Since midnight last night to right now, I have quarantined or blocked just under 2000 copies, not all that many when I compare it to Klez when it first started.
Quote:
Cheers:
It's a virus, so it's in all likelihood extremely buggy. Therefore, I'd say yes to your question.
As for how much traffic, well...I have an OC3 line and out of 44mbps I have around 6mbps available, most of the used bandwidth is VPN and e-commerce traffic (28.7mbps), but the rest is because the mailserver is being hammered. You can draw your own conclusions from that.
That makes me not feel so bad about my estimated 50 or so copies of it. Wow, you, my friend, are getting hammered by this thing.
Anyway, good info and thanks for the response. When Sobig.F came out I received around 3000 hits a day from it, paling in comparison to this thing, at least for now, and I'm hoping it will stay that way.
SCO has now issued a bounty for the MyDoom creator. Sounds like a good deal: the virus writer goes to jail, someone gets $250K and SCO will be one step closer to bankruptcy.
This was sent to me in my email, so I thought I would post it:
The W32.Novarg.A@mm virus is a mass-mailing worm that is very active on the Internet. While we are currently taking measures to protect our Email users, you can protect yourself by identifying and deleting emails with Novarg characteristics. Please do not report these emails as Spam.
Note: Your computer should not be infected by this virus unless you open a corrupted attachment.
What to look for:
Emails infected with the Novarg virus have, thus far, been approximately 30-35KB in size and have exhibited the following characteristics:
Subject line:
Hello
Hi
Test
Status
From line:
Contains spoofed addresses - which means that the name that appears in the "From" field is probably not the real sender.
Body:
Tends to be unreadable; gibberish. You may also see the following message: "The message contains Unicode characters and has been sent as a binary attachment".
Attachment file extensions:
.zip (most common)
.bat
.cmd
.exe
.pif
.scr
Known attachment file names:
body (.zip, .bat, etc.)
readme
file
message
text
jasrjx
dajtl
document
What you can do:
Delete messages with the above characteristics and be sure to delete them from your Trash Folder. Knowing some of the above characteristics about this virus, you may wish to set up custom filters and route most of these virus emails directly to your Trash or Bulk Folder. This way, you can keep your inbox free of most of these messages. Just be sure to check your Trash or Bulk Folder and empty them on a regular basis in order to free up space in your email account.
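The custom filter the notice suggests, as an added example that is not part of the original thread: a Python routine that parses a raw message with the standard library and counts the characteristics listed above (subject, size, body text, attachment extension and base name). The From line is deliberately not scored because the notice says it is spoofed; the sample message, the threshold and the function names are my own constructions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Characteristics from the notice above (From line omitted: it is spoofed).
SUBJECTS = {"hello", "hi", "test", "status"}
EXTENSIONS = {".zip", ".bat", ".cmd", ".exe", ".pif", ".scr"}
NAMES = {"body", "readme", "file", "message", "text", "jasrjx", "dajtl", "document"}
BODY_HINT = "has been sent as a binary attachment"
SIZE_RANGE = (30 * 1024, 35 * 1024)   # "approximately 30-35KB"


def novarg_indicators(raw: bytes) -> list:
    """List the Novarg characteristics present in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    if SIZE_RANGE[0] <= len(raw) <= SIZE_RANGE[1]:
        hits.append("size")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_HINT in body.get_content():
        hits.append("body-text")
    for part in msg.iter_attachments():
        name, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in EXTENSIONS:
            hits.append("ext:" + ext)
        if name in NAMES:
            hits.append("name:" + name)
    return hits


def route(raw: bytes, threshold: int = 3) -> str:
    """Hypothetical routing rule: Trash only when several characteristics
    coincide, so a lone 'Hi' subject from a colleague is not filtered."""
    return "trash" if len(novarg_indicators(raw)) >= threshold else "inbox"


def constructed_sample() -> bytes:
    """Constructed message carrying the listed traits (no real worm code:
    the attachment is 24000 zero bytes, which base64-encodes to ~32 KB)."""
    msg = EmailMessage()
    msg["From"] = "somebody@example.invalid"   # constructed; would be spoofed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment")
    msg.add_attachment(b"\x00" * 24000, maintype="application",
                       subtype="octet-stream", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = constructed_sample()
    print(len(sample), novarg_indicators(sample), route(sample))
```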
I got one I got one I got one
Unfortunately my NAV deleted the attachment before I could run it... damn one more infection that I didn't catch ;)
Now seriously, my company got an e-mail stating that one infected e-mail was sent from us (it is a small company, so we use just one e-mail). I am scanning all computers in our LAN but there is no trace of the virus. Does anyone know if this virus is spoofing the From: field in the e-mail header? I have double-checked it; none of my bosses opened our e-mail from home.
Yes, it is spoofing the from. A large number of my users have received "your email has been rejected because of the MyDoom.A virus" when I know for a fact that they don't have it.
Not to doubt you, TigerShark, but how do you know for a fact? (Running Linux or something?)
Just curious. I knew my users didn't have it, but my mail server... it was eaten up!
Guess that's what I get for using a Windows server for mail... I use UNIX for everything else, so I figured I'd use one Windows server, that won't hurt so bad... I can use it for mail. Didn't think about the fact that most viruses are for Windows!
57: It's really rather easy..... ;)
If you are a virus carrying your own SMTP engine you might get into my network prior to a protective definition being downloaded but I'm afraid you aren't getting back out again.
All incoming mail to the several domains I host is funnelled through a Windows 2000 server in my DMZ. This server runs GFI Mail Essentials and MailSecurity. MailEssentials removes the Spam and MailSecurity scans for viruses and updates the definitions hourly. Acceptable mail is then passed inbound to the trusted network to Microsoft Exchange Servers that run NAV for Exchange across them just for a giggle..... ;) So you have a maximum of 1 hour's window to get in after a virus def has been published.
Then comes the easy part.... Sucker one of my users into clicking on you.... Bingo - You are in business..... Not.....
You see, when you start sending out all your emails you are going to get a shock..... You can't make a connection to any mailserver in the world..... Darned shame really..... You got so far.... But my firewall won't let any machine within my network send out SMTP/IMAP except the Mail Servers themselves. What's more, when a machine does try to send outbound email the Firewall sticks a popup on my screen informing me of the attempt.....
So, you see, I know for a fact that users within my network _cannot_ send out email willy-nilly. So when they receive a message saying their mail was blocked because of an infection I can rest easy - and if I want to get paranoid I can check the firewall logs for "Deny Out SMTP"......
..... And it's all done with Windows servers and a firewall...... Amazing huh? ;)
Just to add to what Tiger said, this quote is from the Symantec site.
Quote:
Originally posted here by 576869746568617
Not to doubt you, TigerShark, but how do you know for a fact?
Now while it does say "may be spoofed", history teaches us that the new crop of viruses making the rounds use this technique. As well, the messages I am seeing also lead me to the same conclusion, specifically, e-mails coming from accounts I know have been deleted for more than a year.
Quote:
The email will have the following characteristics:
From: May be a spoofed from address
Cheers:
We've been getting some of those too, and what makes ME say they're spoofed is that most of those I received claimed to be "originally" from [email protected]. That's just not possible, however, since the webmaster address is an alias (!) which is forwarded to the admins (partner and I) and we don't use that address when sending out (or even replying).
Quote:
Originally posted here by Tiger Shark
Yes, it is spoofing the from. A large number of my users have received "your email has been rejected because of the MyDoom.A virus" when I know for a fact that they don't have it.
Ammo
Well, this topic brings up another question for myself and I'm sure a few other newbies. Mydoom attacks a particular port -- So how would you go about port scanning to find out what the status of that port is? I've never done port scanning, so I don't even know where to start, and that is a valuable tool that I really need to learn about. So what better time than this?
Looks like the first variant is on its way. I just received this from Symantec.
DING....round two. :p
Quote:
Name: W32.Mydoom.B@mm
Category: 2
Virus Definitions: January 28, 2004 (US Pacific Time)
Type: Worm
Aliases: Mydoom.B [F-Secure], W32/Mydoom.b@MM [McAfee], WORM_MYDOOM.B [Trend]
Symantec Security Response has received reports of this worm and will update this document when more information is available.
Cheers:
Here's the Kaspersky info on the B variant.
Quote:
eWeek
The variant, which Kaspersky has labelled MyDoom.b, has a slightly larger payload compared with MyDoom.a and targets Microsoft Corp. for a denial-of-service attack to be launched starting on Feb. 1, instead of The SCO Group Inc. The worm features minor modifications to the text of the e-mail that carries it, but is otherwise identical to the original.
Just a Databas
http://drweb.ru/news/
The Department of Homeland Security launched the National Cyber Alert System today, to provide information on internet threats.
More info/sign-up: http://www.uscert.gov/.
Looks like the virus is avoiding .mil and .edu domains. So far I've only seen maybe 25 hits from our mail relays here on base.
If you were previously subscribed to the CERT Advisory mailing list, you don't have to re-subscribe.
Quote:
Originally posted here by Negative
The Department of Homeland Security launched the National Cyber Alert System today, to provide information on internet threats.
More info/sign-up: http://www.uscert.gov/.
Cheers:
Quote:
If you are a subscriber to this list, you will automatically receive the technical version of US-CERT alerts (the Technical Cyber Security Alert) through this list. No action is necessary on your part. If you are not a subscriber to the CERT Advisory mailing list and wish to receive these alerts, you must subscribe to the new US-CERT mailing list.
Just came across this....
http://www.computerworld.com/securit...,89494,00.html
Quote
JANUARY 28, 2004 ( COMPUTERWORLD ) - A new variant of the Mydoom virus has just emerged, several security companies are reporting this afternoon.
Mydoom.b variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc., according to London-based security vendor Mi2g Ltd.
Symantec has not released updates as of yet.
GG
Norton doesn't mention 'B'. Has the file been altered so it is not detected by the 'A' definition, or will the current defs detect it but just label it wrong?
Bitdefender claims that the payload has changed slightly to attack M$ but it doesn't mention a signature change specifically.
[edit]
Oh, and for those of you interested I found out what dropped the copy of VNC on the machine I got infected early in the life of MyDoom.
The dropper is a chap called Craig..... He is the contract admin for the sister agency's computers and he placed VNC on the machines at that remote location so he can manage them...... Sure got my little ticker racing..... One of the benefits of not having complete control of your network - You never know what the other admins are doing or find acceptable...... :(
[/edit]
I am not quite sure where Symantec got the idea that the virus wasn't attacking .edu addresses, but it is. I work in a community college and we have received so many copies that we brought the server down. Now we are running Guinevere, and it is working well.
Symantec just posted some info on it, Tedob1, check it out here.
Quote:
Originally posted here by Tedob1
Norton doesn't mention 'B'. Has the file been altered so it is not detected by the 'A' definition, or will the current defs detect it but just label it wrong?
They say the defs of January 28, 2004 will detect it, but they don't seem to mention how it will be detected. :confused:
Cheers:
These are the newest Snort rules made; I think I've eliminated any chance of false positives. I had started posting in another thread but I think me and 57 were the only ones reading it. I think these rules will actually block the new variant because they're not based on the subject of the message but on the actual virus, of which this portion is probably being reused, but I have not got the new variant yet so it's not yet tested.
alert tcp any any -> any any (msg:"Virus - Novarg"; content:"|26 6a 6f 65 3f 6e 65 6f 2f|"; sid:31337; classtype:misc-activity; rev:1;reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(1)"; content:"UPX";content:"JmpvZT9uZW8v";content:"b2xk"; sid:31338; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(2)";content:"UPX"; content:"am9lP25l"; content:"bGQt"; sid:31339; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(3)";content:"UPX"; content:"b2U/bmVv"; content:"ZC1Q"; sid:31340; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
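Why there are three SMTP rules per marker, as an added example that is not from the thread or the rule author: the hex content of the first rule decodes to the string "&joe?neo/", and the base64 fragments in the other three rules are that string encoded at each of the three byte alignments a MIME base64 attachment can place it at (a second marker beginning "old-P" is inferred here from decoding the fragments "b2xk", "bGQt" and "ZC1Q"). The Python below derives those fragments and checks them against a constructed, line-wrapped attachment; the filler bytes, offsets and function names are assumptions.

```python
import base64

# Marker from the first rule's hex content, and a second marker inferred from
# decoding the other rules' fragments ("old", "ld-", "d-P" -> "old-P").
NOVARG_MARKER = bytes.fromhex("26 6a 6f 65 3f 6e 65 6f 2f")   # b"&joe?neo/"
SECOND_MARKER = b"old-P"                                       # inferred


def base64_alignments(marker: bytes) -> list:
    """Base64 fragments that stay constant for each of the three positions
    (0, 1 or 2 bytes into a 3-byte group) at which `marker` can begin."""
    frags = []
    for shift in range(3):
        chunk = marker[shift:]                 # start at a group boundary
        usable = len(chunk) - len(chunk) % 3   # drop the partial last group
        frags.append(base64.b64encode(chunk[:usable]).decode("ascii"))
    return frags


def matches_any_alignment(b64_text: str, marker: bytes) -> bool:
    """True if a MIME base64 body carries `marker` at any alignment.
    MIME wraps at 76 columns, so line breaks are removed before matching;
    a rule that matches the wrapped wire text can still miss a split fragment."""
    flat = "".join(b64_text.split())
    return any(f and f in flat for f in base64_alignments(marker))


def naive_match(b64_text: str, marker: bytes) -> bool:
    """The single-encoding check a first attempt would write: it only works
    when the marker happens to start on a 3-byte boundary."""
    flat = "".join(b64_text.split())
    return base64.b64encode(marker).decode("ascii") in flat


def constructed_attachment(prefix_len: int) -> str:
    """Constructed sample: `prefix_len` filler bytes, the marker, more filler,
    base64-encoded and wrapped at 76 columns as a MIME encoder would."""
    raw = b"\x00" * prefix_len + NOVARG_MARKER + b"\x00" * 40
    enc = base64.b64encode(raw).decode("ascii")
    return "\n".join(enc[i:i + 76] for i in range(0, len(enc), 76))


if __name__ == "__main__":
    print(base64_alignments(NOVARG_MARKER), base64_alignments(SECOND_MARKER))
    for n in (99, 100, 101):   # marker offset modulo 3 = 0, 1, 2
        body = constructed_attachment(n)
        print(n, naive_match(body, NOVARG_MARKER),
              matches_any_alignment(body, NOVARG_MARKER))
```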
Angel:
Er... You say "block" but you don't have any response clauses in the rules, so they are simple Alert rules.
Just wanted to point that out in case anyone thought they could protect themselves by using these rules.....
We are still picking it up here; it's just pulling malicious content out, not giving any specific identification of the virus. From the characteristics it seems to be MyDoom.
TigerShark:
d00h!
He's absolutely right.
Those rules will NOT block! But they can be easily modified to block. Those rules are just for detection.
Thanks TS and DjM. I had done a manual update just prior to my post and it said there were no new updates available. Following DjM's link and clicking on the download update, it says this:
Intelligent Updater:
Virus Definitions created January 27
Virus Definitions released January 27
Norton AntiVirus Corp. Edition:
Defs Version: 60127f
Sequence Number: 27554
Extended Version: 1/27/2004 rev. 6
Total Viruses Detected: 64897
I hope that means B is the same. My server updates every day at midnight. Seems funny that if they had a definition for B yesterday they didn't put it on their main page right away. I was under the impression it wasn't discovered until today.
I can't seem to get my hands on the new defs either; I keep getting the "you're up to date" message.
Quote:
Originally posted here by Tedob1
Thanks TS and DjM. I had done a manual update just prior to my post and it said there were no new updates available. Following DjM's link and clicking on the download update, it says this:
Intelligent Updater:
Virus Definitions created January 27
Virus Definitions released January 27
Norton AntiVirus Corp. Edition:
Defs Version: 60127f
Sequence Number: 27554
Extended Version: 1/27/2004 rev. 6
Total Viruses Detected: 64897
I hope that means B is the same. My server updates every day at midnight. Seems funny that if they had a definition for B yesterday they didn't put it on their main page right away. I was under the impression it wasn't discovered until today.
:confused:
If anyone feels lucky, Symantec just posted beta defs for the new variant. You can download them from HERE.
Yeah, the defs on my server are dated the twenty-sixth. What's up with that? We pay eight Gs for this **** and wind up a day behind their 29.95 version.
McAfee has a tool, other than their virus protection, to detect it and clean it. Go to www.nai.com and grab Stinger. You can also use it to scan remote computers by putting in the UNC name \\usersmachine\c$ or mapping a drive letter to a user's c$ share.
Just passing it on.
Stinger's been out for a while; lucky for them, this is much like Mimail, which also listens on 3127.
eEye just released a scanner for this as well, only theirs still says "Mimail scanner" in the title bar. LoL, can't let anybody beat ya.
Well well well. How's life in the world of Mickeysoft??
When will companies learn that running Mickeysoft products is a time consuming and expensive affair?
And for the home users out there: sick and tired of viruses and worms?? Get Mandrake Linux - http://www.mandrakesoft.com. It's simply superior!
Viva Linux!
varange
a2 made an update that is supposed to detect the B variant -
http://www.emsisoft.com/en/
You can get the free version - it doesn't run in the background, only updates and scans.
AVG made an update for B too.. But why is Symantec only at the beta definitions? :confused:
From the AntiVir website:
Also, my friend just got infected. He received an email with the subject "Hi" and a zip file with a file called doc.pif in it. He didn't know what a .pif was (kind of an obscure extension, you must admit) and ran it. Ouch! Just about to take AntiVir on a CD along with Symantec's removal tool to get rid of it.
Quote:
* 2004-01-28
A new virus definition file is available at the download area.
* 2004-01-27
Warning: Worm/MyDoom is in the wild. A new virus definition file is available at the download area.
* 2004-01-26
Warning: Worm/Mimail.Q and Dumaru.Y are in the wild. A new virus definition file is available at the download area.
Cheers,
cgkanchi
Rubbish..... One instance of the virus entered my network. More than 2000 instances were stopped in the DMZ. The infection took about 3 minutes to clean even though the infected machine was in another domain 15 miles away. It was a pleasant diversion from the drudgery of network administration......
Quote:
When will companies learn that running Mickeysoft products is a time consuming and expensive affair?
You clearly never ran a large Windows network..... And if you did you clearly weren't doing it right, Varange.
I have a question. I've skimmed through the thread but probably have missed this. Reading some of the traffic on the security email lists, there have been a couple of comments of MyDoom infecting the BIOS. (apparently two cases). Has there been any proof that it does do this (hearsay evidence may be actually other issues)?
I have to agree with Tiger Shark. I have worked in both mixed environments as well as Windows-only networks. As long as your network is well planned in the first place and you keep your systems up to date, most virus attacks are no more than minor problems which can be met with well-defined procedures.
I do not mistake my dislike of Microsoft for a dislike of their technology. When Linux is as widespread as windows, we will then see just as many attacks on Linux boxes as on windows boxes.
Ms Mittens, as far as I know MyDoom doesn't attack the BIOS, or rather I haven't heard of it doing so.
MsM: I haven't heard anything about the BIOS either, but I would say that with the high number of infections the probability is high that other issues affecting the BIOS coincided with the infection of the PC.