nlinecomputers

Viruses Worms Trojans ... Oh, my!

Recommended Posts

ibe98765
Regarding OE, if I can't convince my friends to switch to Mozilla at home, I at least try to convince them to turn off the preview pane in OE.
You don't have to turn off the preview pane. All you have to do is run OE/Outlook in the RESTRICTED security zone.

ibe98765

From http://channels.lockergnome.com/it/backiss.../20040127.phtml

ALERT: A Virus By Any Other Name...

Neven writes:

I'm not sure if this one will be as persistent as Sobig.F, but we detected a virus outbreak about three hours ago that is coming in at a rate of about 30 to 50 copies per hour, which is just about Sobig.F's initial frequency... Each message is 31-34k (attachment alone is 23k). If we're correct, McAfee named this one W32/Mydoom@MM already and categorized it as "high outbreak risk."

Since this one looks like a pain in the... (something), we created a filter for xTerminator users to delete this pest from the POP3 server and save bandwidth (time). The filter can be downloaded here - http://www.artplus.hr/xterminator.htm.

If it turns out to be a big one again, I'm sure you'll know what to do with this announcement! Still, maybe it's just a small "puff" like that "hi" outbreak a few days ago... We'll see.

---------------------------------------------------------------------

And Mike Healen from Spyware Info <http://www.spywareinfo.com> writes:

There is a widespread outbreak of the WORM_MIMAIL.R e-mail worm. This worm is spoofing the sender's e-mail address. If you receive one of these e-mails, the person in the FROM: address is NOT the person who sent it to you.

If you are running an e-mail server with anti-virus software that bounces virus-infected e-mails, FOR GOD'S SAKE STOP BOUNCING THEM! You are participating in a denial of service attack by bouncing viruses at people who are not infected. You could even infect them yourself! STOP BOUNCING THEM!

If you receive an e-mail like the one described below, DON'T OPEN IT! Delete it immediately, update your anti-virus program and scan. If you don't have an anti-virus, get one.

Nod32 $39.00 (The best AV available [according to SWI])
AVG Free (Good enough for the price)

Description from Trend Micro:

A new variant of the MIMAIL worm has been found in the wild. As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MIMAIL.R.

Also known as W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

This mass-mailing worm selects from a list of e-mail subjects, message bodies, and attachment file names. It can also propagate using the Kazaa peer-to-peer file sharing network.

It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

It runs on Windows 98, ME, NT, 2000 and XP.

It sends e-mail with the following details:

Subject: (any of the following)
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

Message Body: (any of the following)
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
test

Attachment: <Random name>.zip

Post this on every message board you can find. Get the word out. If you have a friend or family member who does not understand how to operate an anti-virus, please check that they are updated and protected. If you know someone running anti-virus on an e-mail server, please tell them to turn off the bounce feature.

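The Trend Micro description quoted in the post above is, in effect, a signature: a short list of subjects, a short list of body texts, and a .zip attachment. The script below is an added example (not from the thread, Lockergnome, Trend Micro or any vendor product) of the kind of gateway-side filter Neven describes for xTerminator. It parses RFC 822 messages with Python's standard `email` package and fires only when the visible indicators line up; the sample messages, sender and recipient addresses are constructed here. A blank subject on its own is deliberately not an indicator (a later post in this thread reports a copy with an empty subject, and that copy still matches on the body text plus the zip).

```python
"""Gateway-style indicator match for the Mydoom/Novarg mail described above.

Added example, not code from the thread or from any vendor. It matches only
on the indicators quoted in the Trend Micro description (subject list, body
list, .zip attachment). Sample messages below are constructed for the demo."""
import email
from email import policy
from email.message import EmailMessage

# Subjects and bodies exactly as listed in the quoted description (lower-cased).
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "test",
}


def matches_mydoom(raw: bytes) -> dict:
    """Return which indicators fire for one raw RFC 822 message.

    verdict is True only when a .zip attachment is present AND either the
    subject or the body text is one of the listed strings; a lone "hi" or a
    lone zip is not enough, which keeps ordinary mail out of the filter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    zip_names = [p.get_filename() for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(".zip")]
    hits = {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "zip_attachment": bool(zip_names),
    }
    hits["verdict"] = hits["zip_attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_message(subject, body, attachment=None) -> bytes:
    """Constructed sample message. attachment is (filename, payload bytes).
    subject=None leaves the Subject header out, like the blank-subject copy
    reported later in the thread."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # forged, as the thread points out
    m["To"] = "victim@example.net"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, payload = attachment
        m.add_attachment(payload, maintype="application", subtype="zip",
                         filename=name)
    return m.as_bytes()


# Constructed samples: two worm-like, two ordinary messages.
FAKE_ZIP = b"PK\x03\x04 constructed placeholder, not a real archive"
SAMPLES = {
    "worm_like": build_message(
        "Mail Delivery System",
        "The message contains Unicode characters and has been sent as a binary attachment.",
        ("document.zip", FAKE_ZIP)),
    "blank_subject": build_message(
        None,
        "The message contains Unicode characters and has been sent as a binary attachment.",
        ("readme.zip", FAKE_ZIP)),
    "legit_zip": build_message(
        "Q4 report attached", "Hi, the spreadsheet is in the zip.",
        ("q4.zip", FAKE_ZIP)),
    "legit_hi": build_message("hi", "Are we still on for lunch?"),
}


def scan(samples: dict) -> dict:
    """Map each sample name to the filter verdict."""
    return {name: matches_mydoom(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} -> {'DELETE' if verdict else 'pass'}")
```

The filter is a point-in-time signature: LilBambi notes below that the worm keeps rotating subjects and attachment names, so in practice the body list and the zip-attachment rule carry most of the weight, and the list has to be refreshed as new copies are seen.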
Guitar Man
Corrine Posted on Jan 27 2004, 09:15 PM
QUOTE (LilBambi @ Jan 27 2004, 09:10 PM) he can trust emails that come through the company's email server.
Sure he can trust those company emails!

Somebody obviously trusted our office LAN email client, and infected some terminals yesterday... "Oh! I got an email from Mr. Smith in the office across town! He says HI! I'll open it..." BOOM! :whistling: Ignorance will kill you every time...

Jeber

Just to add to the above notice from Lockergnome...yesterday I received an email with a blank subject line, but had the notice "The message contains Unicode characters and has been sent as a binary attachment." The sender was unknown to me, so it got deleted promptly, and was never opened. So evidently the subject line is still changing. But this one has all the signs of becoming a major problem.

LilBambi

Yes, it continues to select new random items for the subject and the attachment name as well as some of the body text too. Diligence is definitely the order of the day in Windows these days ... and keeping those AV definitions up to date! :'(

pc-tecky

Well, I know I didn't send them out, but I have two emails that have come back to me. :P Should I click on them? (:o NO!!!!!!! Well, ok, I wasn't going to. :o :o) Now, how can I tell if this nuisance is even on my system (because I have so many things open)? What's SMTP again, well it's part of IIS? :whistling:Strange how it all works. Now I want to know what let their computer get compromised??? A nice little email will be going out shortly to everybody. Oh wait, that'll exacerbate the problem. :'( Is this a lose-lose situation? What should I do?

Jeber

As long as your warning emails don't have attachments, I wouldn't think they'd be confused with the bogus ones. And you are sending them to people who know you.

LilBambi

I would suggest just deleting them pc-tecky ... the worm spoofs the email sender, so your server would receive messages about these messages, even though you didn't send them. If you have the latest updates on AV defs and have done a full system scan and the system came up clean, then you are fine. No point in adding to the problem at this point. Everyone is getting these. ;)

LilBambi
As long as your warning emails don't have attachments,  I wouldn't think they'd be confused with the bogus ones.  And you are sending them to people who know you.
However, Jeber's right...it wouldn't hurt anything to send it out ... as long as you don't send any attachments as Jeber was saying.

pc-tecky

They'll be getting a direct link to AVG if they haven't updated their viri defs for their current version. ;)

ibe98765

I saw a report today saying that when a virus laden email is received by a user, some (all?) AV programs have a setting to notify the sender that they are sending a virus email. This is making the problem much worse. The suggestion was to turn off this auto-notification setting.

nlinecomputers

I don't know of any client based virus software that does that but most server based ones do. This is one more reason we need updated SMTP protocols. SPF, encryption, authenticated SMTP, something.... As it is now any virus can have its own built in SMTP server and just fire away. Some kind of restricted SMTP would stop the spoofing and 95% of the current viruses would be stopped. And even if a virus could hook into your email program and logon legally at least that would provide tracking so that you could contact Joe Six Pack and get him either cleaned up or off the net.

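The two complaints in the posts above (AV gateways bouncing notices to forged senders, and SMTP having no way to tell a forged From from a real one) are the same problem, and SPF, which nlinecomputers names, is one of the proposals that addresses it: the sending domain publishes which hosts may send for it, and the receiving server checks the connecting IP against that list before it trusts the sender enough to reply. The code below is an added example, not code from the thread, from any AV product or from any SPF library, and it implements only a subset of SPF (the ip4, ip6 and all mechanisms with their qualifiers; no include, a, mx or redirect). The DNS records, domains and IP addresses are constructed stand-ins, so it runs offline.

```python
"""Minimal SPF-style sender check plus the bounce decision that hangs on it.

Added example, not code from the thread or from any SPF implementation.
Subset only: ip4 / ip6 / all mechanisms with +, -, ~, ? qualifiers.
include, a, mx and redirect are not implemented. DNS is a constructed table."""
import ipaddress

# Constructed records standing in for TXT lookups on the MAIL FROM domain.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,          # domain publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str, dns=FAKE_DNS) -> str:
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of pass / fail / softfail / neutral / none, following the
    first mechanism that matches; an exhausted record with no 'all' term
    is neutral."""
    record = dns.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism is outside this subset and is skipped
    return "neutral"


def should_bounce(mail_from_domain: str, client_ip: str, dns=FAKE_DNS) -> bool:
    """Send an NDR or 'you sent us a virus' notice only when the sender's
    domain vouches for the connecting host. Anything short of a pass means
    the From address may well be forged, and a bounce would just be
    backscatter aimed at whoever's address the worm picked."""
    return spf_check(mail_from_domain, client_ip, dns) == "pass"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.25"),      # legitimate relay
                       ("example.com", "203.0.113.5"),     # worm's own SMTP engine
                       ("nospf.example", "203.0.113.5")]:  # no record to check
        print(f"{domain:18s} {ip:14s} spf={spf_check(domain, ip):8s} "
              f"bounce={should_bounce(domain, ip)}")
```

Note what this does and does not buy you. A worm running its own SMTP engine on an infected home PC fails the check for any domain it forges (the home PC is not in that domain's record), so the notice is suppressed and the forged victim is spared. A worm that, as the post speculates, hooks the user's real mail client and relays through the user's own ISP would pass, which is exactly the "at least it's traceable" case the post describes: the notice then reaches the actually infected account.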
Guitar Man
LilBambi Posted on Jan 28 2004, 01:00 PM
I would suggest just deleting them pc-tecky ... the worm spoofs the email sender, so your server would receive messages about these messages, even though you didn't send them. If you have the latest updates on AV defs and have done a full system scan and the system came up clean, then you are fine. No point in adding to the problem at this point. Everyone is getting these.

That's it, right there. At least for those "in the know"... :whistling: As for the rest, well... It will be a never ending education.

nlinecomputers Posted on Jan 28 2004, 05:05 PM
Some kind of restricted SMTP would stop the spoofing and 95% of the current viruses would be stopped. And even if a virus could hook into your email program and logon legally at least that would provide tracking so that you could contact Joe Six Pack and get him either cleaned up or off the net.

In a perfect world, Nathan... :blink: But as we know all too well...

nlinecomputers
In a perfect world, Nathan... But as we know all too well...

Well some kind of change WILL occur. SMTP is just too badly mishandled and the continued problems are leading everyone to find a solution. Three of them are being worked on and some kind of combination of all three is going to be put into place within two years, if not sooner, and I would expect within 5 years SMTP as we know it will be totally dead.

Guitar Man

Well... all I can say is if that is "in process", then it's encouraging for the long term. But something will hopefully be done this year to end this scourge of "kiddie script" crap. Spam is one thing I can deal with daily, even though I get next to nothing. The REAL issue is securing our systems. NOW. I can only assume that SP2 will address a good chunk of it. Good night.

ibe98765

Oh, joy... :whistling: Wonder if the emails will be color-coded? :blink:

U.S. unveils cyber warning system
Homeland Security offers free e-mail alerts
The Associated Press
Updated: 8:05 p.m. ET Jan. 28, 2004

WASHINGTON - The U.S. government's ambitious new cyber alert system transmitted its first Internet warning on its opening day of business Wednesday, cautioning computer users about a fast-spreading infection that causes victims to launch an electronic attack against Microsoft Corp.

The Homeland Security Department said the Web site where Americans can sign up for the free cyber alerts and computer advice, http://www.us-cert.gov, received more than 1 million visitors Wednesday, up from a few thousand visitors one day earlier.

The new National Cyber Alert System will send urgent e-mails about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves.

The program, announced Wednesday, represents the government's effort to develop a trusted warning system that can help home users and technology experts. The announcement comes 11 months after such an alert system was described in the National Strategy to Secure Cyberspace, a series of proposals endorsed by the Bush administration and the technology industry to improve online security.

The government christened the new warning system by transmitting its first alert, about a newly discovered version of a fast-spreading virus known as "Mydoom" or "Novarg."

The cleverly designed virus, spread by e-mail, poses as an authentic error message and entices users to click on it to infect their computers. Infected machines were programmed ultimately to launch an automated attack against Microsoft's Web site.

"There is a clear need for this kind of system to be developed," said Amit Yoran, the Bush administration's cyber security chief. "Receiving information from the Department of Homeland Security gives people a certain level of confidence." (Really? - IBE)

The alerts will function independently from the Homeland Security Department's well known color-coded system, which reflects the national threat level.

Will hackers mimic the alerts?

Sen. Charles Schumer, D-N.Y., quickly criticized the alert system, describing it as inadequate because it doesn't require companies that suffer major virus outbreaks to notify the government. He also predicted that hackers will mimic the e-mail alerts transmitted by Homeland Security to trick computer users. "I would bet money that will happen," Schumer said.

Yoran said alerts will be digitally signed (how many people know how to check a digital signature? Raise your hands now. - IBE) so computer users can determine the e-mails aren't forged; each alert also will be published on the Web site for the U.S. Computer Emergency Readiness Team.

Previous government efforts to distribute warnings about Internet attacks were sharply criticized by congressional investigators, who complained in July 2002 that those earlier warnings were mostly issued after Internet attacks were long under way. They blamed the government's inability to analyze imminent Internet attacks, fears about raising false alarms and staff shortages.

Wednesday's inaugural alert came roughly five hours after researchers discovered the latest version of the virus spreading on the Internet. Yoran acknowledged the difficult balance between providing warnings quickly and making sure they're accurate.

"I'm sure we'll take some kicks in the shins," he said.

Yoran indicated the government will focus on distributing information as quickly as possible, correcting any wrong or outdated information as U.S. computer investigators learn new details. "In the absence of information, the operator community is going to rely on whatever information is out there," he said. "It's better to have our voice heard rather than letting people operate in the dark."

The new alert system also sets up potentially serious conflicts with leading software companies, including Microsoft Corp., which discourage any public disclosures about new security flaws in their products until engineers can study the problems and offer software patches for their customers.

Yoran said the government will aggressively warn consumers about vulnerabilities, in some cases revealing threats "above and beyond what specific commercial vendors may not wish to disclose."

"If the disclosure of certain information is deemed in the public interest, we'll move forward," he said.

LilBambi

Still getting several of the MyDoom emails per day on one account. My guess is they are using not only computers' email addresses that are harvested once infected, but that they initially used an email harvester bot to get their initial list from website addresses.

nlinecomputers

That or they had a known list to begin with. The theory is that this like Sobig Mimail is a virus written by or for spammers who would obviously have a long list of targets.

Guitar Man
"Receiving information from the Department of Homeland Security gives people a certain level of confidence."

Yeah... Are we going to see the equivalent of a download applet stating "Always trust content from the U.S. Government", with a check box next to it? B) B) :teehee: This could give a whole new meaning to the term "Pandora's Box"... B)

Jeber

It seems a new rumor regarding Mydoom is starting to circulate: could Mydoom have been created by a SCO employee? Here's a translation page to read... Click here. It's not been translated very well, but I think the gist of it shines through. Wild speculation, but what if...

Peachy

So, this MyDoom.B variant is supposed to DDOS Microsoft. If it's an inside job then there is something serious here because both targets have set a bounty on the virii authors. It could be a case of redirection, but I highly doubt that someone at either company would risk attacking their own employers web sites to frame the Linux community.

LilBambi

Yeah, definitely wouldn't leave it to employees to do that. ;) I do think both the first MyDoom/Novarg and MyDoom.B were definitely intended to cast some sort of bad PR for the Linux/Open Source community as a smoke screen. No one in the Linux/Open Source community would be foolish enough to pull a stunt like that ... after all the work put into this by the developers ... I don't think that could be true... despite McBride's innuendos. It will be interesting to see how it all pans out. I hope they catch them. Personally, IMHO, I think there is a very good chance that it is more a "crime world" related thing than anything else.

nlinecomputers

Personally I think it is just spammers. Spammers are hiring geeks to write viruses for them. Maybe the geek got bored and did this one on his own. Are there any reports of spam being launched from MyDoom? I know that MiMail was being used to spread some viagra ads and so was SoBig (hence the name...) but I haven't heard of any spam ad being directly linked to MyDoom.

LilBambi

The new MyDoom variant is out!

Doomjuice.A/MyDoom.C -- searches for computers already infected with MyDoom.A and MyDoom.B to add its more persistent version and NO kill date!
http://www.techweb.com/wire/story/TWB20040209S0008

If you use Norton Antivirus, don't rely on the LiveUpdate ... it will not be updated with LiveUpdate until the 11th ... instead get the Intelligent Update from their site listed below:
http://www.symantec.com/avcenter/venc/data....doomjuice.html

If you are using AVG .. they already have an update available through their Update Manager .. I would suggest not waiting till your normal scheduled update time, it is available now! Got mine already.

teacher

Thanks for the heads up. I just ran an AVG update on hubby's yesterday so I would not have thought to look again today but it was there. :devil:
--Julia :devil:

LilBambi

Julia, :thumbsup: Looks like the chess pieces were in place (Mydoom.A and Mydoom.B) and now the beginning of checkmate (Doomjuice.A/Mydoom.C). :devil:

nlinecomputers

oh joy... Thanks for the heads up. I haven't seen too much of A and none of B. I hate viruses but on the other hand it does pay the bills....

LilBambi

W32.Welchia.B.Worm moved from risk Category 2 up to risk Category 3 according to the Symantec AVCenter:
http://www.symantec.com/avcenter/venc/data...hia.b.worm.html

Also, there are two new variants of previous viral vulnerabilities on the list that are already at Category 2 risk level:

W32.Welchia.C.Worm - Discovered today - already Category 2.
http://www.symantec.com/avcenter/venc/data...hia.c.worm.html

Interesting that the Welchia.B gets upgraded the same day that Welchia.C is discovered, huh?

In addition, W32.HLLW.Deadhat.B - a new one from a few days ago, has been updated, it is Category 2:
http://www.symantec.com/avcenter/venc/data....deadhat.b.html

Odd thing is they try to remove MyDoom from the computers while spreading themselves.

MyDoom.A is still Category 4:
http://www.symantec.com/avcenter/venc/data...ydoom.a@mm.html
