Virus Alert: W32.Novarg.A@mm

neil
Posts: 4584
Joined: Sun Apr 28, 2002 10:24 pm

Virus Alert: W32.Novarg.A@mm

Post by neil » Tue Jan 27, 2004 9:15 am

Check your virus definitions date! This will be an interesting one to watch. I wonder if it will take out Nordea like Blaster did?

It can generate 8 million infected emails within 24 hours. This is twice as many as Sobig.F was able to produce.

W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

When the machine gets infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This will potentially allow a hacker to connect to the machine and utilize it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

The worm will perform a DoS starting on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading.

More information: http://securityresponse.symantec.com/av ... [email protected]


Neil

Please add a link to https://www.finlandforum.org


PeterF
Posts: 4144
Joined: Sun Nov 10, 2002 10:00 pm

Post by PeterF » Tue Jan 27, 2004 12:49 pm

See also F Secure for more details and protection.

http://www.f-secure.com/v-descs/novarg.shtml

They are a Finnish company btw...interesting to note that Unix is not affected/infected by it.

neil
Posts: 4584
Joined: Sun Apr 28, 2002 10:24 pm

Post by neil » Tue Jan 27, 2004 1:57 pm

Peter Floyd wrote:...interesting to note that Unix is not affected/infected by it.
No it's not. That's normal. Linux/UNIX is the platform of choice for most virus writers/hackers. Furthermore, because of the architecture of *UX OSes (being built around permissions rather than look), they are not as vulnerable as windoze. They are OTOH equally vulnerable to server vulnerabilities (worms/exploits) when left unpatched.

One thing that is interesting is the way it tries to prolong its survival and traceability by avoiding sending directly to the following domains and email addresses with the following keywords:

When W32.Novarg.A@mm is sending email, it will avoid distributing to domains which contain any of the following strings:


avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

accounts that match any of the following strings:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page

or accounts that contain any of the following strings:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun

It's a great idea. Not exactly genius, but a nice attempt nonetheless.
Neil


neil
Posts: 4584
Joined: Sun Apr 28, 2002 10:24 pm

Post by neil » Tue Jan 27, 2004 2:05 pm

Peter Floyd wrote: They are a Finnish company btw...interesting .
Did you know F-Secure only have 2 resources who make virus definitions for their global products. Two guys, that is, who are based in Ruholahti and who work mon-fri, 9-5.

Not a company whose AV product I would choose to use in a hurry! I can hear it now

me on a Friday night at 6pm: "erm, I have 100,000 clients needing updated definitions"

them: "our support line is open from 9am until 5pm, Monday to Friday, please leave a message".

They are a Finnish company btw...interesting .... hehe! Yes. Very.
Neil


Guest

Post by Guest » Tue Jan 27, 2004 4:13 pm

I got 12 mails today with the virus in it :roll:

gavin

Post by gavin » Tue Jan 27, 2004 4:20 pm

Arno wrote:I got 12 mails today with the virus in it :roll:
At least 50 here :?

And mostly from bigger companies/agencies, including the Finnish Customs, Finnish Foreign Ministry, Nokia, Timberjack etc. etc... (er, this isn't a knock at Finnish companies, TJ is owned by John Deere these days...) :roll:

dusty_bin
Posts: 2208
Joined: Sun May 04, 2003 10:56 pm
Location: Estonia

Post by dusty_bin » Tue Jan 27, 2004 5:51 pm

Maybe they all use F-Secure and they got infected on Sunday/Monday, before the guys had had their kahvi ja pulla!

I have had two, my email virus checker picked up one, but the other got through, but who in their right mind would open an .exe file from a stranger?

I don't know if my AV scanner would have picked it up as it never got that far!

BTW does anyone have a version of AVG free version 5 as an executable? I dislike the current free version as it now picks up the virus and then makes you run the scanner to remove it. I guess that is to encourage me to pay for the full version.

Guest

Post by Guest » Tue Jan 27, 2004 6:34 pm

Mine were all picked out, luckily.
But you're right. You'd be an idiot to open an exe file from a stranger.

Usually I don't even open any exe, scr, bat or pif files. Not even from people on my list.

Majava
Posts: 658
Joined: Thu May 22, 2003 11:57 pm
Location: Oripää, Finland

Post by Majava » Tue Jan 27, 2004 7:56 pm

Arno wrote:I got 12 mails today with the virus in it :roll:
None!!! :D :D
it will avoid distributing to domains which contain any of the following strings:
mozilla
I guess that's the one that does the trick for me :wink:
"Remember-you can't beam through a force field. So, don't try it. "(James T. Kirk)

Tom and Jerry

Post by Tom and Jerry » Tue Jan 27, 2004 8:07 pm

neil wrote:
Did you know F-Secure only have 2 resources who make virus definitions for their global products. Two guys, that is, who are based in Ruholahti and who work mon-fri, 9-5.

Not a company whose AV product I would choose to use in a hurry! I can hear it now

They are a Finnish company btw...interesting .... hehe! Yes. Very.
They (or he) started in 1990. It's very well possible they have only 2 persons for viruses. Isn't Mikko Hyppönen one of them?

sometimes they are faster than Semantics, sometimes not.

neil
Posts: 4584
Joined: Sun Apr 28, 2002 10:24 pm

Post by neil » Tue Jan 27, 2004 8:26 pm

dusty_bin wrote:I don't know if my AV scanner would have picked it up as it never got that far!

BTW does anyone have a version of AVG free version 5 as an executable? I dislike the current free version as it now picks up the virus and then makes you run the scanner to remove it. I guess that is to encourage me to pay for the full version.
The real-time scanner should pick it up when opened. I say 'should' as it depends on whether you have got the latest virus defs and whether your AV vendor has provided defs (all the main players have in this case).

If you are looking for an AV solution, use EZ AV from CA. It's not the best, but it's free:

http://www...com/bb/viewtopic.php?t ... associates

Their VET scanning engine is not the best, but their realtime protection is not bad and post-infection options are good. They can clean memory resident files on-the-fly whereas for example Symantec require you to download specific virus removal utilities.
Neil


mof
Posts: 247
Joined: Thu May 22, 2003 3:29 pm
Location: on line

Post by mof » Tue Jan 27, 2004 8:54 pm

I am very security conscious at work.

If anyone sends me an attachment I am not expecting I will not open it.
Including my boss and co workers...

The emails with subject lines like 'your report is two weeks late, please fill in the attached template' are just an advanced form of social engineering that I will not fall for...

These guys are quite advanced; they even then spoof my employer’s gsm number and spam me with strange things like 'if you don't reply to this you will lose your job....

We'll see who has the last laugh :?



But on the Linux side.

I feel that Linux is more susceptible to viruses than MS is.
I mean if everyone has the source code available, exploits are obvious and plentiful.....BUT most of the Linux community play nice and have a common enemy(maybe enemy is harsh) and in general nix users are more knowledgeable about OS level spec.

Virus writing is an admirable skill, virus distribution is not.


I really hope that this is not the start of a virus posting forum.*pleading*
But if it is, I look forward to hitting my 10,000th post next month when I start forwarding all Security alerts from Bugtraq and work,,,


MOF

Slothrop
Posts: 1300
Joined: Thu May 22, 2003 3:22 am

Post by Slothrop » Tue Jan 27, 2004 9:16 pm

On the Linux side....


Mydoom (a.k.a. Novarg) has started a worldwide denial-of-service attack from every infected machine against the web server of the company SCO. SCO is one of the largest and oldest suppliers of UNIX systems. http://WWW.SCO.COM nevertheless still appears to be working normally.

SCO has stirred up wide public debate because it claimed last December that the Linux operating system misuses code to which SCO holds the copyright. It is feared that this will strip Linux of its free and open nature. "Many users of the Linux operating system feel threatened, and some apparently feel entitled to strike back," says Mikko Hyppönen, head of F-Secure's anti-virus unit.

Revenge of the Penguins?

I got eight of them in today, in weird batches; one set of four from Oz, one trio from some woman in the UK who apparently belongs to assholesonline, and one wild "floater" from godknowswhere. Norton snaffled them all up without any trouble. Why the duplicate attempts, though? Is this part of the M.O. of the worm?

SEMANTICS - hah! ... great name, but it's Symantec :)
"Passion is inversely proportional to the amount of real information available" (Benford's Law of Controversy)

Ace

Post by Ace » Wed Jan 28, 2004 8:56 am

Here's an English version:
SEATTLE (Reuters) - MyDoom, the latest worm to infect computers over the Internet, has become the fastest-spreading attack since last summer's twin attacks by the Blaster worm and SoBig virus, computer security experts say.

Since appearing late Monday afternoon, the worm, also known as Novarg or Shimgapi, has spread rapidly, mostly in North America, accounting for one in nine messages globally, experts said on Tuesday. The volume of messages clogged networks and appeared to be concentrated in corporate environments, experts said.

Anti-virus experts said the worm was designed to attack the Web site of the SCO Group Inc., the small software maker suing IBM over the use of code for the Linux operating system, experts said on Tuesday.

In response, SCO, which has drawn the ire of many Linux advocates for its claims that Linux software includes copyrighted code from the Unix operating system, offered a $250,000 reward for "information leading to the arrest and conviction of those responsible for this crime."

The new worm is activated when unsuspecting recipients of an e-mail message open a file attachment that releases a virus.

An infected personal computer could then allow attackers to gain unauthorised access and use the computer to aid in an Internet attack to bring down SCO's Web site, said Oliver Friedrichs, senior manager at security company Symantec Corp.

"Certainly there's code in here to launch a denial-of-service attack against SCO on February 1," Friedrichs told reporters on a conference call.

BOUNTY OFFERED

SCO, based in Lindon, Utah, has already been targeted repeatedly with numerous denial-of-service attacks, which are used to flood a Web site with requests for information so that it overloads and shuts down.

"This one (MyDoom) is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organisations around the world," Darl McBride, SCO's chief executive, said in a statement. "We do not know the origins or reasons for this attack, although we have our suspicions. This is criminal activity and it must be stopped."

SCO claimed in a lawsuit filed last March that International Business Machines Corp.'s customers and others are illegally using a version of the Linux operating system, a free operating system that software developers can modify.

The attacks from infected computers are scheduled to begin on February 1 and continue to February 12, Symantec said.

At risk are computers running the latest versions of Microsoft Corp.'s Windows programs and any e-mail program.

The worm doesn't exploit any flaws in Windows, but rather is designed to entice the recipient of an e-mail to open an attached file and run programs contained in the attachment.

The mass-mailing worm arrives as an attachment with an .exe, .scr, .zip or .pif extension and can have a subject line of "test" or "status."

Users who receive the worm and simply ignore or delete it will be able to avoid any damage.

MyDoom also mails itself out to addresses in the victim's computer and is clogging mail servers and degrading network performance at companies, experts said.

The worm appears to have a random sender's address and subject line and sometimes contains an error message such as "The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment."

Microsoft also offered two $250,000 bounties last November for information leading to the capture of those responsible for the Blaster worm and SoBig virus.
BTW I use Fsecure we get it for free from school and in many cases they've been ahead of the game with viruses. They get a :thumbsup: from me ;-)
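The Reuters story and the first post between them list the mail-side indicators of this worm: an attachment ending in .bat, .cmd, .exe, .pif, .scr or .zip, a subject of "test" or "status", and the fake bounce text "The message cannot be represented in 7-bit ASCII". The script below is an added example, not from the thread, Reuters or Symantec; it uses Python's standard email module to triage a raw message against those indicators. The sample message is constructed and its attachment is harmless filler bytes; the indicator sets and the function names are this example's own assumptions.

```python
"""Triage an inbound message for the Novarg/MyDoom indicators quoted in the thread.

Added example, not from the forum or the news story. It reports which of
three signals a message carries: a risky attachment extension, a known
subject line, and the fake "7-bit ASCII" bounce text in the body. The
raw message below is constructed; the base64 attachment is filler text,
not worm code.
"""
import email
import os
from email import policy

RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
KNOWN_SUBJECTS = {"test", "status"}
FAKE_BOUNCE_TEXT = "the message cannot be represented in 7-bit ascii"

# Constructed sample message carrying all three indicators
SAMPLE_MESSAGE = b"""\
From: [email protected]
To: [email protected]
Subject: status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment.

--XYZ
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBwYXlsb2FkLCBqdXN0IGZpbGxlciBieXRlcy4=
--XYZ--
"""


def triage(raw_bytes):
    """Return a list of human-readable reasons the message looks like Novarg.

    An empty list means none of the three indicators matched.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    # Indicator 1: subject line "test" or "status" (compared case-insensitively)
    subject = (msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject {subject!r} matches a known worm subject")

    # Indicator 2: fake bounce text in any non-attachment text/plain part
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            if FAKE_BOUNCE_TEXT in part.get_content().lower():
                reasons.append("body contains the fake 7-bit ASCII bounce text")

    # Indicator 3: attachment with one of the listed executable/archive extensions
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name!r} has risky extension {ext}")

    return reasons


def should_quarantine(raw_bytes):
    """Conservative policy: any risky attachment extension alone is enough."""
    return any("risky extension" in reason for reason in triage(raw_bytes))


if __name__ == "__main__":
    for reason in triage(SAMPLE_MESSAGE):
        print("-", reason)
    print("quarantine:", should_quarantine(SAMPLE_MESSAGE))
```

The attachment check is the one worth acting on by itself, since the subject and body text vary between copies (the story notes the sender and subject are randomised); the other two are corroboration for an analyst rather than a blocking rule.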

neil
Posts: 4584
Joined: Sun Apr 28, 2002 10:24 pm

Post by neil » Wed Jan 28, 2004 2:56 pm

The short life and hard times of a Linux virus

Why aren't the existing Linux viruses[1] anything more than a topic for conversation? Why don't they affect you in your daily computing in the way that MS viruses affect Windows users?

There are several reasons for the non-issue of the Linux virus. Most of those reasons a Linux user would already be familiar with, but there is one, all important, reason that a student of evolution or zoology would also appreciate.

First, let's take a look at the way Linux has stacked the deck against the virus.

For a Linux binary virus to infect executables, those executables must be writable by the user activating the virus. That is not likely to be the case. Chances are, the programs are owned by root and the user is running from a non-privileged account. Further, the less experienced the user, the lower the likelihood that he actually owns any executable programs. Therefore, the users who are the least savvy about such hazards are also the ones with the least fertile home directories for viruses.

Even if the virus successfully infects a program owned by the user, its task of propagation is made much more difficult by the limited privileges of the user account. [For neophyte Linux users running a single-user system, of course, this argument may not apply. Such a user might be careless with the root account.]

Linux networking programs are conservatively constructed, without the high-level macro facilities that have enabled the recent Windows viruses to propagate so rapidly. This is not an inherent feature of Linux; it is simply a reflection of the differences between the two user bases and the resulting differences between the products that are successful in those markets. The lessons learned from observing these problems will also serve as an inoculation for future Linux products as well.

Linux applications and system software are almost all open source. Because so much of the Linux market is accustomed to the availability of source code, binary-only products are rare and have a harder time achieving a substantial market presence. This has two effects on the virus. First, open source code is a tough place for a virus to hide. Second, for the binary-only virus, a newly compiled installation cuts off a prime propagation vector.

Each one of these obstacles represents a significant impediment to the success of a virus. It is when they are considered together, however, that the basic problem emerges.

A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. Each of the above obstacles significantly reduces the reproduction rate of the Linux virus. If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning -- even before news reports start to raise the awareness level of potential victims.

The reason that we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus.

Of course this doesn't mean that there can never be a Linux virus epidemic.[2] It does mean, however, that a successful Linux virus must be well-crafted and innovative to succeed in the inhospitable Linux ecosystem.


[1] Bliss is the only Linux-compatible virus seen in the wild. Staog is the first known Linux virus.

Article taken from:

http://librenix.com/?inode=21
Neil
