Virus Alert: Novarg / MiMail / MyDoom

[ammo]

Originally posted here by Tiger Shark
Yes, it is spoofing the from. A large number of my users have received "your email has been rejected because of the MyDoom.A virus" when I know for a fact that they don't have it.

We've been getting some of those too, and what makes ME say they're spoofed is that most of those I received claimed to be "originaly" from [email protected]. That's just not possible however since the webmaster address is an alias (!) which is forwarded to the admins (partner and I) and we don't use that address when sending out (or even replying).


Ammo

[AngelicKnight]

Well, this topic brings up another question for myself and I'm sure a few other newbies. Mydoom attacks a particular port -- So how would you go about port scanning to find out what the status of that port is? I've never done port scanning, so I don't even know where to start, and that is a valuable tool that I really need to learn about. So what better time than this?

[DjM]

Looks like the first variant is on it's way. I just received this from Symantec.

Name: W32.Mydoom.B@mm
Category: 2
Virus Definitions: January 28, 2004 (US Pacific Time)
Type: Worm
Aliases: Mydoom.B [F-Secure], W32/Mydoom.b@MM [McAfee], WORM_MYDOOM.B
[Trend]

Symantec Security Response has received reports of this worm and will update
this document when more information is available.

DING....round two.

Cheers:

[Negative]

eWeek
The variant, which Kaspersky has labelled MyDoom.b, has a slightly larger payload compared with MyDoom.a and targets Microsoft Corp. for a denial-of-service attack to be launched starting on Feb. 1, instead of The SCO Group Inc. The worm features minor modifications to the text of the e-mail that carries it, but is otherwise identical to the original.

Here's the Kaspersky info on the b-variant.

[MrBabis]

Just a Databas
http://drweb.ru/news/

[Negative]

The Department of Homeland Security launched the National Cyber Alert System today, to provide information on internet threats.
More info/sign-up: http://www.uscert.gov/.

[Lanamor]

Looks like the virus is avoiding .mil and .edu domains. So far I'v only seen maybe 25 hits from our mail relays here on base.

[DjM]

Originally posted here by Negative
The Department of Homeland Security launched the National Cyber Alert System today, to provide information on internet threats.
More info/sign-up: http://www.uscert.gov/.

If you were previously subscribed to the CERT Advisory mailing list, you don't have to re-subscribe.

If you are a subscriber to this list, you will automatically receive the
technical version of US-CERT alerts (the Technical Cyber Security Alert)
through this list. No action is necessary on your part. If you are not a
subscriber to the CERT Advisory mailing list and wish to receive these
alerts, you must subscribe to the new US-CERT mailing list.

Cheers:

[gypsygeek]

Just came across this....


http://www.computerworld.com/securit...,89494,00.html

Quote

JANUARY 28, 2004 ( COMPUTERWORLD ) - A new variant of the Mydoom virus has just emerged, several security companies are reporting this afternoon.
Mydoom.b variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc., according to London-based security vendor Mi2g Ltd.


Symantec has not released updates as of yet
GG

[Tedob1]

norton dosen't mention 'B'. has the file been altered to not be detected by the 'A' type definition or will the current defs detect it but just label it wrong?