
Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning


Stuartbe
27-01-2004, 09:09
This has just been sent to me by CA.

Be alert !!!!

------------------------------------------

Virus Alert Notification

Win32.Mydoom.A Worm
Alias: W32.Novarg.A@mm (Symantec),
W32/Mydoom@MM (McAfee),
Win32/Shimg
Category: Win32
Type: Worm
Published Date: 1/26/2004
Last Modified: 1/26/2004


CHARACTERISTICS

Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive.

Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error

The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. An example of a Message Body used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

Data
Readme
Message
Body
Text
file
doc
document


Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.

Via P2P File Sharing

The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:

nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5

Possible extensions are:

bat
exe
pif
scr

Method of Installation

When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry in order to run at the next system re-start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"

Payload

Backdoor Functionality

Win32.Mydoom opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199).

Analysis by Jakub Kaminski

Note: This is a preliminary analysis - further detail will be published as it comes to hand.
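A host-side check for the two registry artefacts the notice lists (the TaskMon Run value and the hijacked CLSID InProcServer32 default value), written here as an added Python example rather than taken from CA or the forum. It parses `reg export` text; both exports it carries are constructed, and `C:\WINNT\System32` is the Windows 2000 default path the notice gives.

```python
"""Registry triage for the Win32.Mydoom.A installation artefacts in the CA
notice: the Run value TaskMon -> %System%\\taskmon.exe and the CLSID
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} InProcServer32 default value ->
%System%\\shimgapi.dll.  Added example (not CA's tooling); the export text
below is constructed, as if produced by `reg export` on a Windows 2000 box."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
# .reg syntax: a [key] header, then "name"="data" lines; @ is the default value.
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key.lower(): {value_name: data}} for the string values in a .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg strings double backslashes and escape embedded quotes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def mydoom_a_registry_findings(text):
    """List the Mydoom.A indicators present; an empty list means none found."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "taskmon" and data.lower().endswith("\\taskmon.exe"):
            findings.append(f"Run value {name} -> {data}")
    inproc = keys.get(CLSID_KEY.lower(), {}).get("@", "")
    if inproc.lower().endswith("\\shimgapi.dll"):
        findings.append(f"CLSID InProcServer32 default -> {inproc}")
    return findings


# Constructed exports: one carrying both artefacts, one clean.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"TaskMon"="C:\\WINNT\\System32\\taskmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINNT\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
'''
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, mydoom_a_registry_findings(export) or "no indicators")
```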

Jon M
27-01-2004, 09:14
I had over 500 of these blocked by our mail server filters this morning... you should all be able to get hold of updates from your anti-virus vendors, I suggest doing it ASAP!

Stuartbe
27-01-2004, 09:22
I had over 500 of these blocked by our mail server filters this morning... you should all be able to get hold of updates from your anti-virus vendors, I suggest doing it ASAP!

Me too m8.......

The funny thing is that the last email waiting to be sent from exchange had the warning in it :D

My Norton gateway software nabbed over 300 of them :(

( Waits for hundreds of calls from lan users when they read the notification )

It's going to be a long long day...........

SOSAGES
27-01-2004, 09:59
I haven't received one virus this year :( damn, I'm going to have to get some less secure customers and give my users more power!


This afternoon, antivirus software vendors started tracking a dangerous
new worm, dubbed MyDoom. Early indications are that MyDoom is spreading
rapidly and clogging up business networks and the Internet. For example,
McAfee has rated the virus as "High-Outbreak" for both corporate and
consumer users. Symantec rates MyDoom "4," its second-highest rating.

The volume of traffic could be much larger than last year's soBig
outbreak, which would make this virus worthy of the name soMuchBigger.
The sophistication of the virus is a reminder that hackers and virus
writers should be treated as criminals and not noble antisocialists.
Like Blaster, which delivered a delay mechanism for attacking
Microsoft's Windows Update on a certain date, MyDoom has a target: SCO.

The MyDoom outbreak may turn out to be one of the more sophisticated viruses
in recent memory. The virus appears to use multiple avenues of attack
(e-mail for certain, and possibly file-sharing or remote-access programs),
harnesses the multitude of infected computers to attack a single host
(SCO), and protects the binaries with encryption (to thwart quick
antivirus response and damage assessment).

Delivery is via e-mail, typically as a message returned for some error.
It's almost habit for more experienced users to open such a mail and its
attachment to see which important message got bounced back. The tactic
clearly targets the kind of sophisticated user that normally wouldn't
open such an e-mail attachment.

Apparently all Windows versions from 95 on are susceptible to MyDoom, but
not Linux, Mac OS or Unix. People that use Outlook 2000 SP2 or later are
safest, as long as the default settings--these block the kind of
attachments carrying MyDoom--haven't been changed. The greater danger
would be businesses running older versions of Outlook or consumer PCs
using e-mail, say, Outlook Express. Microsoft plans to add attachment
blocking to Outlook Express, but that update is months away.

Published warnings from antivirus vendors suggest a dangerous worm
potentially capable of spreading through file sharing or allowing remote
access through a port opened in infected systems. I would strongly
encourage system administrators seeking to eradicate an infection to
shut down all unneeded network services and to search for open ports on
compromised systems. Network administrators should start by checking
port 3127.

I strongly encourage network administrators to quarantine computers and
networks immediately. As a general practice, files with the extensions
.bat, .exe, .htm, .pif, .scr or .vbs should be blocked at the e-mail
client or server.

Antivirus companies are still investigating MyDoom, but what they have
found so far indicates the worm will be a tough clean-up. MyDoom changes
Windows Registry settings and dumps files in the KaZaA download
directory on computers with the peer-to-peer software installed.

http://www.microsoftmonitor.com/archives/002217.html (http://www.microsoftmonitor.com/archives/002217.html)

MetaWraith
27-01-2004, 10:02
More Info and a detection tool available here
http://www.datafellows.com/v-descs/novarg.shtml

Removal tool is not yet available, but when it is, it will be available from the same page.

Stuartbe
27-01-2004, 10:24
Wow :eek: It must be serious - It's made it to the top of CA's most dodgy list

Caspar
27-01-2004, 11:50
Ah!

Discovered on the 26th Jan 04, it's a mass-mailing worm that will perform a DoS on the 1st Feb 04 for 12 days! Target unknown to me.

I've had about 6 reports of this this morning alone.

Read more about it at Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html)

Jon M
27-01-2004, 12:01
duplicate casper.. sorry mate.. same virus different name

http://forum.nthellworld.co.uk/showthread.php?t=6885

MetaWraith
27-01-2004, 12:04
Target is SCO.COM, see my post in the other thread.

Caspar
27-01-2004, 12:23
I need to get up earlier s1lv3r! :)

At least I spelt your name right tho! :p :)

Stuartbe
27-01-2004, 12:39
Wow :eek: It must be serious - It's made it to the top of CA's most dodgy list

AAARG - the helpdesk lines are going mad... My team have lost 78 calls in the last half an hour...... Deep Breath - **$*$*$* £*$*£* $**$*$*$ bloo** w****** son of a **** !!!!!!!........ virus writers

Ahhhhh thats better :)

I'm going home :walk:

Paul
27-01-2004, 14:06
You are not alone Stu - we have had a few this morning - a few copies got past our Mailsweepers before they updated - most were then caught by the individual exchange box AV systems but a few got past them as well. :(

Fortunately no one has run the attachment yet ...... <fingers crossed>

Stuartbe
27-01-2004, 14:25
You are not alone Stu - we have had a few this morning - a few copies got past our Mailsweepers before they updated - most were then caught by the individual exchange box AV systems but a few got past them as well. :(

Fortunately no one has run the attachment yet ...... <fingers crossed>

I feel for you m8 - we use Symantec gateway security and it let 20-30 in overnight. The trouble is that our sales dept. have a policy of "oooo a file - let's double click it and see what happens".

I have stopped the LDAP service for the mo. so if someone does click it at least it won't mail out using the address book. :D

Jon M
27-01-2004, 14:43
Admins, (pem/stuartbe) you shouldn't really be letting those through even WITHOUT anti-virus filters on the mail server/s.
There should also be filetype filters in place that either block all binary attachments.. or block specific extensions like .cmd, .pif, .bat etc.. also anything with a double extension like .doc.scr for example.
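The attachment rules from the CA notice (block .bat/.cmd/.pif/.exe/.scr and look inside ZIPs, since the worm may arrive zipped) together with the double-extension rule from the post above, as an added Python example that is not the forum's or any vendor's filter; the file names and the in-memory ZIP are constructed.

```python
"""Attachment policy for the Mydoom.A mail vector: executable extensions
from the CA notice (.bat/.cmd/.pif/.exe/.scr), the same rule applied inside
ZIP attachments, and the double-extension rule (e.g. readme.doc.scr) from
the forum post.  Added example, not the forum's or any vendor's filter;
the sample names and the in-memory ZIP are constructed."""
import io
import zipfile

EXEC_EXTS = {".bat", ".cmd", ".pif", ".exe", ".scr"}


def classify_name(filename):
    """Return 'exec', 'double-ext', 'archive' or 'ok' for one file name."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or not parts[-1].isalnum():
        return "ok"
    ext = "." + parts[-1]
    if ext == ".zip":
        return "archive"
    if ext not in EXEC_EXTS:
        return "ok"
    # readme.doc.scr: a short inner "extension" hiding an executable one
    if len(parts) == 3 and 1 <= len(parts[-2]) <= 4 and parts[-2].isalnum():
        return "double-ext"
    return "exec"


def attachment_verdict(filename, data=None):
    """Return (verdict, reason).  Executables and double extensions are blocked
    outright; a ZIP is opened and every member (nested archives included) is
    judged by the same rule; a ZIP that cannot be inspected is held for
    manual release rather than delivered."""
    kind = classify_name(filename)
    if kind in ("exec", "double-ext"):
        return "block", f"{filename}: {kind}"
    if kind == "archive":
        if data is None:
            return "hold", f"{filename}: archive content not available"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner != "ok":
                        return "block", f"{filename}: member {member} is {inner}"
        except zipfile.BadZipFile:
            return "hold", f"{filename}: corrupt archive"
    return "allow", f"{filename}: ok"


def build_zip(members):
    """Constructed sample: an in-memory ZIP holding empty files with these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Names drawn from the advisory's lists plus a benign control
    samples = [("message.pif", None), ("readme.doc.scr", None),
               ("report.txt", None), ("document.zip", build_zip(["document.scr"])),
               ("photos.zip", build_zip(["holiday.jpg"])), ("data.zip", None)]
    for name, blob in samples:
        print(attachment_verdict(name, blob))
```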

Naomi17
27-01-2004, 14:48
I immunised my system and found 1 in my registry help available here

http://www.sophos.com/virusinfo/analyses/w32mydooma.html (http://www.sophos.com/virusinfo/analyses/w32mydooma.html)

Stuartbe
27-01-2004, 14:49
Admins, (pem/stuartbe) you shouldn't really be letting those through even WITHOUT anti-virus filters on the mail server/s.
There should also be filetype filters in place that either block all binary attachments.. or block specific extensions like .cmd, .pif, .bat etc.. also anything with a double extension like .doc.scr for example.

Not always practical with xchange m8.... I have tech support staff that need to send all kinds of files to users.

Maybe pem can confirm but I don't think you can apply file filters on xchange for different OUs ????

Jon M
27-01-2004, 15:04
OU's?
Depending on the size of your operation you should be able to deal with an incoming rule on exchange that affects a company of say.. 50 - 100 users without too much trouble (checking the parked area every hour or so).. any company bigger than that should be able to afford a more sophisticated server side solution

Stuartbe
27-01-2004, 15:09
OU's?

OUs - organisational units - grouping users for security policy purposes.

If I was to apply filters to all the users I would be forever pestered with hundreds of requests to release files. FYI we have just over 3500 users served by the xchange server. I have been looking to migrate to Kerio mail server as you can have higher level control. I have kerio running on a brother site to this one and I rarely have as many problems with it as I do xchange.

Good old microsoft :D

Paul
27-01-2004, 15:13
AFAIK, we don't block any extensions on the internal exchange system - it would cause many operational problems - we are basically an IT company.

Incoming we do block certain extensions (actually we put them on hold for manual release by request). Outgoing we don't block anything - it is up to the receiver to check their mail, not us.

FYI, I don't support our actual e-mail system - just a couple of remote site exchange boxes specific to my division.

SOSAGES
27-01-2004, 15:15
I'm sure we all have our favs but Trend Micro do a great email scanner for corps :)

That and giving users a slap when they open something stupid normally works for me =)

Blocking attachments is more trouble than it's worth in my experience; I s'pose the key to it is better education for the users.

Stuartbe
27-01-2004, 15:17
I'm sure we all have our favs but Trend Micro do a great email scanner for corps :)

That and giving users a slap when they open something stupid normally works for me =)

I prefer linking the server to a metal pad on the users seat - When they open a file :shocking:

MetaWraith
27-01-2004, 15:42
Have you tried subliminal images flashing the messages - "work harder", "don't open email attachments", or maybe just employing BOFH's trusty cattleprod. :shocking:

Paul
27-01-2004, 15:55
..... or maybe just employing BOFH's trusty cattleprod. :shocking:

Oh, how I would love to ........ :)

Shaun
27-01-2004, 17:19
Oh, I just got one :shock:

Norton AntiVirus removed the attachment: message.pif.
The attachment was infected with the W32.Novarg.A@mm virus.

zoombini
27-01-2004, 17:43
Target is SCO.COM, see my post in the other thread.
This wouldn't have been programmed by a Linux user would it?

Russ
27-01-2004, 18:09
Cool! Novarg paid me a visit this afternoon supposedly from feedback1@askjeeves.co.uk but Norton caught it :)

Julian
27-01-2004, 19:19
It's made the news now too - Article (http://news.bbc.co.uk/1/hi/technology/3432639.stm) :eek:

iadom
27-01-2004, 19:39
Me too, just had my first one, apparently from Mail Daemon returning undeliverable email (very sneaky)

My AV, Command from Authentium, had updated overnight so it was disinfected before I even got a look at it, and the attachment had been removed.

Ramrod
28-01-2004, 00:33
http://www.timesonline.co.uk/article/0,,1-979473,00.html

kronas
28-01-2004, 23:23
New variant aims to take down Microsoft's site.

http://story.news.yahoo.com/news?tmpl=story&cid=569&ncid=738&e=1&u=/nm/20040128/tc_nm/tech_worm_dc

iadom
30-01-2004, 22:22
My AV has updated def files four times in the past five days. If you don't have auto update you must check every day for new def files.

Have started to get scans on port 3127 (CTX Bridge port), which I think Mydoom is set to attack. Have also had this recent batch of scans from an NTL user, see attached jpeg. Also ports 1026 and 6129 are showing up more often; I believe that Blaster may be the cause of this.

EDIT. That IP resolves direct to Winnersh????
EDIT #2 Just happened again, anyone know what's going on.:confused:

Paul
30-01-2004, 23:43
MyDoom does not attack port 3127 - it listens on it - any probes to your port 3127 are people trying to connect to the listening trojan.

That IP does appear to belong to the Winnersh data centre - either they are scanning for infected PCs or someone in there is being a bit naughty.

iadom
30-01-2004, 23:52
I have just run Adaware but nothing found, then ran Pest Patrol, Search and Destroy and it found two files related to Bridge.

http://pestpatrol.com/PestInfo/b/bridge.asp

Have disinfected and will monitor.

MadGamer
31-01-2004, 00:24
I immunised my system and found 1 in my registry help available here

http://www.sophos.com/virusinfo/analyses/w32mydooma.html (http://www.sophos.com/virusinfo/analyses/w32mydooma.html) I saved that page in my favourites, just in case I get infected I know how to remove it.

MetaWraith
31-01-2004, 01:00
MyDoom does not attack port 3127 - it listens on it - any probes to your port 3127 are people trying to connect to the listening trojan.

That IP does appear to belong to the Winnersh data centre - either they are scanning for infected PCs or someone in there is being a bit naughty.
I am in the Winnersh area and haven't had any such scans yet, so I think it's more likely to be the B variant of Mydoom, which as well as having both SCO & macroshaft as its DoS targets also generates random IP addresses. It scans these addresses for an open port on 3127. If it finds one, it means it's most likely found a PC infected by the original virus, at which point it uses the backdoor within said virus to upload the new variant.

This could mean that Winnersh Data Centre is infected with the variant B, uh oh, time to rotate shield frequencies methinks.

Stuartbe
31-01-2004, 11:31
I am in the Winnersh area and haven't had any such scans yet, so I think it's more likely to be the B variant of Mydoom, which as well as having both SCO & macroshaft as its DoS targets also generates random IP addresses. It scans these addresses for an open port on 3127. If it finds one, it means it's most likely found a PC infected by the original virus, at which point it uses the backdoor within said virus to upload the new variant.

This could mean that Winnersh Data Centre is infected with the variant B, uh oh, time to rotate shield frequencies methinks.

There is another thread running about this one.

Info : TCP Port 3127
Common Use
Used by the myDoom/Novarg virus as a backdoor port.

Inbound Traffic
myDoom was an incredibly fast-spreading email virus that is due to DoS www.sco.com and www.microsoft.com. myDoom also installs a backdoor that listens on TCP port 3127, allowing a hacker to execute code remotely. TCP port 3127 traffic should be blocked by your firewall.

Outbound Traffic
Outbound scans if occurring in volume should be considered an indication of a possible infection or compromise on the source computer and should be investigated immediately.

Additional Information
http://www.cert.org/incident_notes/IN-2004-01.html

I have seen spoofed attacks from this worm so it may not be from NTL !
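Detection logic for the port note above, as an added Python example that is not from the forum or CERT: it splits TCP 3127 records into inbound probes (external hosts looking for the backdoor, as the B variant does) and internal hosts scanning out on 3127 in volume, which the note says should be treated as a possible infection. The log line format, the RFC 1918 ranges taken as "internal", and the TEST-NET addresses standing in for Internet hosts are all constructed assumptions.

```python
"""Firewall-log triage for TCP 3127, the Mydoom backdoor port: inbound
connections to 3127 are probes for already-infected hosts, while an internal
host opening 3127 to many addresses is itself a likely infection (the port
note's "outbound scans in volume").  Added example; the record format and
addresses are constructed, with TEST-NET ranges standing in for the Internet."""
import ipaddress
import re
from collections import Counter, defaultdict

BACKDOOR_PORTS = {3127}  # CA notice: falls back to 3128-3199 if 3127 is busy;
                         # widen this set to watch that range as well
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed record format: "<date> <time> TCP <src>:<sport> -> <dst>:<dport> <flags>"
_LINE_RE = re.compile(
    r"^(\S+ \S+) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def parse_line(line):
    """Return one connection record as a dict, or None if the line does not parse."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def is_internal(addr):
    """True if addr is in one of the site's own ranges (RFC 1918 assumed here)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(lines, scan_threshold=5, ports=BACKDOOR_PORTS):
    """Count inbound backdoor-port probes per external source and flag internal
    sources that reached >= scan_threshold distinct external hosts on the port."""
    inbound = Counter()
    outbound_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if not src_in and dst_in:
            inbound[rec["src"]] += 1
        elif src_in and not dst_in:
            outbound_targets[rec["src"]].add(rec["dst"])
    scanners = {src: len(dsts) for src, dsts in outbound_targets.items()
                if len(dsts) >= scan_threshold}
    return {"inbound_probes": dict(inbound), "outbound_scanners": scanners}


# Constructed sample: two external probers, one internal host scanning out on
# 3127, one internal host with a single 3127 connection, and an unrelated port.
SAMPLE_LOG = [
    "2004-01-30 22:10:01 TCP 198.51.100.7:4412 -> 10.0.0.5:3127 SYN",
    "2004-01-30 22:10:03 TCP 198.51.100.7:4413 -> 10.0.0.5:3127 SYN",
    "2004-01-30 22:10:05 TCP 198.51.100.7:4414 -> 10.0.0.5:3127 SYN",
    "2004-01-30 22:11:40 TCP 203.0.113.9:1026 -> 10.0.0.6:3127 SYN",
    "2004-01-30 22:12:00 TCP 10.0.0.22:1040 -> 203.0.113.11:3127 SYN",
    "2004-01-30 22:12:00 TCP 10.0.0.22:1041 -> 203.0.113.12:3127 SYN",
    "2004-01-30 22:12:01 TCP 10.0.0.22:1042 -> 203.0.113.13:3127 SYN",
    "2004-01-30 22:12:01 TCP 10.0.0.22:1043 -> 203.0.113.14:3127 SYN",
    "2004-01-30 22:12:02 TCP 10.0.0.22:1044 -> 203.0.113.15:3127 SYN",
    "2004-01-30 22:13:10 TCP 10.0.0.23:1050 -> 203.0.113.50:3127 SYN",
    "2004-01-30 22:13:11 TCP 10.0.0.23:1051 -> 203.0.113.50:80 SYN",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("inbound probes:", result["inbound_probes"])
    print("possible infected hosts scanning 3127:", result["outbound_scanners"])
```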

Florence
31-01-2004, 11:50
I arrived home from work on Wednesday to find that I had a visitor to my website from Germany, and within 15 mins I was receiving emails with the worm from loads of different addresses all ending in .de. I reported it to my hosting company, who started to monitor the situation, and for a while I wasn't able to view my website; it appeared the DNS was down. This was when I was receiving around 50 emails in a few mins; Norton was catching them all on my PC until everything stopped. I have had a few on Thursday and some Friday but none since.
I did notice that on Friday I seem to have had emails returned to me as if I had sent them. BUT they weren't from me and had the wrong details before @. I have checked my PC with the removal tool, which reported none was found. Just after the check I had two more emails returned, again with the wrong names before @ but from my ISP email addy, which I never use to send emails out unless I am requesting information for a news post, which at present I am not. They were also sent while I was in work and away from the PC.

Paul
01-02-2004, 22:53
I am in the Winnersh area and haven't had any such scans yet, so I think it's more likely to be the B variant of Mydoom, which as well as having both SCO & macroshaft as its DoS targets also generates random IP addresses. It scans these addresses for an open port on 3127. If it finds one, it means it's most likely found a PC infected by the original virus, at which point it uses the backdoor within said virus to upload the new variant.

This could mean that Winnersh Data Centre is infected with the variant B, uh oh, time to rotate shield frequencies methinks.

Thank you Meta - I had not yet caught up on all the bits of the B variant and hadn't seen that it scans for the A version. So yes, it looks likely they have an infected machine (or machines) in the Winnersh DC.

MetaWraith
01-02-2004, 23:19
Thank you Meta - I had not yet caught up on all the bits of the B variant and hadn't seen that it scans for the A version. So yes, it looks likely they have an infected machine (or machines) in the Winnersh DC.
You're welcome.

btw
The BBC reports that Mydoom did succeed in crippling the SCO website, which doesn't bode well for Macroshaft on Tuesday.

http://news.bbc.co.uk/1/hi/technology/3449931.stm

The best antivirus defence is still the Mk-I Greymatter, from Naked Brain Enterprises, a Natural Resources Product. :rolleyes:

MadGamer
06-02-2004, 17:51
When will this virus actually be gone?

paulyoung666
06-02-2004, 18:02
When will this virus actually be gone?



Never, I would guess, although it would get less severe in time, ready for the next one to rear its ugly head :mad: :mad: :mad: :mad:

kronas
10-02-2004, 02:06
The new variant of the Mydoom virus, dubbed 'doomjuice', is starting to appear on machines which are infected with either of the first two worms.

It has already slowed the Microsoft site down.

Source: Yahoo News

http://story.news.yahoo.com/news?tmpl=story2&u=/nm/20040209/tc_nm/tech_worm_dc

And so it continues :rolleyes:

EDIT:

'deadhat' is another variant much like the 'doomjuice' virus; this spreads itself via peer-to-peer programs.

Source: CNET

http://news.com.com/2100-7349_3-5156105.html?part=rss&tag=feed&subj=news

Tricky
10-02-2004, 08:47
the new variant of the mydoom virus being dubbed as 'doomjuice' is starting to appear across machines which are infected with either of the first two worms. <SNIP>



PSS Security Response Team Alert - New Worm: W32/Mimail@mm
SEVERITY: MODERATE

DATE: February 9, 2004

PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail

**********************************************************************

WHAT IS IT?

Mydoom.C (also referred to as DoomJuice) is a variant of the Mydoom worm that attacks and infects only those systems which are currently infected with Mydoom.A. Customers who are not infected by Mydoom.A are not at risk from Mydoom.C. Customers who are currently infected with Mydoom.B are not at risk from Mydoom.C.

Mydoom.C also attempts to levy a denial of service attack against Microsoft properties. All Microsoft properties are available and stable. There is more information available at:

http://www.microsoft.com/security/antivirus/mydoom.asp

The Microsoft Product Support Services Security Team is issuing this alert to advise customers to be on the alert for this virus as it spreads in the wild. Customers are advised to review the information and take the appropriate action for their environments.

IMPACT OF ATTACK: Denial of Service

TECHNICAL DETAILS:

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=38238

Network Associates:
http://vil.nai.com/vil/content/v_101002.htm

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A


For more information on Microsoft's Virus Information Alliance please visit this link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

Mydoom.C propagates only to systems that are currently infected by Mydoom.A by connecting on TCP port 3127. You can prevent infection by Mydoom.C by blocking access to TCP port 3127 (Note: The Internet Connection Firewall (ICF) in Windows XP blocks access to TCP port 3127 by default). In addition, you can prevent infection by Mydoom.C by ensuring that you are not infected with Mydoom.A, either by preventing infection from Mydoom.A or by cleaning a system that has been infected by Mydoom.A as quickly as possible.

To prevent infection from Mydoom.A:

Outlook 2000 post SP2 and Outlook XP SP2 include the most recent updates to improve the security in Outlook and other Office programs. This includes the functionality to block potentially harmful attachment types. It can be configured to block Zip file attachments but does not do so by default.

To ensure you are using the latest version of Office click here: http://office.microsoft.com/ProductUpdates/default.aspx

By default, Outlook 2000 pre SR1 and Outlook 98 did not include this functionality, but it can be obtained by installing the Outlook E-mail Security Update. More information about the Outlook E-mail Security Update can be found here: http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

Outlook Express 6 can be configured to block access to potentially-damaging attachments. Information about how to configure this can be found here: http://support.microsoft.com/?id=291387

Outlook Express all other versions: Previous versions of Outlook Express do not contain attachment-blocking functionality. Please exercise extreme caution when opening unsolicited e-mail messages with attachments.

Web-based e-mail programs: Use of an application-level firewall can protect you from being infected with this virus through Web-based e-mail programs.

To clean a system infected with Mydoom.A:

If Mydoom.A has infected computers in your organization, please contact your preferred antivirus vendor or Microsoft Product Support Services for assistance with removing it.

You can also use the Mydoom recovery tool that is detailed in Microsoft Knowledge Base article 836528 to remove the Mydoom.A and Mydoom.B worms from your system.

RECOVERY:
If your computer has been infected with this virus, please contact your preferred antivirus vendor or Microsoft Product Support Services for assistance with removing it.

TECHNET SECURITY LINK: http://www.microsoft.com/technet/security/virus/alerts/mydoomc.asp