-
Bitdefender claims that the payload has changed slightly to attack M$ but it doesn't mention a signature change specifically.
[edit]
Oh, and for those of you interested, I found out what dropped the copy of VNC on the machine I found infected early in the life of MyDoom.
The dropper is a chap called Craig... He is the contract admin for the sister agency's computers and he placed VNC on the machines at that remote location so he can manage them... Sure got my little ticker racing... One of the benefits of not having complete control of your network: you never know what the other admins are doing or find acceptable... :(
[/edit]
-
I am not quite sure where Symantec got the idea that the virus wasn't attacking .edu addresses, but it is. I work in a community college and we have received so many copies that we brought the server down. Now we are running Guinevere, and it is working well.
-
Quote:
Originally posted here by Tedob1
Norton doesn't mention 'B'. Has the file been altered to not be detected by the 'A' type definition, or will the current defs detect it but just label it wrong?
Symantec just posted some info on it, Tedob1; check it out here.
They say the defs of January 28, 2004 will detect it, but they don't seem to mention how it will be detected. :confused:
Cheers:
-
These are the newest Snort rules I've made; I think I've eliminated any chance of false positives. I had started posting in another thread, but I think me and 57 were the only ones reading it. I think these rules will actually block the new variant because they're not based on the subject of the message but on the actual virus, of which this portion is probably being reused, but I haven't got the new variant yet, so it's not yet tested.
alert tcp any any -> any any (msg:"Virus - Novarg"; content:"|26 6a 6f 65 3f 6e 65 6f 2f|"; sid:31337; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(1)"; content:"UPX"; content:"JmpvZT9uZW8v"; content:"b2xk"; sid:31338; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(2)"; content:"UPX"; content:"am9lP25l"; content:"bGQt"; sid:31339; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(3)"; content:"UPX"; content:"b2U/bmVv"; content:"ZC1Q"; sid:31340; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
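The three base64 strings in the rules above are one plaintext fragment encoded at each of the three possible 3-byte alignments: "JmpvZT9uZW8v", "am9lP25l" and "b2U/bmVv" all decode to pieces of "&joe?neo/", the same bytes sid 31337 matches in hex, and "b2xk", "bGQt" and "ZC1Q" are the same trick applied to a second fragment (they decode to overlapping pieces of "old-P"). The Python below is an added example, not code from the original post or from Snort: it derives those alignment patterns from any plaintext signature, trims the characters whose value depends on unknown neighbouring bytes, and runs the search over a constructed MIME message (the headers, attachment name and padding bytes are invented for the example). It also shows the caveat a practitioner wants here: base64 bodies are wrapped at 76 columns, so a pattern can straddle a line break and a plain content match on the wire misses it.

```python
import base64
import re
from typing import List, Optional, Tuple

# Plaintext signature from the posted rule: |26 6a 6f 65 3f 6e 65 6f 2f| is
# the byte string "&joe?neo/".  Everything else in this file (sample message,
# helper names, padding) is constructed for the example.
SIGNATURE = b"&joe?neo/"


def base64_alignments(sig: bytes) -> List[str]:
    """Return the three base64 substrings, one per 3-byte phase (0, 1, 2),
    that appear whenever `sig` occurs inside base64-encoded data.

    Characters at either end whose value also depends on the unknown
    neighbouring bytes are dropped, so each pattern matches regardless of
    what precedes or follows the signature in the attachment.
    """
    patterns = []
    for phase in range(3):
        # Prepend `phase` dummy bytes so `sig` starts at that phase, then encode.
        enc = base64.b64encode(b"\x00" * phase + sig).decode("ascii").rstrip("=")
        # Leading chars that contain dummy bits: 0, 2 or 3 (= ceil(phase*8/6)).
        head = -(-phase * 8 // 6)
        # A trailing partial group mixes sig bits with the next unknown byte.
        tail = 0 if (phase + len(sig)) % 3 == 0 else 1
        patterns.append(enc[head:len(enc) - tail])
    return patterns


def find_encoded_signature(payload: bytes, sig: bytes,
                           strip_newlines: bool = True) -> Optional[Tuple[int, str]]:
    """Search an SMTP DATA payload for the base64 form of `sig`.

    Returns (phase, pattern) on a hit, else None.  MIME wraps base64 at 76
    columns, so a pattern may straddle a line break; stripping CR/LF first
    (the default) is what makes the match reliable.
    """
    haystack = re.sub(rb"[\r\n]", b"", payload) if strip_newlines else payload
    for phase, pat in enumerate(base64_alignments(sig)):
        if pat.encode("ascii") in haystack:
            return phase, pat
    return None


def build_sample_message(attachment: bytes) -> bytes:
    """Constructed SMTP DATA body carrying `attachment` as a base64 part
    (not a real worm sample).  encodebytes() wraps the body at 76 columns,
    the way a mail client does."""
    headers = (b"From: a@example.invalid\r\n"
               b"To: b@example.invalid\r\n"
               b"Subject: test\r\n"
               b"MIME-Version: 1.0\r\n"
               b"Content-Type: application/octet-stream; name=\"document.zip\"\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + base64.encodebytes(attachment)


if __name__ == "__main__":
    print(base64_alignments(SIGNATURE))
    # Place the signature at byte 55 (phase 1) so its encoding crosses the
    # first 76-column line break of the attachment.
    sample = build_sample_message(b"X" * 55 + SIGNATURE + b"Y" * 12)
    print(find_encoded_signature(sample, SIGNATURE))
    print(find_encoded_signature(sample, SIGNATURE, strip_newlines=False))
```

Two things follow from running it. First, the phase-1 and phase-2 patterns the code produces are longer than the ones in the rules ("am9lP25l" and "b2U/bmVv" are substrings of them), because the rules keep only a safe inner piece; the longer form is just as safe and gives fewer false positives. Second, a content match on a single packet or line will miss the signature whenever the 76-column wrap (or a TCP segment boundary) falls inside the pattern, so a sensor that does not reassemble and unwrap the body will alert on some copies and not others. Note also that "UPX" in the rules is plaintext: inside a base64 part the packer marker is itself encoded, so that clause only matches if the string happens to appear unencoded somewhere in the same packet.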
-
Angel:
Er... You say "block" but you don't have any response clauses in the rules, so they are simple alert rules.
Just wanted to point that out in case anyone thought they could protect themselves by using these rules...
-
We are still picking it up here; it's just pulling malicious content out, not giving any specific identification of the virus. From the chars it seems to be MyDoom.
-
TigerShark:
d00h!
He's absolutely right.
Those rules will NOT block, but can be easily modified to block. Those rules are just for detection.
-
Thanks TS and DjM. I had done a manual update just prior to my post and it said there were no new updates available. Following DjM's link and clicking on the download update, it says this:
Intelligent Updater:
Virus Definitions created January 27
Virus Definitions released January 27
Norton AntiVirus Corp. Edition:
Defs Version: 60127f
Sequence Number: 27554
Extended Version: 1/27/2004 rev. 6
Total Viruses Detected: 64897
I hope that means B is the same. My server updates every day at midnight. Seems funny that if they had a definition for B yesterday they didn't put it on their main page right away. I was under the impression it wasn't discovered until today.
-
Quote:
Originally posted here by Tedob1
Thanks TS and DjM. I had done a manual update just prior to my post and it said there were no new updates available. Following DjM's link and clicking on the download update, it says this:
Intelligent Updater:
Virus Definitions created January 27
Virus Definitions released January 27
Norton AntiVirus Corp. Edition:
Defs Version: 60127f
Sequence Number: 27554
Extended Version: 1/27/2004 rev. 6
Total Viruses Detected: 64897
I hope that means B is the same. My server updates every day at midnight. Seems funny that if they had a definition for B yesterday they didn't put it on their main page right away. I was under the impression it wasn't discovered until today.
I can't seem to get my hands on the new defs either; I keep getting the "you're up to date" message.
:confused:
[edit]
If anyone feels lucky, Symantec just posted beta defs for the new variant. You can download them from HERE.
[/edit]
-
Yeah, the defs on my server are dated the twenty-sixth. What's up with that? We pay eight Gs for this **** and wind up a day behind their $29.95 version.