Site Talk
Site announcements, comments, or feedback about the site.
WARNING New e-mail bug
flitzer
England - North West, United Kingdom
Joined: November 13, 2003
KitMaker: 2,240 posts
Armorama: 808 posts
Posted: Tuesday, January 27, 2004 - 04:13 AM UTC
Hi all,
my e-mail received 3 messages that matched those described in the report below.
Thankfully they looked strange so I binned them.
-------------------------------------------------------------------------------------------------------------------
E-Mail Worm Clogging Network Traffic
Tue Jan 27, 5:18 AM ET
By MATTHEW FORDAHL, AP Technology Writer

SAN JOSE, Calif. - Network administrators were working to stop a fast-spreading e-mail worm that looks like a normal error message but actually contains a malicious program that spreads itself and installs a program that leaves an open door to infected computers.

The worm — called "Mydoom," "Novarg" or "WORM_MIMAIL.R" — was replicating itself so quickly that some corporate networks were clogged with infected traffic within hours of its appearance Monday. Its mail engine could send out 100 infected e-mail messages in 30 seconds, experts said.

It runs on computers running Microsoft Corp.'s Windows operating systems, though other computers were affected by slow network and a flood of bogus messages. About 3,800 infections were confirmed within 45 minutes of its initial discovery, according to the security firm Central Command.

"This has all the characteristics of being the next big one," said Steven Sundermeier, Central Command's vice president of products and services.

It appeared to first target large companies in the United States — and their computers' large address books — and quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.

"As far as I can tell right now, it's pretty much everywhere on the planet," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."

"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, senior director of research at the computer security company Symantec.

Subject lines also vary but can include phrases like "Mail Delivery System" and "Mail Transaction Failed." The attachments have ".exe," ".scr," ".cmd" or ".pif" extensions, and may be compressed as a Zip file.

Besides sending out tainted e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

Symantec said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers. Network Associates, however, did not find the keylogging program.

The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.

Symantec also found code that would flood The SCO Group Inc.'s Web site with requests in an attempt to crash its server, starting Feb. 1. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute. An SCO spokesman did not return a telephone call for comment Monday.

Microsoft offers a patch of its Outlook e-mail software to warn users before they open such attachments or prevent them from opening them altogether. Antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

"This is entirely a case of what we would call social engineering — enticing users to take actions that are not in their best interest," he said.

Mydoom isn't the first mass-mailing virus of the year. Earlier this month, a worm called "Bagle" infected computers but seemed to die out quickly. So far, it's too early to say whether Mydoom will continue to be a problem or peter out, experts said.

"Over the next 24 to 48 hours, we'll have a much better sense," Trilling said. "Right now, the trend is only up."

On the Net:

Microsoft security tips: http://www.microsoft.com/security/protect/default.asp

Associated Press Business Writer Allison Linn in Seattle contributed to this report.
------------------------------------------------------------------------------------------------------------
Be wary.
Cheers
Peter

==)
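The article above lists the indicators that make these messages recognisable: the "binary attachment" pretext in the body, bounce-style subject lines such as "Mail Delivery System" and "Mail Transaction Failed", and attachments ending in .exe, .scr, .cmd or .pif, sometimes wrapped in a Zip file. The following is an added example, not code from the thread or from the AP report, showing how a mail administrator could turn those indicators into a triage rule with Python's standard `email` and `zipfile` modules. The three sample messages, sender addresses and filenames are constructed for the demonstration; the rule flags only what the article describes and does nothing with the attachment beyond reading its name.

```python
"""Triage rule for the Mydoom-style e-mail described in the thread.

Added example (not from the original thread or the AP article). It uses only the
indicators quoted in the article: the Unicode/binary-attachment body text, the
"Mail Delivery System" / "Mail Transaction Failed" subject phrases, and executable
attachment extensions (.exe, .scr, .cmd, .pif), possibly inside a Zip file.
All sample messages below are constructed for the demonstration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".cmd", ".pif"}
SUBJECT_PHRASES = ("mail delivery system", "mail transaction failed")
BODY_PHRASE = "has been sent as a binary attachment"


def _suspicious_name(filename):
    name = (filename or "").lower()
    return any(name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def attachment_indicators(msg):
    """Return attachment findings, also listing executables inside Zip archives."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if _suspicious_name(filename):
            findings.append(f"executable attachment: {filename}")
            continue
        if filename.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():  # names only, nothing is extracted
                        if _suspicious_name(member):
                            findings.append(f"executable inside {filename}: {member}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip attachment: {filename}")
    return findings


def triage(raw):
    """Parse one raw RFC 822 message and return the list of matched indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").lower()
    if any(p in subject for p in SUBJECT_PHRASES):
        hits.append(f"bounce-style subject: {msg['Subject']}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if BODY_PHRASE in text:
        hits.append("Unicode/binary-attachment pretext in body")
    hits.extend(attachment_indicators(msg))
    return hits


def _build(subject, body, attachments):
    """Constructed sample message; attachments is a list of (filename, bytes)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"  # constructed; the real sender is forged anyway
    m["To"] = "someone@example.org"
    m["Subject"] = subject
    m.set_content(body)
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


def _zip_bytes(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


PRETEXT = "The message contains Unicode characters and has been sent as a binary attachment."

SAMPLES = {
    "worm_exe": _build("Mail Transaction Failed", PRETEXT,
                       [("message.scr", b"MZ constructed stub")]),
    "worm_zip": _build("Mail Delivery System", PRETEXT,
                       [("document.zip", _zip_bytes("document.pif", b"MZ constructed stub"))]),
    "benign": _build("Kit build photos", "Here are the photos from the weekend.",
                     [("photos.zip", _zip_bytes("tiger.jpg", b"\xff\xd8 constructed"))]),
}


def triage_samples():
    """Run the rule over every constructed sample and return {name: hits}."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(name, "->", hits or "clean")
```

Both worm samples match on subject, body and attachment, while the benign Zip with an image inside matches nothing; in practice a message hitting two or more of these indicators would be quarantined rather than delivered, which is exactly the "trash it without opening" advice the thread gives, done at the server so the recipient never sees it.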
brandydoguk
England - North, United Kingdom
Joined: October 04, 2002
KitMaker: 1,495 posts
Armorama: 234 posts
Posted: Tuesday, January 27, 2004 - 06:44 AM UTC
I have been getting loads of these e-mails lately. Today I have had about 40 of them. The first few I got, my Norton antivirus spotted they had viruses attached, so now I delete any of that type that I get. They are a real pain in the arse.
staff_Jim
Staff MemberPublisher
KITMAKER NETWORK
New Hampshire, United States
Joined: December 15, 2001
KitMaker: 12,571 posts
Armorama: 6,599 posts
Posted: Tuesday, January 27, 2004 - 07:17 AM UTC
For some reason our "[email protected]" address is getting a ton of these. It seems to hit you with a bunch so that you will think that indeed your system is already infected and put you into a panic (so you will open or execute their attachments).

Jim
firemann816
Alabama, United States
Joined: September 14, 2003
KitMaker: 790 posts
Armorama: 0 posts
Posted: Tuesday, January 27, 2004 - 03:19 PM UTC
A lot of mass mailers harvest e-mail addresses from browser cache files in addition to the usual sources; the polls address may be on a high-traffic page and fall victim because of this. The sender address is forged, as far as the ones we've inspected on my 500-node network today.
Thanks to Armorama for sharing this important note with the community.
Posted: Tuesday, January 27, 2004 - 03:48 PM UTC
High traffic page = that would be the homepage

I removed it because I don't really get many people sending suggestions anyways.

Jim
flitzer
England - North West, United Kingdom
Joined: November 13, 2003
KitMaker: 2,240 posts
Armorama: 808 posts
Posted: Tuesday, January 27, 2004 - 05:54 PM UTC
I had another 4 waiting for me this morning like little time bombs.
I would stress to anyone reading the report to take note of the 'Descriptions' and the titles, so you can recognise them.
If in doubt trash them without opening. And ALWAYS EMPTY THE TRASH. No point leaving them, even in the trash.
Good luck.
One more point.... I use a Mac, and most viruses are designed for PCs, so I may not be as affected as most, but better safe than sorry. Eyes peeled, lads.
Peter
brandydoguk
England - North, United Kingdom
Joined: October 04, 2002
KitMaker: 1,495 posts
Armorama: 234 posts
Posted: Tuesday, January 27, 2004 - 11:12 PM UTC
If anybody thinks they may have this virus, there is a download at the Symantec home page called FxNovarg that is designed to find the little ****. I suspected that it was on my PC but Norton scans failed to find it, so I tried the aforementioned download and bingo, it found and removed it in a couple of minutes. Since then no problem e-mails at all.
flitzer
England - North West, United Kingdom
Joined: November 13, 2003
KitMaker: 2,240 posts
Armorama: 808 posts
Posted: Wednesday, January 28, 2004 - 05:53 PM UTC
Hi all,
Brandydog gave this very good advice. But it's not compatible with Macs, so if you are like me, I'll try and find an equivalent fix.

[If anybody thinks they may have this virus, there is a download at the Symantec home page called FxNovarg that is designed to find the little ****. I suspected that it was on my PC but Norton scans failed to find it, so I tried the aforementioned download and bingo, it found and removed it in a couple of minutes.]

Another 14 little *******'s waiting for me this morning. Until I find a fix, I'm binning anything I don't recognise.
Good luck.
Cheers
Peter