
New Mydoom e-mail virus threatens computers

Boss Hog

TRIBE Member

VANCOUVER (CP) — A new computer virus spread via e-mail was detected today and an expert says it could quickly clog the Internet and open personal computers to data theft.

The virus, dubbed Mydoom, was confirmed around 4 p.m. EST by technicians at Network Associates Inc., which produces and maintains the McAfee antivirus program, Canadian general manager Jack Sebbag said from Montreal.

Symantec Corp., which markets the Norton antivirus program, also posted an alert for the new virus, which it called Norvag.

It said Microsoft Windows operating systems except 3.x were vulnerable but the virus does not affect DOS, Linux, Macintosh, OS/2 or Unix-run computers.

"It's a mass-mailer, meaning it will send at random the e-mail and replicate itself to folks on your personal address book," said Sebbag.

The worm-type virus is contained in an innocuous-looking e-mail attachment and degrades performance on the computer.

The icon used by the file tries to make it appear the attachment is a text file, according to Network Associates' notice. It then copies itself to the local system and sends itself to everyone in the user's e-mail address book.

Symantec's posting said the worm also copies itself to the Kazaa music download directory using various file names.

As more machines are infected Mydoom could slow down the entire Internet "and that's where the real problem starts to hit," said Sebbag.

He said the virus also appears to have a keystroke-logging capability, "meaning that somebody can actually take over your PC."

"Right now it's not a very big deal but it does have that capability so the worm can actually log into your machine and take it over and steal information."

The worm opens a connection on one of the computer's communications ports, suggesting remote-access capabilities.

"It's a form of spyware," Sebbag said.

Users will know the computer is infected if Notepad is opened and filled with nonsense characters.

Symantec said once found, the worm appears easy to contain and not hard to remove.

Sebbag said the origin of the virus was not known yet but it may have come from North America or Europe.

Network Associates' lab began receiving large samples of the virus from its product users early Monday afternoon.

"That's why we rated the alert status to high," he said, adding it's too early to tell how widespread the virus has become. "It's in the hundreds of thousands at this point."

Sebbag said based on the number of samples his firm has received, Mydoom seems to be spreading as fast or faster than last year's SoBig virus.

Symantec also rated the speed of infection as high.

Last summer, SoBig quickly tied up e-mail systems and slowed down networks but did not damage computers or their data. It followed similar earlier attacks by viruses called LovSan and Blaster.

McAfee software users can find an update to combat the virus at http://www.nai.com, while Norton users can find help at http://www.symantec.com.
 

sweet_e

TRIBE Member
my McMaster account got shut down cuz of this. Now how am I supposed to know if I have to go in tomorrow?
 

alexd

Administrator
Staff member
Virus Profile
Virus Information
Name: W32/Mydoom@MM
Risk Assessment
- Home Users: High-Outbreak
- Corporate Users: High-Outbreak
Date Discovered: 1/26/2004
Date Added: 1/26/2004
Origin: Unknown
Length: 22,528 bytes
Type: Virus
SubType: E-mail
DAT Required: 4319

Virus Characteristics

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file

When this file is run it copies itself to the local system with the following filenames:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
%SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

AVERT is currently analyzing this threat. Details will be posted as they are available.
Indications of Infection
Upon executing the virus, Notepad is opened, filled with nonsense characters.
Existence of the files and registry entry listed above
Method of Infection

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
wab
adb
tbb
dbx
asp
php
sht
htm
txt

Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.


Aliases
Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend)
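As an added example, not part of the McAfee profile or this thread, here is a check of a host snapshot and of an incoming message against the indicators listed above (dropped files, the TaskMon Run key, TCP port 3127, the bounce-like body texts and the 22,528-byte attachment). The snapshot format and the sample %SysDir% value are assumptions; on a real Windows host you would populate the snapshot from the file system, the Run key and netstat.

```python
import re

# Indicators taken from the profile: dropped files, startup hook, backdoor port.
DROPPED_FILES = {
    r"%sysdir%\taskmon.exe",
    r"%sysdir%\shimgapi.dll",
    r"c:\program files\kazaa\my shared folder\activation_crack.scr",
}
RUN_KEY_NAME = "taskmon"
RUN_KEY_VALUE = r"%sysdir%\taskmon.exe"
BACKDOOR_PORT = 3127

# Mail characteristics from the profile: bounce-like body texts, attachment
# extensions (ZIP included because it "often arrives in a ZIP archive") and size.
BODY_TEXTS = (
    "The message cannot be represented in 7-bit ASCII encoding",
    "The message contains Unicode characters",
    "Mail transaction failed. Partial message is available.",
)
ATTACHMENT_EXT = re.compile(r"\.(exe|pif|cmd|scr|zip)$", re.IGNORECASE)
ATTACHMENT_SIZE = 22528  # bytes, per the profile


def _normalize(path, sysdir):
    """Lower-case a path and fold the real System directory back to %sysdir%."""
    p = path.lower()
    prefix = sysdir.lower().rstrip("\\") + "\\"
    if p.startswith(prefix):
        p = "%sysdir%\\" + p[len(prefix):]
    return p


def host_indicators(snapshot, sysdir):
    """Return the indicators present in a host snapshot, in a fixed order.

    snapshot = {"files": [...], "run_keys": {name: value}, "listening_ports": [...]}
    (assumed format; not something the profile defines).
    """
    hits = []
    files = {_normalize(p, sysdir) for p in snapshot.get("files", [])}
    hits += [f"file:{f}" for f in sorted(DROPPED_FILES & files)]
    run = {k.lower(): _normalize(v, sysdir) for k, v in snapshot.get("run_keys", {}).items()}
    if run.get(RUN_KEY_NAME) == RUN_KEY_VALUE:
        hits.append("runkey:TaskMon")
    if BACKDOOR_PORT in snapshot.get("listening_ports", []):
        hits.append(f"port:{BACKDOOR_PORT}")
    return hits


def mail_indicators(body, attachments):
    """True when the body matches a profile text AND an attachment (name, size)
    has a listed extension or the exact 22,528-byte length."""
    body_hit = any(t in body for t in BODY_TEXTS)
    att_hit = any(ATTACHMENT_EXT.search(n) or s == ATTACHMENT_SIZE for n, s in attachments)
    return body_hit and att_hit
```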
 

why not

TRIBE Member
From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

that's the one.
at least fifty of these have appeared in my email since monday afternoon.
annoying.

interesting that it's spreading through kazaa, maybe it's from the RIAA. weren't they talking about making viruses or something a while ago?
 

deep

TRIBE Member
The interesting thing about this worm is that on Feb 4 I believe, it uses infected computers to launch a denial of service attack on SCO.com. So the worm is obviously the doing of some disgruntled lun1x geek, or at least made to look that way.

Someone tried sending me an attachment yesterday infected with this worm but my email provider's virus scanner picked it up and nuked it.
 

Syntax Error

Well-Known TRIBEr
Originally posted by deep
The interesting thing about this worm is that on Feb 4 I believe, it uses infected computers to launch a denial of service attack on SCO.com .

you stole that post from me!! prepare to be sued.
 

PosTMOd

Well-Known TRIBEr
When will someone invent one that kills the people who open attachments?

That would get rid of the stupids really quickly.
 

why not

TRIBE Member
Originally posted by Cheer Bear
I got 4 already, including one from myself?!

apparently it's making up addresses that look like it came from yourself.
since yesterday I've probably received over 200 of these.
 

ian

TRIBE Member
Originally posted by why not
apparently it's making up addresses that look like it came from yourself.
since yesterday I've probably received over 200 of these.

Yup, not only will it send ones from yourself, but it will also act as though it is returning something you tried to send. Sneaky little bastard.

-ian g.
 

billy

TRIBE Member
I knew this thing was coming and it hit us at work today. We can't peg it down but some dumbass did open the file so we had to shut down all our machines and do virus sweeps on everything. Big pain in the ass.
 