nlinecomputers

Viruses Worms Trojans ... Oh, my!

Recommended Posts

My wife's workplace is apparently infected. I've gotten several (filtered) messages on two newsgroups I post on. Man your battle stations. Man your battle stations!


This virus apparently is designed to do a DDOS attack on SCO!

New virus infects PCs, whacks SCO
By Robert Lemos, Staff Writer, CNET News.com
http://news.com.com/2100-7349-5147605.html
Story last modified January 26, 2004, 5:58 PM PST

A mass-mailing virus quickly spread through the Internet on Monday, compromising computers so that they attack the SCO Group's Web server with a flood of data on Feb. 1, according to antivirus companies.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

The company's Web site was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. The virus camouflages itself, using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004.

Variations in the body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at e-mail service provider Postini.

"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from e-mails can stop the program from spreading.


Sure, create a 'virus', have it attack SCO and make it look like the Linux community is behind it. Figures they'd pull a stunt like that as a smoke screen. I don't believe a word of it.

MyDoom virus hammering Windows systems (thanks for the link jodef! :'( Thought we should have it here too!)

SECOND UPDATE: A new Windows virus, called MyDoom (officially, W32/Mydoom@MM) and circulating in the form of a 32K Zip file, began hitting corporate and private e-mail boxes Monday at about 1 p.m. Pacific Standard Time. It masquerades as a Kazaa P2P component and tries to embed itself in the Kazaa shared folder for music and other file-swapping.

It was quickly spreading Monday through email and the Kazaa network, the latter of which averages anywhere from 2 million to 5 million users at any given time. F-Secure, an Internet security software maker based in Finland, came out with a detailed report later Monday afternoon in which it said "the worm opens Notepad with garbage data in it. It also attacks SCO.com with a DDoS-attack."
KaZaA users, beware!!

New e-mail worm breaks infection records
E-mail carrying the Mydoom virus now accounts for one in every 12 messages

A new computer virus that spreads using e-mail messages is breaking records for new infections set by the last major e-mail worm, Sobig.F, according to leading antivirus software companies and e-mail security firms. Infected e-mail messages carrying the Mydoom virus, also known as "Shimgapi" and "Novarg," have been intercepted from over 142 countries and now account for one in every 12 e-mail messages, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd.
Full Text at InfoWorld


Since this morning I have received a total of 86 BLOCKED emails containing viruses, most of them being the MyDoom virus. Thankfully my web/email host has strong virus protection that scans all incoming and outgoing email and sends a message saying what was blocked and what virus it had... Nice being on my Mac, safe and secure from this latest attack. Though I feel the effects like everyone else: full mail box and slow connections.

Edited by Arena2045


That's amazing Nathan! Thankfully our ISP also updated their AV software on their mail server and I haven't seen any more of them. :thumbsup: Received 8 in total before the AV software on the mail server was updated. One of the 8 was forwarded to me from a client saying they thought this email was one of the virus emails I mentioned in the newsletter alert, and basically wanted me to confirm this for them. :'(


Yes... my wife's computer got hit by MyDoom this a.m., spent 2 hours cleaning up the mess... apparently had the e-mail client set to auto open... (and forgot about AV updates... and somehow it got changed from auto to manual). What a pain!... Took IncrediMail off and gave her Thunderbird... but it could be worse... out of 12 home computers only one infected... oh what a morning :'(


Good move on changing wife's computer from IncrediMail (GAG!) to Thunderbird. One of my sisters uses IncrediMail -- love my sister, but her choice of email client! LOL! Gawd I hated receiving those emails when I used to use OE! Made me really dislike IncrediMail.


Strangely enough, I personally must be blessed. I haven't seen anything in my email boxes for n-linecomputers.com. Other accounts have not been so lucky. But I've only had a couple of phone calls about it. This virus may spread fast, but I think it is more stealthy than recent viruses. Many people may be infected and not know it.


I agree Nathan... seems to just slip in there... But if anything my wife learned a lesson in computer security (the hard way)... and if it takes effect, it will have been worth the time to clean it up. (The silver lining thing :'( )... Fran... I dislike IncrediMail too... been asking her for a long time to get rid of it... but to her it was cute... methinks cute is done :'(


They keep coming in the school system. InoculateIT is not catching them despite a new virus signature update this morning. I know of three infected computers here in the school. Thankfully the student computers don't have access to email, and they were not on the computers yesterday or today due to final exams.


WANTED - DEAD OR ALIVE! SCO offers $250,000 reward for MyDoom worm author's capture.

JANUARY 27, 2004 (COMPUTERWORLD) - The SCO Group Inc. said today it is experiencing a distributed denial-of-service (DDOS) attack apparently related to the Mydoom worm that first appeared yesterday.

The company, which is embroiled in legal action against IBM over intellectual property rights related to its ownership of System V Unix code, said it is offering a reward of up to $250,000 "for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus."

In a statement released late today, the company said it has been the target of several such DDOS attacks during the past 10 months. But the one now under way "is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world," said SCO CEO Darl McBride in the statement. "The perpetrator of this virus is attacking SCO. ..."

"We do not know the origins or reasons for this attack, although we have our suspicions," said McBride, who did not elaborate on what those suspicions are. "This is criminal activity and it must be stopped."

The company also said it is working with U.S. law enforcement authorities, including the U.S. Secret Service and the FBI, to try to determine who might be involved in the attack.

The Mydoom worm, also known as Novarg and Mimail.R, is a mass-mailing worm that arrives via e-mail as an attachment with one of several possible file extensions, including .bat, .cmd, .exe, .pif, .scr or .zip. When a user opens the attachment, his computer becomes infected. The worm is apparently designed to attack the company's Web site, www.sco.com, beginning on Feb. 1.

Experts have said that the Mydoom worm is spreading faster than last year's Sobig.F, which topped the charts as the most widespread e-mail worm of 2003.

Both Network Associates Inc. and Symantec Corp. said that when the attached file is executed, the worm scans the user's system for e-mail addresses and forwards itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared-files folder in an attempt to spread that way.

According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will start sending requests for data to SCO's Web site. If enough requests are sent, the SCO site could be forced off-line.
ComputerWorld
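The CNET report earlier in the thread and the ComputerWorld report above describe the same carrier: an attachment with a .bat, .cmd, .exe, .pif, .scr or .zip extension, one of a handful of stock subject lines ("Mail Delivery System", "Test", "Mail Transaction Failed"), and a body claiming the message "has been sent as a binary attachment". CNET also notes that mail systems that strip executables stop the spread. The filter below is an added example written for this page, not code from the thread, from any antivirus vendor, or from the worm itself. It parses a message, flags executable attachments (including ones hidden inside a .zip, the form the 32K archive took) and the quoted subject/body phrases, and runs against two messages constructed in the block; the "lure" zip contains plain text, not an executable, and the indicator lists are only the phrases the articles quote, not a complete MyDoom signature.

```python
"""Gateway-style attachment filter for the MyDoom-era lure described above.

Added example for this page. The two sample messages are constructed here;
the archive member is harmless text that merely carries a .exe name.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the ComputerWorld report lists as carriers.
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ARCHIVE_EXTS = {".zip"}

# Subject lines and a body fragment quoted in the CNET report (assumed
# exact-match on subject, substring on body; not a vendor signature).
SUSPECT_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
SUSPECT_BODY_PHRASES = ("has been sent as a binary attachment",)


def _ext(name):
    """Lower-cased extension including the dot, or '' if none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def suspicious_names_in_zip(data):
    """Member names with executable extensions inside a zip blob.

    A corrupt or non-zip blob yields []; a stricter gateway might block
    unparseable archives outright, which is a policy choice left to the caller.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return the list of reasons to block it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append(f"subject matches lure: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    for phrase in SUSPECT_BODY_PHRASES:
        if phrase in body:
            reasons.append(f"body contains {phrase!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name!r}")
        elif ext in ARCHIVE_EXTS:
            # Look inside the archive instead of trusting the .zip extension.
            for inner in suspicious_names_in_zip(part.get_payload(decode=True)):
                reasons.append(f"archive {name!r} contains executable {inner!r}")
    return reasons


def build_sample_message():
    """Constructed lure: stock subject, stock body, doc.zip holding doc.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.exe", "sample text standing in for a binary")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"  # constructed address
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="doc.zip")
    return msg.as_bytes()


def build_clean_message():
    """Constructed legitimate mail: case number in subject, PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "client@example.com"
    msg["To"] = "me@example.org"
    msg["Subject"] = "Case 2004-0127 documents"
    msg.set_content("Attached are the scanned pages we discussed.")
    msg.add_attachment(b"%PDF-1.4 sample bytes", maintype="application",
                       subtype="pdf", filename="case-2004-0127.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_message()),
                       ("clean", build_clean_message())):
        hits = scan_message(raw)
        print(label, "BLOCK" if hits else "PASS", hits)
```

The subject and body checks on their own would be easy for a later variant to dodge by changing its wording; the attachment checks are the part that matches the "strip executables" advice in the article and are the ones to keep even after the signature phrases go stale.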


Didn't the AV software companies say that the DoS from the 'virus' was slated for February 1, 2004? I don't get it. Where is the DoS coming from now on SCO? They think it's the virus, but if it was slated for February 1, 2004 there is no place on the planet where it is February 1 yet??


Here's an eWeek article that confirms that the DoS on SCO wasn't due to start till next February, AND confirms what I suppose all of us have felt... the Net has been VERY slow, at least to some sites:

MyDoom Slows Web Performance

As the fastest-moving e-mail worm continues to haunt inboxes, it is creating some hiccups in response times on the Internet. But the real danger could lie in MyDoom's "time bomb" set to trigger a denial of service attack next month against the SCO Group Inc.'s Web site, experts say.

Response times from major Web sites' home pages have fallen by about 50 percent since MyDoom's outbreak began on Monday, according to companies that monitor Web performance. So far, the Internet backbone itself has been largely unaffected, running about 8 percent to 10 percent slower on Tuesday than on an average day, said Lloyd Taylor, vice president of technology at Web performance monitoring vendor Keynote Systems Inc. "The performance degradation we're seeing is due to congestion on corporate firewalls and filters, but the [Internet] backbone itself is running fine," Taylor said.

Keynote, of San Mateo, Calif., noticed that response times from the 40 large Web sites it monitors slowed down once MyDoom began spreading on Monday. Home page downloads rose to about 4 seconds, compared to the typical response time of between 2 seconds and 3 seconds, Keynote said.

Another Web performance monitoring vendor, AlertSite Inc., of Boca Raton, Fla., noticed a similar trend. The company found that U.S. home page response times slowed about 52 percent on Monday compared to a week earlier.

"These numbers do not indicate that large Web sites are having problems with their Web servers but that the road between customers and the Web sites likely is more congested," said Ken Godskind, AlertSite's vice president of marketing.

More alarming than the minor delays are the possible interruptions yet to come, Taylor said. Because MyDoom currently is an e-mail worm that requires a user to open an attachment in order for it to propagate, its overall effect on Internet performance has been limited. But the worm's next planned attack, to harness the multitude of computers it has infected to trigger a DOS attack on SCO's Web site starting on Feb. 1, could hit the Internet's overall performance because of the massive amount of traffic it could generate, Taylor said.
I have actually encountered total timeout on sites I have never had a problem on before. Some are ones I visit several times a day, like NOAA weather site which timed out for me about 5 minutes ago and was fine all day before that.


I noticed that too. The only thing I can think is that reporters misunderstood some of this. SCO has been hard to reach, but so have a lot of other sites. That isn't a DDOS attack, that is simply overload because of the increased mail traffic. I see we cross posted... B)

I noticed that too. The only thing I can think is that reporters misunderstood some of this. SCO has been hard to reach, but so have a lot of other sites. That isn't a DDOS attack, that is simply overload because of the increased mail traffic. I see we cross posted... B)

I think you are right... folks may be trying to get info out there too fast, and I have noticed at the onset many mistakes were made in reporting. B)


I've heard where a number of businesses and local school districts have been crippled because of this virus. One company is taking forceful action -- deleting each & every zip file in any incoming/outgoing mail. The company where I work shut down all inbound/outbound mail yesterday evening until they received the updated virus signatures to push out to all the PC and servers.


I hear ya Corrine... it is a bad one... I am sure we will continue to hear about this for some time to come... more so than even Sobig. This is the worst computer virus to date. It also, like Bugbear, is targeting businesses. And with the way they have chosen to employ social engineering in this one... many people were caught unawares by it. As many techs have been doing, I have been harping that OE is not an email client that should ever be used on company computers, but OE is so easy they would not listen. I truly hope, if nothing else, and before another of this type of worm/virus/trojan or whatever comes out, they finally listen. It is so angering to see some companies and organizations needing to shut down operations because of some viral terrorist. B)


We use Lotus Notes (Domino), not OE. However, it is really easy to right-click/launch attachments. No matter how many times we tell people not to, they just can't seem to overcome their curiosity. The spoofed sender with this worm doesn't help. One person I was helping today said he thought it was an important document from a client he has been working with. So he detached it to his hard drive. Problem is, files from clients aren't named doc.zip but would have a case number or a file name, and the text in the message wouldn't be gobble-de-gook! When will they learn? Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.


Yes, that social engineering part is the hardest to overcome. I have one client that allowed me to turn off the preview pane, but said it was too inconvenient to turn the Security Tab click box on and off as needed for blocking attachments from being downloaded that could potentially be a virus (and it is, he's right! Microsoft should have built in a button for the tool bar for that!), and he said, besides, the virus didn't come from his business email server and he can trust emails that come through the company's email server. :thumbsup:

We use Lotus Notes (Domino), not OE. However, it is really easy to right-click/launch attachments. No matter how many times we tell people not to, they just can't seem to overcome their curiosity. The spoofed sender with this worm doesn't help. One person I was helping today said he thought it was an important document from a client he has been working with. So he detached it to his hard drive. Problem is, files from clients aren't named doc.zip but would have a case number or a file name, and the text in the message wouldn't be gobble-de-gook! When will they learn? Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.

Honestly, I don't believe people when they say stuff like that. I bet ya that guy knew his procedures and knew it wasn't a client's file, but curiosity got the best of him. They NEVER admit to doing wrong. Who hasn't? I admit I've opened up some attachments that better judgement should tell you not to. I've been lucky, and I often check it with things like PocketKnife Peek before I do.

he can trust emails that come through the company's email server.
Sure he can trust those company emails! :thumbsup: I hope he remembers to hit the Security Tab click box now since reports are that businesses have been targeted particularly hard with this one. (Sure, they're getting the most bang for their buck!)

Yes, that social engineering part is the hardest to overcome. I have one client that allowed me to turn off the preview pane, but said it was too inconvenient to turn the Security Tab click box on and off as needed for blocking attachments from being downloaded that could potentially be a virus (and it is, he's right! Microsoft should have built in a button for the tool bar for that!), and he said, besides, the virus didn't come from his business email server and he can trust emails that come through the company's email server. :thumbsup:

You can't always trust the email server either. My wife's place of work, a small community college, has McAfee-based scanners on the servers, but the dang virus got in during that 1.5 or so hours that the virus was raw in the wild and unknown. They also run GroupWise, which doesn't launch viruses on preview like OE does, but they still got badly infected.


Exactly Nathan! That's what I tell all my clients ... but some of them 'know' best, if you know what I mean. LOL!

