. If it is espected, and it is some kind of animated stuff, I duble check it before I start it
    3. My AV is checking for updates automaticaly, and install them at once!
    4. I check out antivirus sites oftem for fast spreading viruses
    5. I run Windows Update at least once per week


    And I don't still feel safe... Just remeber that damn Blaster thing...
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  5. #25
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I do pretty much the same, but when the AV updates at one time, and the definitions come out after the update, you still aren't safe. Automation helps, but it's not a cure all.

    Oh yeah, all you guys with IDS, here's the IDS signature for the trojan portion of the worm. This one is specific to Symantec IS, Manhunt, and SCS (IDS Signature provided by Symantec)....I'm looking for one one for snort....If I can't find one, I'll write one myself (unless Q.o.D. beats me to it!) I will post it here.
    Symantec IDS Signature:

    *******************start file********************

    alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37

    *************EOF*********************

  6. #26
    Junior Member
    Join Date
    Jan 2004
    Posts
    11

    Question eSAFE and Novarg (MyDOOM, mimail.q)

    Hi,

    We got eSAFE installed and running fine, removing every attachment which contains a zip, exe, bat, and so on...

    But here is what we see when eSAFE removes a ZIP attachment containing a threat.

    ------------------------------------------------------

    *** eSafe detected a hostile content in this email and removed it. ***
    /readme.zip/readme.txt .pif Msg #705 - The file type pif is on the Restricted List.
    T-d~Icac;WL~r>gL \Ri^zq<0{ gDg{e19
    &C).NZN晜)/JsSWym"
    KirEoHdpE~YK^{rZD8׊F-"s}t7jVh'k5E:mbo*$}d}Ujθ~?-O|2wf]ff^&_s9BƎ-׈6i]H˪엫sg
    PclAM%q 8U!R͊4Dw_M5ˇ2%0.!mvBzɕv)H_4k igM>2i7n1`
    5mZ89oлy6B\r MXY#}]8Я&Y-QMo P
    l͑jPPwJC%X삯#Җ }G27S|$ cC~-AK~YӸPϔgmQxL o|UT,]~ʒ[-3 VyA]RM/r^ѽn>8Z;;Ѣ*MI}vok
    ~0 |`~)
    a:곫Z3~֔BUz_&$
    ,F
    !(ތ֎87j̾C ktm{Ƿz?S/铷<̴y4mL[D?or1T|QH& CgYGܖOEL!߳,|(Vӈ&ˎՈ ];s#}`˱Z&Ĕ{$1,. w}4ZFY q# q~^2 nA'z18ZB6wb& a;Pyȇm~0VM
    ~,)mFsʉ/m <#ikwlDSBE_CyX~oCB}S#q; < SV>Y~yTpF ?c141!8RFE Z)h)~7ZWjsBscwQ:|bkSە
    ˥tyhYÿV~c
    oT^*f^y> T
    B;h]M.fxIP&.'{x?%g<Y-f0:MShp ģ#;-N TQ ;i-q<)\PF ,W̞,n#>c Q~yW-n/ZqnH
    !|^CN)WsG,5K'tT샕Ni`DSK#]
    5 80Vn-3/[sb'A?Z'}yC_ hk KMPOp
    .;鉚ٺ,_ʟ[pZ ]dL 8nl-{T6~sY> )(HPDYMKEJ5 CB|#%jWkI1l*CY~R֨^OC:%**~}Ntr~G>j>GAͅ>Vk~(_9DzS>5r0* xp`39i /2-Yܯt 9At1 u 00]]k
    nZ Mޢ^e OtDr5 e(YdG( HfY|9_y"Qv|
    kpdd
    hfM$Vڸ!}jgPlw(񎶓dK
    nT/w cE"#^ӫyyzRڵRD۾!Q,k7_.9fu{~WxdG..2 PD~E&{br ˫X~"8PG{< I Б!`\Q |Pȵ0G*[P~j NK1!m-:1՛ZZm"FBS|QԤ̱ Q!`
    YfQ1
    >D)S5xƆ{lUktַTiR,]i^7E_T}|SE/0٪lM[Hw-E $sK<{،L!FCId{
    5 }tg\$תTOW[.L9qgNq_a6j~m)Vkpd.N 2[ o;T
    Uq[-^‡T_K/̇ʑq۵T{>aܷK}щfӥ㓶a>-&V~صB9DO10spdzӾ)ifg-
    ~ -vA{)w9)٤3
    A^ 5pc`Pn
    XST_AO:i7gG&* ixDŽ'; Cό, -Gn-
    WaɊ6B5FUj
    %[̚ZYω;t7
    !.XBm9&D׾Tg|&/
    ,`Vgd:z|vOB 0 d |263~NtBaZ&6ܣgh-;vkuo
    y,P\ԜFcc{,r◽ pܓVLzFuNiwR
    qtBaLk|Xk0#~'ewě
    lo

    ------------------------------------------------------------------

    You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)


    Any ideas!?

    Thanks,

    Roach4

  7. #27
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    A couple of additional notes:

    1. If you are running snort with the Swen.A rule defined it picks up many of the instances of this virus.

    2. One machine got infected inside my network by the look of it at a sister org who I have less control over....<sigh>. It probably got through before the definitions were available, my mailserver updates hourly. It was trying to send outbound email which is blocked at the firewall. An ethereal dump showed that it was resolving the domain of the recipients prior to attempting to send which was noted by Symantec.

    3. An Nmap of the machine indicated VNC running. The machine is shut down awaiting their tech staff.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #28
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tiger Shark

    3. An Nmap of the machine indicated VNC running.
    Tiger, are you saying that the virus dropped VNC on to the system?

    Cheers:
    DjM

  9. #29
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    NMap claimed that 2 ports used by VNC were open on the target machine...... Unfortunately, being in a hurry I didn't save the scan results and I forget the ports. Added to that I had the machine shut down so I can't rerun the scan.

    I tried to connect using Slarty's VNC thingy and it told me VNC was already running so the ports were definitely open and active. I didn't go any further but simply called the person who knows who's machine that is and had them close it down to stopp the "chatter" at the firewall so I could see if anything else got in.

    Symantec and the rest say it drops a trojan on any number of ports so I guess VNC's ports coincide with the trojan..... I thought that would be of use to some since they may use a VNC client on their systems so it may not be immediately apparent that this may not be what they think it is.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #30
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: eSAFE and Novarg (MyDOOM, mimail.q)

    Originally posted here by Roach4

    You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)

    Any ideas!?

    Thanks,

    Roach4
    I suspect this is the contents of the zip file before the virus is stripped away.

    Cheers:
    DjM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •