Novarg.A Worm cat 4 & Mimail.Q cat 2 !!!

Tyby
Dungeon Keeper
Posts: 602
Joined: Sun Jul 06, 2003 10:39 pm
Location: Bucuresti
Contact:


Postby Tyby » Tue Jan 27, 2004 2:25 am

hmm ... looks like things are going south fast

in the last 8 hours, 2 new, "nastier" viruses have appeared:

W32.Novarg.A@mm - Symantec rated cat 4 / 5

Security Response is currently investigating a new mass-mailing worm. Initial submissions have been received with file extensions of .exe, .pif, .scr, and .zip. Additional information will be made available as soon as possible.


W32.Mimail.Q@mm - Symantec rated cat 2 / 5


W32.Mimail.Q@mm is polymorphic in nature and is similar to W32.Mimail.A@mm. The worm creates a polymorphically modified version of itself as Sys32.exe and a static version of itself as Outlook.exe, which Symantec previously detected as W32.Mimail.Gen.

The worm attempts to send itself by email to the email addresses found on the system. The message body and subject lines can vary.

The worm may also display a dialog box prompting you for your personal information to steal e-gold account information, and attempt to steal other system information.


More info: http://securityresponse.symantec.com/

PS: for the record, no virus has been rated cat 5 so far, so cat 4 sounds pretty ugly!!!
formerly known as gaurika ...

May the best from your past be the worst in your future!

Tyby out!

branix
newbie
Posts: 21
Joined: Sun Jul 06, 2003 4:25 pm

Postby branix » Tue Jan 27, 2004 6:56 pm

As long as it doesn't exploit anything made by M$ over the network, I'm content with Welchia. 8)


Postby Tyby » Wed Jan 28, 2004 2:08 pm

Link for Symantec's disinfection tool:

http://securityresponse.symantec.com/av ... Novarg.exe

Download it (141 KBytes) and follow the instructions at:

http://www.symantec.com/avcenter/venc/d ... .tool.html

More info:

http://www.math.org.il/newworm-digest1.txt

What is this mass-mailer worm?
------------------------------
This worm arrives in your Inbox as an attachment. The subject of the email changes, and the body contains one of the following lines:
- "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
- "The message contains Unicode characters and has been sent as a binary attachment."
- "Mail transaction failed. Partial message is available."

The attachment can be one of a few file types: EXE, PIF, CMD, SCR and very often as a ZIP archive.

This worm is supposed to perform a DoS attack against http://www.sco.com and acts as a backdoor, listening on port 3127.

The worm is built of an EXE and a DLL file, and it is packed with UPX.


Spreading
---------

The worm spreads via email and by copying itself to the Kazaa shared folder on a victim's machine, if one exists.

The worm is set to die on February 12th, 2004.

The spreading speed of this worm was amazing. It hit the Internet hard and it hit it fast.

MessageLabs (which obviously detected the worm heuristically – that's how their system works) shows an incredible number of emails, check out:
http://www.messagelabs.com/viruseye/inf ... m%2EA%2Dmm ?

Some more fun statistics at RAV: http://www.rav.ro/ravmsstats/

As reported by MessageLabs:
-----
Currently we estimate we will hit 1,000,000/day, which is Sobig.F levels.
Interesting that there was a 6 hour gap after we stopped our 1st copies.
Perhaps these were seeds (haven't checked yet)

Month  Day  Hour  Count
-----  ---  ----  -----
1      26   13        2
...
1      26   19      252
1      26   20     4292
1      26   21    27491
1      26   22    53203
1      26   23    54926
1      27    0    51668
1      27    1    51774
1      27    2    50311
1      27    3    50586
1      27    4    52700
-----

I believe we all know how serious this worm is (still is to a level), so let's skip to the next part.


Is this a Mimail variant?
-------------------------

Despite original assumptions, it turns out that the code has nothing in common with the MiMail strain.
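As an added example (not from the thread and not Symantec's tool), a small Python mail filter that flags messages matching the indicators quoted in the digest above: one of the three body lines plus an EXE/PIF/CMD/SCR attachment, including one wrapped inside a ZIP. The sample messages and addresses are constructed for the demo.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Body lines and attachment types quoted in the digest above (Novarg/Mydoom.A)
BODY_LINES = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
RISKY_EXT = (".exe", ".pif", ".cmd", ".scr")


def risky_names(filename, data):
    """Executable attachment names, looking one level inside a ZIP archive."""
    name = (filename or "").lower()
    if name.endswith(RISKY_EXT):
        return [name]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]
        except zipfile.BadZipFile:
            return [name + " (unreadable zip)"]  # treat as suspicious, not clean
    return []


def classify(raw):
    """Report which worm indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()) if body else ""  # unwrap lines
    found = []
    for part in msg.iter_attachments():
        found += risky_names(part.get_filename(), part.get_payload(decode=True))
    return {"body": any(line in text for line in BODY_LINES), "attachments": found}


def sample_message(infected):
    # Constructed test mail (not a real captured worm message)
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    if infected:
        msg.set_content("Mail transaction failed. Partial message is available.")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("document.scr", b"placeholder bytes, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    else:
        msg.set_content("Meeting notes attached.")
        msg.add_attachment("agenda item 1", filename="notes.txt")
    return msg.as_bytes()
```

Because the sender address is forged (as noted later in the thread), the filter deliberately ignores the From header and keys only on body text and attachment contents.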


Postby branix » Thu Jan 29, 2004 12:17 am

One thing: if it DoSes http://www.sco.com (over http, I assume, from what it says on Symantec.com) from February 1 to the 12th, does it try to connect directly, or does it also know about proxies?

I haven't found any reference to that, yet.

victor
elder
Posts: 1761
Joined: Sun Jul 06, 2003 8:22 am
Contact:

Postby victor » Thu Jan 29, 2004 1:03 am

I think I've already received it in a few dozen copies :lol:


Postby Tyby » Thu Jan 29, 2004 1:41 am

Warning - the Novarg.B variant has appeared (under a new name)

W32.Mydoom.B@mm:

http://www.symantec.com/avcenter/venc/d ... .b@mm.html

Good luck!

a few dozen!? more like a few hundred! PER HOUR!


Postby branix » Thu Jan 29, 2004 9:33 am

The statistic I saw was something like: 1 in 12 messages are infected. It's on news.com.com, or on newsforge.com

originaltup
elder
Posts: 1749
Joined: Sun Jul 06, 2003 11:52 am
Location: Ohio

Postby originaltup » Thu Jan 29, 2004 11:29 am

It's funny by now, I sent myself some emails and they were infected :D Well, more like laughing so as not to cry.
"There is a big difference between knowing the path, and walking the path"

sl0bizz
elder
Posts: 671
Joined: Mon Jul 14, 2003 7:33 pm
Location: Boston
Contact:

Postby sl0bizz » Fri Jan 30, 2004 2:04 pm

WTF, I get about 50 spam a day, MSN automatically wipes some and so do the filters, but I haven't received a single copy of this new virus. I'm bombarded with Swen, but not with this one.
What do you mean you sent them to yourself and got them back infected? Messages don't get infected on the way, so you have the virus, but you also have an antivirus, since you know you're getting them back infected. And the two get along fine with each other? The right question is: which of the two is more annoying?
I have an antivirus, my definitions are up to date, the virus isn't extraordinarily subtle, you just have to not open attachments, which I never do, or "fun" files from Kazaa, which I haven't installed; assuming the virus kills antiviruses (which doesn't happen), there's nowhere I could have caught it from.
Could I be infected without knowing it, and is that why I'm not finding out about new infected messages?
On the other hand, I understand the virus doesn't attack Hotmail accounts, but I don't know its opinion of @msn.com and @yahoo.com. Maybe I'm immune :)
If you have spare things or need things, try Freecycle Bucuresti. If you don't need anything, I'll be upset.


Postby Tyby » Fri Jan 30, 2004 2:21 pm

1. the sender address is faked ... so ...

2. original: the AV filters on hardnet haven't let a single virus through so far

3. I don't think hotmail / yahoo catch it ...

4. slobizz ... check your AV ... there's also the possibility that it was killed by some virus and now just sits there oblivious and doesn't report anything ... small chance, but it exists ...

Dan
Master of Disaster
Posts: 2869
Joined: Sun Jul 06, 2003 1:59 am
Location: ...on the highway to hell...
Contact:

Postby Dan » Mon Feb 02, 2004 3:31 am

SCO - it went down. :P
Me, from my mountains...
http://www.imed.ro/forum


Postby Tyby » Mon Feb 02, 2004 3:55 am

it was impossible for it not to go down ... whatever they did ... the best solution was probably the one they adopted: taking the servers off-line ... and "feeling out" the attacks ... then the appropriate filters probably go straight into the pipe ...

I'd bet on MAX 2-3 days until SCO is back on-line ... certainly not until Feb 12 ..

I'm curious how MS will react starting Feb 3 (variant B of the virus, although less "virulent", will attack SCO and MS starting February 3).


Hmmm ... this is NOT good! :(

Postby Tyby » Mon Feb 02, 2004 5:12 am
