W32.Novarg.A@mm [Symantec] W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]


3cakes
27-01-2004, 01:54 PM
There is a new mass-mailing virus doing the rounds.

W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm also contains functionality to perform as a proxy server. It listens on all TCP ports in the range 3127-3198.

The worm will perform a DoS starting on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading.

Source:
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

gstark
27-01-2004, 02:22 PM
Yep.

I've been seeing instances of this since around 11 this morning.

I'm just stopping them dead at the front door though. With the right sendmail rules in place, the server just issues a 550 and tells the message sender to go away, and denies the traffic.

3cakes
27-01-2004, 02:27 PM
Here are some answers to questions you may have.

What Should I Do?

Users are advised to familiarise themselves with the appearance of the email, and as always never launch suspicious attachments in email.

W32/MyDoom-A arrives in emails with the following characteristics:
Subject lines include:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Attachment names include:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attachment extensions:
bat
cmd
exe
pif
scr
zip

How Does It Work?
W32/MyDoom-A attaches itself to emails in either EXE (Windows program) or ZIP (Zip archive) format.
W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.
W32/MyDoom-A adds the value:
Taskmon = taskmon.exe
to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/MyDoom-A loads every time you logon to your computer.
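
The indicator lists above (subject lines, attachment base names and extensions) are enough to write a simple classifier for incoming mail. The following is an added example, not code from the original post or from any vendor; the message format it parses is standard RFC 822/MIME and the sample messages are constructed for the test.

```python
import email
from email import policy

# Subject lines, attachment base names and extensions listed in the post above.
MYDOOM_SUBJECTS = {"error", "hello", "hi", "mail delivery system",
                   "mail transaction failed", "server report", "status", "test"}
MYDOOM_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test"}
MYDOOM_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}

def attachment_names(msg):
    """Yield the filename of every attachment part in a parsed message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name

def looks_like_mydoom(raw):
    """Classify one raw RFC 822 message. Returns (matched, reason).
    A hit needs a listed attachment extension plus either a listed subject
    or a listed attachment base name; the subject alone is not enough,
    since 'hi' and 'test' also occur in plenty of legitimate mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    subj_hit = subject in MYDOOM_SUBJECTS
    for name in attachment_names(msg):
        base, _, ext = name.lower().rpartition(".")
        if ext in MYDOOM_EXTS and (subj_hit or base in MYDOOM_NAMES):
            return True, f"subject={subject!r} attachment={name!r}"
    return False, ""

def build_message(subject, filename):
    """Constructed two-part MIME message used for testing (not real worm mail)."""
    return (f"From: sandra@example.com\nTo: bob@example.net\nSubject: {subject}\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nconstructed body\n"
            f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")

if __name__ == "__main__":
    for subj, fname in [("Mail Delivery System", "document.zip"),
                        ("kjwerv", "readme.pif"), ("hi", "photo.jpg"),
                        ("Status report for Q4", "report.pdf")]:
        print(subj, fname, looks_like_mydoom(build_message(subj, fname)))
```

A message with a random subject, a random attachment name and an executable extension slips past this rule, which is why most sites simply quarantine every .pif, .scr, .bat and .cmd attachment regardless of name.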

gstark
27-01-2004, 02:31 PM
Originally posted by 3cakes
What Should I Do?

Good advice, but far too complex. :)

1: Make sure that your AV sigs are up to date.

2: Treat everything as suspicious.

3: Don't open anything that looks suspicious.

bridget
27-01-2004, 03:41 PM
Thanks for the info 3cakes - I've been deleting (via MailWasher) the little blighters today too on the basis of if it looks like a virus, walks like a virus and quacks like a virus then it probably is a virus :D

gstark
27-01-2004, 03:52 PM
This virus is attempting to perform a form of dictionary attack too.

Just for grins, here's a few lines from my email server logs. Note that the name of the sender is spoofed, and the recipient name is generated by the dictionary attack and doesn't exist.

Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: ruleset=check_rcpt, arg1=<sandra@redbacksweb.com>, relay=CPE-203-51-23-136.nsw.bigpond.net.au [203.51.23.136], reject=550 5.2.1 <sandra@redbacksweb.com>... Mailbox disabled for this recipient

Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: lost input channel from CPE-203-51-23-136.nsw.bigpond.net.au [203.51.23.136] to MTA after rcpt

Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: from=<jlinton@swiftel.com.au>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=CPE-203-51-23-136.nsw.bigpond.net.au [203.51.23.136]



There's quite a few like this: same recipient, same "sender", same source IP.

Enjoy :)
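
The log lines above show the pattern a defender can key on: one relay IP, many 550 rejects at RCPT time, each for a different non-existent local name. The following added example (not the poster's code) parses sendmail lines in that format and reports relay IPs that probed several distinct unknown recipients; the sample log is constructed, modelled on the lines quoted above, with documentation IP ranges and example.com addresses.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$")
RELAY_RE = re.compile(r"relay=\S+ \[(?P<ip>[\d.]+)\]")
RCPT_RE = re.compile(r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>.*reject=550")

def rejected_recipients(lines):
    """Map relay IP -> set of recipients sendmail rejected with 550 at RCPT
    time. 'lost input channel' and from= lines carry no check_rcpt reject
    and are ignored, so only real probes are counted."""
    per_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        relay, rcpt = RELAY_RE.search(m["rest"]), RCPT_RE.search(m["rest"])
        if relay and rcpt:
            per_ip[relay["ip"]].add(rcpt["rcpt"].lower())
    return per_ip

def dictionary_attack_sources(lines, threshold=3):
    """Relay IPs that probed at least `threshold` distinct non-existent
    recipients. A single mistyped address will not trip it; a name list will."""
    return sorted(ip for ip, rcpts in rejected_recipients(lines).items()
                  if len(rcpts) >= threshold)

# Constructed sample in the format of the lines quoted above (not real logs).
SAMPLE_LOG = """\
Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: ruleset=check_rcpt, arg1=<sandra@example.com>, relay=host-1.example.net [192.0.2.10], reject=550 5.2.1 <sandra@example.com>... Mailbox disabled for this recipient
Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: lost input channel from host-1.example.net [192.0.2.10] to MTA after rcpt
Jan 27 16:19:17 giulia sendmail[29620]: i0R5JCf8029620: from=<jlinton@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host-1.example.net [192.0.2.10]
Jan 27 16:20:02 giulia sendmail[29631]: i0R5K2f8029631: ruleset=check_rcpt, arg1=<bob@example.com>, relay=host-1.example.net [192.0.2.10], reject=550 5.1.1 <bob@example.com>... User unknown
Jan 27 16:20:40 giulia sendmail[29640]: i0R5Kef8029640: ruleset=check_rcpt, arg1=<andrew@example.com>, relay=host-1.example.net [192.0.2.10], reject=550 5.1.1 <andrew@example.com>... User unknown
Jan 27 16:21:05 giulia sendmail[29655]: i0R5L5f8029655: ruleset=check_rcpt, arg1=<accounts@example.com>, relay=host-2.example.net [198.51.100.7], reject=550 5.1.1 <accounts@example.com>... User unknown
""".splitlines()

if __name__ == "__main__":
    print(dictionary_attack_sources(SAMPLE_LOG))
```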

alexd
28-01-2004, 04:08 AM
I got an e-mail on my Swiftel account and I actually opened the file (it's the first e-mail virus that has convinced me to open it). What should I do now? I updated Norton before but it said it was unable to repair the file, so I'm not sure if it fixed it or not.

PS: How come we get this virus if no-one knows our Swiftel e-mail address?

gstark
28-01-2004, 06:11 AM
Originally posted by alexd
I got an e-mail on my Swiftel account and I actually opened the file (it's the first e-mail virus that has convinced me to open it). What should I do now? I updated Norton before but it said it was unable to repair the file, so I'm not sure if it fixed it or not.

What are you using as your email client? Did you open the attachment? There's a cleaning tool for this piece of malware at support.ca.com. Download and run that to see if you're actually infected.

PS: How come we get this virus if no-one knows our Swiftel e-mail address?

Perhaps someone at Swiftel is infected? It's happened before.

Alternatively, if your username is a simple firstname (alex@...) this virus performs a dictionary attack using generic first names and the domain. See my posting above.

PT_Richard
28-01-2004, 06:30 AM
Ah,

Have a few suspect mails in the queue listing...

Not the usual random@someplace to user@aol.com..

Richard

gstark
28-01-2004, 08:23 AM
Richard

Originally posted by DSL_ENG
Ah,

Have a few suspect mails in the queue listing...

Not the usual random@someplace to user@aol.com..

Richard

This seems to be generating simple dictionary email addresses for both the sender and recipient.

Filter on the subject line and you'll catch most of 'em; the problem ones are those with the "transaction failed" type of messages that might be ones you may be interested in seeing.

alexd
28-01-2004, 05:26 PM
Originally posted by gstark
What are you using as your email client? Did you open the attachment? There's a cleaning tool for this piece of malware at support.ca.com. Download and run that to see if you're actually infected.

Outlook Express... (I turn off the preview window), I tried saving the file to my HD to scan it first, but Norton just came up with a Virus Detected window as soon as I clicked 'save'. Thanks for the link, although I couldn't find the cleaning tool... what is it called?

3cakes
28-01-2004, 05:32 PM
Did it actually let you save the file? If it detected the virus after you clicked save, maybe it intercepted it before it did any damage?

bridget
28-01-2004, 05:36 PM
Hi alexd

Here's the link for the cleaning utility gstark referred to -

http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593

kyanite
28-01-2004, 05:43 PM
I have the email,
bob@swiftdsl.com.au

and I have recorded over 300 instances of the virus. It must also be spoofing from addresses as my email, since I have been getting return to sender emails and emails telling me that I have a virus.

Which I must say, I do not. Used Norton's, checked using CA. 100% clean.

I am averaging about 30 emails per hour with the virus attached.

W32/MyDoom-A
is a real nasty thing.

Makes me hate linux more. :)

gstark
28-01-2004, 05:52 PM
Originally posted by kyanite
I have the email,
bob@swiftdsl.com.au



That's a part of its dictionary attack. It's using names like bob, andrew, sandra, michael and appending @somedomain from the infected person's address book to them, and it's using those as both the target and the purported source of the viral email.


and I have recorded over 300 instances of the virus. It must also be spoofing from addresses as my email, since I have been getting return to sender


Yeah, I've given up even trying to count, but it's probably running at around 20 - 40 an hour at my server, although they're not getting any further than that.


W32/MyDoom-A
is a real nasty thing.

SWEN was far worse, with hits counting into several hundred/hour on my server, and two colleagues' servers were virtually brought to their knees.

And we all know about how well Telstra handled Swen. :)

Best idea is to filter the subject line based upon the content lines noted earlier in this thread. Just delete 'em on that basis; there's unlikely to be anything worth seeing with those subject lines.

Except maybe a "Hi" from Paris Hilton. :)

Tux
28-01-2004, 06:54 PM
One thing I have noticed is that it appears to be trying to guess usernames. I am seeing lots of "user unknown"s in my mail logs... it seems to use common names like bob, fred, john, etc.

gstark
28-01-2004, 07:02 PM
Originally posted by Tux
One thing I have noticed is that it appears to be trying to guess usernames. I am seeing lots of "user unknown"s in my mail logs... it seems to use common names like bob, fred, john, etc.

Yes. Please reread my comments about the dictionary attack.

Tux
28-01-2004, 07:21 PM
No, it's probably got a list of what seem to be common first names hard coded into the virus that it uses to propagate itself to other servers.

gstark
29-01-2004, 12:09 AM
Originally posted by Tux
No, it's probably got a list of what seem to be common first names hard coded into the virus that it uses to propagate itself to other servers.

Er, yes. That is precisely one form of a dictionary attack. There are other forms, but this is a common one.

smith
29-01-2004, 09:05 AM
So is there any way to stop the spam coming in other than deleting it?

gstark
29-01-2004, 09:59 AM
Originally posted by smith
So is there any way to stop the spam coming in other than deleting it?

That depends.

If you run your own mailserver, then it depends upon the capabilities of the server. I'm running sendmail on a linux box, and it allows me to do quite a lot, to the point that my limitation is my own (lack of) knowledge. I'd really like to get some regular expression filtering going in there ...

If you don't run your own mailserver, then something like mailwasher (I think it does this) might help, whereby it scans the contents of your mailbox, allowing you to review what's there, and then you can choose to only download what you want, rather than everything that's there.

Cams
29-01-2004, 10:38 AM
And just to keep you all on your toes, there is now a MyDoom.B variant.

This one is going to DoS microsoft.com.

Over the last 24 hour period we have received 705 emails containing viruses. MyDoom also gets some of its names from scanning files on your computer.

bridget
29-01-2004, 11:22 AM
Hi smith

gstark is correct re MailWasher - with this program you can review your emails on the mail server before downloading them through your email client. Any emails you don't want can be deleted directly from the server - but don't "bounce" them (another MailWasher option) because as DSL_ENG points out this causes reverse spam.

Hope this helps

Bridget

Delias
29-01-2004, 02:43 PM
Amazing, I got my first Novarg email on my Yahoo account. Remarkable. Automatically deleted. It wouldn't even let me d/l, heh.

gstark
29-01-2004, 04:39 PM
Originally posted by Delias
Amazing, I got my first Novarg email on my Yahoo account. Remarkable. Automatically deleted. It wouldn't even let me d/l, heh.

Yahoo is actually filtering their groups on the basis of the subject line. Perhaps they're also filtering their general email in this manner too.

davek
31-01-2004, 09:29 AM
Originally posted by kyanite

W32/MyDoom-A
is a real nasty thing.

I was talking to someone recently about this virus. In their opinion it was all Microsoft's fault and that they should clean their act up.

Statements like "makes me hate linux more. :)" are just plain moronic .. you might as well hate Toyota or Ford because of all the car accidents, or that Boeing are the spawn of Satan because of 9/11.

Show me the "Linux user" who wrote the virus and I'll show you two piles of $250,000. As you were...

PT_Richard
04-02-2004, 11:21 PM
http://www.microsoft.com/security/antivirus/mydoom.asp

http://www.microsoft.com/security/antivirus/mydoom.asp#howtotell

davek
05-02-2004, 12:06 AM
Even better ..
http://vil.nai.com/vil/stinger/

gstark
05-02-2004, 07:23 AM
Originally posted by davek
Even better ..
http://vil.nai.com/vil/stinger/

Or just don't use Outbreak!

davek
05-02-2004, 08:34 AM
Originally posted by gstark
Or just don't use Outbreak!

.. eh?

3cakes
05-02-2004, 08:57 AM
that's what I was going to say.

Gary, can you please expand on that or is this some esoteric code-word to initiate the downfall of humanity?

gstark
05-02-2004, 09:00 AM
Originally posted by davek
.. eh?

Microsoft Outlook.

Don't use it.

Avoid it!

Kill it.



Use something else; it fits perfectly the definition of a "net": it's full of holes!

Don't use it, and you'll be surprised at how much more secure your email systems will become.


Capiche?

3cakes
05-02-2004, 10:49 AM
So it was a code word for a system that will bring down humanity.

davek
05-02-2004, 04:21 PM
Originally posted by 3cakes
So it was a code word for a system that will bring down humanity.

OutBreak is also a McAfee product ..

Avoiding Outlook is not the solution, though...

sbaer
05-02-2004, 04:41 PM
Avoiding Outlook is not the complete solution but it sure does help (-:

I use Magic Mail Monitor to inspect all emails before they get anywhere near Outlook. I would use Eudora by choice but it's just too hard when syncing with an iPAQ.

In Magic Mail you can easily see the size of emails and that is usually all you need to identify it as a virus. If not, you can just double-click and it will open in Notepad, nice and safe. Your antivirus software should detect any viruses as the file hits your temp folder. Unlike MailWasher, Magic Mail is tiny and requires no installation. You could carry it around on a floppy or even run it from a floppy.

nPOP is another similar program that is also very small but allows for sending emails as well.

If you are using Outlook, make sure you NEVER use the preview pane (I think they made a spelling mistake, it should have been preview pain), it is a sure way to get yourself infected.