Viruses Worms Trojans ... Oh, my!


153 replies to this topic

#26 epp_b (Discussion Deity, Members, 4,735 posts)

Posted 26 January 2004 - 09:30 PM

Yup, got this one in the inbox about two hours ago. Wiped it off the face of my hard drive!!!

Got it with the subject as "Hello" and the attachment as "doc.zip".

What scares me is that AVG Free Edition detected this virus *before* Norton did. And even after updating *both* programs, Norton could only detect the virus after the compressed file was extracted from the ZIP file. AVG caught it without having to decompress it.

What scares me even more is that my server-side AV scanner totally missed this!

Fran, got your newsletter -- right on time ;)

#27 teacher (Acute Mac, Honorary Moderators, 13,854 posts)

Posted 26 January 2004 - 09:32 PM

I got one of those "Hi" ones at school yesterday. Saw the exe extension and immediately deleted it without opening. I then put the virus scanner on that folder specifically and it came up clean. :D That sure gave me a lot of faith in the school virus protection. :P Another teacher had his computer trashed the same day. Guess I had better see what I can download off the internet and scan the computer again just to be safe. ;) Mine was not a zip but an exe. By the way, I had never heard of the company it came from - some school poetry contest site in Nevada.
Teacher
Beach Bum Extraordinaire

#28 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 26 January 2004 - 09:51 PM

epp_b, on Jan 26 2004, 08:25 PM, said:

Fran, got your newsletter -- right on time ;)
epp_b,

Excellent! Glad to hear it! :thumbsup:

Up to the minute, I have now received FIVE 'virus' emails since this afternoon! -- several variants (I am so happy I use Thunderbird that won't execute stuff!)

Here is a run down, in addition to the one I listed above:

Email 2:
Subject: Server Report
Attachment: Doc.zip
Body: The message contains Unicode characters and has been sent as a binary attachment.
---
Email 3:
Subject: (no subject, blank)
Attachment: Doc.zip
Body: (this one was in a foreign language, I have no idea)
--
Email 4:
Subject: Hello
Attachment: message.pif
Body: Mail transaction failed. Partial message is available.
--
Email 5:
Subject: Wqwqekme
Attachment: body.pif
Body: The message contains Unicode characters and has been sent as a binary attachment.
---

Seems like whoever is doing this is trying to shotgun the email system.

Please be very careful if you are using Windows, particularly if you are using Outlook Express.
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#29 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 26 January 2004 - 09:53 PM

OK, make that SEVEN! As I hit send on the last post, two more came in.

Email 6:
Subject: Hello
Attachment: document.zip
Body: The message contains Unicode characters and has been sent as a binary attachment.
--
Email 7:
Subject: Status
Attachment: doc.pif
Body: The message contains Unicode characters and has been sent as a binary attachment.
---

This is very, very big!
Bambi
AKA Fran


#30 epp_b (Discussion Deity, Members, 4,735 posts)

Posted 26 January 2004 - 10:01 PM

LilBambi, on Jan 26 2004, 08:46 PM, said:

...(I am so happy I use Thunderbird that won't execute stuff!)
Same with Eudora  :)

#31 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 26 January 2004 - 10:03 PM

Yep! :)
Bambi
AKA Fran


#32 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 26 January 2004 - 10:10 PM

Lavasoft even sent out an alert on this one with a link to their forum page on it: http://www.lavasofts...opic=18480&st=0
Bambi
AKA Fran


#33 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 26 January 2004 - 10:21 PM

My wife's work place is apparently infected. I've gotten several (filtered) messages on two news groups I post on. Man your battle stations. Man your battle stations!
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#34 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 26 January 2004 - 10:29 PM

This virus apparently is designed to do a DDOS attack on SCO!

Quote

New virus infects PCs, whacks SCO
By Robert Lemos, Staff Writer, CNET News.com
http://news.com.com/...49-5147605.html
Story last modified January 26, 2004, 5:58 PM PST

A mass-mailing virus quickly spread through the Internet on Monday, compromising computers so that they attack the SCO Group's Web server with a flood of data on Feb. 1, according to antivirus companies.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

The company's Web site was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded. The virus camouflages itself, using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at e-mail service provider Postini.

"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from e-mails can stop the program from spreading.

Nathan Williams, N-Line Computers

#35 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 11:59 AM

Sure, create a 'virus', have it attack SCO and make it look like the Linux community is behind it. Figures they'd pull a stunt like that as a smoke screen. I don't believe a word of it.
Bambi
AKA Fran


#36 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 12:04 PM

MyDoom virus hammering Windows systems (thanks for the link jodef! :'( thought we should have it here too!)

Quote

SECOND UPDATE A new Windows virus, called MyDoom (officially, W32/Mydoom@MM) and circulating in the form of a 32K Zip file, began hitting corporate and private e-mail boxes Monday at about 1 p.m. Pacific Standard Time. It masquerades as a Kazaa P2P component and tries to embed itself in the Kazaa shared folder for music and other file-swapping.

Quote

It was quickly spreading Monday through email and the Kazaa network, the latter of which averages anywhere from 2 million to 5 million users at any given time.F-Secure, an Internet security software maker based in Finland, came out with a detailed report later Monday afternoon in which it said "the worm opens Notepad with garbage data in it. It also attacks SCO.com with a DDoS-attack."
KaZaA users, beware!!
Bambi
AKA Fran


#37 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 12:29 PM

W32.Novarg.A@mm (updated 1/27/2004)

The technical details are particularly helpful.
Bambi
AKA Fran


#38 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 27 January 2004 - 01:38 PM

Quote

New e-mail worm breaks infection records.
E-mail carrying the Mydoom virus now accounts for one in every 12 messages

A new computer virus that spreads using e-mail messages is breaking records for new infections set by the last major e-mail worm, Sobig.F, according to leading antivirus software companies and e-mail security firms.

Infected e-mail messages carrying the Mydoom virus, also known as "Shimgapi" and "Novarg," have been intercepted from over 142 countries and now account for one in every 12 e-mail messages, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd.
Full Text at InfoWorld
Nathan Williams, N-Line Computers

#39 Arena2045 (Forum Fiend, Members, 1,748 posts)

Posted 27 January 2004 - 01:39 PM

Since this morning I have received a total of 86 BLOCKED emails containing viruses, most of them being the MyDoom virus. Thankfully my web/email host has strong virus protection that scans all incoming and outgoing email and sends a message saying what was blocked and what virus it had... Nice being on my Mac, safe and secure from this latest attack. Though I feel the effects like everyone else: full mail box, and slow connections.

Edited by Arena2045, 27 January 2004 - 01:41 PM.


#40 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 01:51 PM

That's amazing Nathan!

Thankfully our ISP also updated their AV software on their mail server and I haven't seen any more of them. :thumbsup:

Received 8 in total before the AV software on the mail server was updated.

One of the 8 was forwarded to me from a client saying they thought this email was one of the virus emails I mentioned in the newsletter alert and basically wanted me to confirm this for them. :'(
Bambi
AKA Fran


#41 BarryB (Prince Distro, Forum Moderators, 2,928 posts)

Posted 27 January 2004 - 02:02 PM

Yes..my wife's computer got hit by MyDoom this am, spent 2 hours cleaning up the mess...apparently had e-mail client set to auto open..(and forgot about AV updates..and somehow got changed from auto to manual) what a pain!...Took Incredimail off and gave her Thunderbird...but it could be worse..out of 12 home computers only one infected..oh what a morning :'(
Barry

Right when you think you know the answers..somebody goes and changes the questions
Registered Linux user #303103

#42 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 02:12 PM

Good move on changing wife's computer from Incredimail (GAG!) to Thunderbird.

One of my sisters uses Incredimail -- love my sister, but her choice of email client! LOL! Gawd I hated receiving those emails when I used to use OE! Made me really dislike Incredimail.
Bambi
AKA Fran


#43 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 27 January 2004 - 02:15 PM

Strangely enough, I personally must be blessed. I haven't seen anything in my email boxes for n-linecomputers.com. Other accounts have not been so lucky. But I've only had a couple of phone calls about it. This virus may spread fast but I think it's more stealthy than recent viruses. Many people may be infected and not know it.
Nathan Williams, N-Line Computers

#44 BarryB (Prince Distro, Forum Moderators, 2,928 posts)

Posted 27 January 2004 - 02:33 PM

I agree Nathan..seems to just slip in there....But if anything my wife learned a lesson in computer security (the hard way)...but if it takes effect..it will have been worth the time to clean it up. (The silver lining thing :'( )...Fran...I dislike Incredimail too...been asking her for a long time to get rid of it..but to her it was cute..me thinks cute is done :'(
Barry

#45 teacher (Acute Mac, Honorary Moderators, 13,854 posts)

Posted 27 January 2004 - 02:41 PM

They keep coming in the school system. Inoculate It is not catching them despite a new virus signature update this morning. I know of three infected computers here in the school. Thankfully the student computers don't have access to email, and the students are not on the computers yesterday or today due to final exams.

#46 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 27 January 2004 - 06:55 PM

WANTED - DEAD OR ALIVE!
SCO offers $250,000 reward for MyDoom Worm authors' capture.

Quote

JANUARY 27, 2004 ( COMPUTERWORLD ) - The SCO Group Inc. said today it is experiencing a distributed denial-of-service (DDOS) attack apparently related to the Mydoom worm that first appeared yesterday.

The company, which is embroiled in legal action against IBM over intellectual property rights related to its ownership of System V Unix code, said it is offering a reward of up to $250,000 "for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus."

In a statement released late today, the company said it has been the target of several such DDOS attacks during the past 10 months. But the one now under way "is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world," said SCO CEO Darl McBride in the statement. "The perpetrator of this virus is attacking SCO. ..."

"We do not know the origins or reasons for this attack, although we have our suspicions," said McBride, who did not elaborate on what those suspicions are. "This is criminal activity and it must be stopped."

The company also said it is working with U.S. law enforcement authorities, including the U.S. Secret Service and the FBI, to try to determine who might be involved in the attack.

The Mydoom worm, also known as Novarg and Mimail.R, is a mass-mailing worm that arrives via e-mail as an attachment with one of several possible file extensions, including .bat, .cmd, .exe, .pif, .scr or .zip. When a user opens the attachment, his computer becomes infected. The worm is apparently designed to attack the company's Web site, www.sco.com, beginning on Feb. 1.

Experts have said that the Mydoom worm is spreading faster than last year's Sobig.F, which topped the charts as the most widespread e-mail worm of 2003.

Both Network Associates Inc. and Symantec Corp. said that when the attached file is executed, the worm scans the user's system for e-mail addresses and forwards itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared-files folder in an attempt to spread that way.

According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will start sending requests for data to SCO's Web site. If enough requests are sent, the SCO site could be forced off-line.
ComputerWorld
Nathan Williams, N-Line Computers
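The two quoted reports above (CNET in #34, ComputerWorld in #46) give this worm's mail-level indicators: attachments with .bat, .cmd, .exe, .pif, .scr or .zip extensions, a handful of lure subjects, and the "binary attachment" body sentence, and the CNET piece notes that gateways which strip executables stop it. As an added example, not code from the thread or from any vendor quoted in it, here is a Python gateway check that scores a message on those indicators and looks inside a .zip attachment so an executable nested in the archive is caught too (the case epp_b hit in #26). The sample message and archive bytes are constructed placeholders.

```python
import io
import zipfile
from email.message import EmailMessage

# Indicators reported in this thread: attachment extensions from the ComputerWorld
# quote, lure subjects and body sentences from the CNET quote and LilBambi's list.
EXEC_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
LURE_SUBJECTS = {"hello", "hi", "test", "status", "server report",
                 "mail delivery system", "mail transaction failed"}
LURE_BODY_PHRASES = (
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)


def _extension(name):
    """Lower-cased extension of a file name ('' if none); strips any path prefix."""
    base = (name or "").lower().replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def executable_names(filename, payload):
    """Executable-looking file names carried by one attachment. A .zip is opened
    in memory so an executable nested inside is reported (epp_b's case)."""
    ext = _extension(filename)
    if ext in EXEC_EXTENSIONS:
        return [filename]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if _extension(n) in EXEC_EXTENSIONS]
        except zipfile.BadZipFile:
            return [filename]  # unreadable archive: fail closed rather than deliver it
    return []


def assess_message(msg):
    """Return (verdict, reasons). Any executable attachment is blocked outright,
    the control the CNET quote names; lure text alone only quarantines."""
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if not subject or subject in LURE_SUBJECTS:
        reasons.append("lure or blank subject: %r" % subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in LURE_BODY_PHRASES):
        reasons.append("lure body text")
    hits = []
    for part in msg.iter_attachments():
        hits.extend(executable_names(part.get_filename(), part.get_payload(decode=True)))
    if hits:
        reasons.append("executable attachment: " + ", ".join(hits))
        return "block", reasons
    return ("quarantine" if len(reasons) >= 2 else "deliver"), reasons


def build_sample(lure=True):
    """Constructed test message (placeholder bytes, not worm content). lure=True
    mirrors the 'Hello' / doc.zip report; lure=False is an ordinary message."""
    msg = EmailMessage()
    if lure:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("doc.pif", b"constructed placeholder bytes")
        msg["Subject"] = "Hello"
        msg.set_content("The message contains Unicode characters and has been "
                        "sent as a binary attachment.")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="doc.zip")
    else:
        msg["Subject"] = "Meeting notes"
        msg.set_content("Notes from this morning attached.")
        msg.add_attachment("Agenda item one.", filename="notes.txt")
    return msg
```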

#47 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 07:04 PM

Didn't the AV software companies say that the DoS from the 'virus' was slated for February 1, 2004?

I don't get it. Where is the DoS coming from now on SCO?? They think it's the virus, but if it was slated for February 1, 2004 there is no place on the planet where it is February 1 yet??
Bambi
AKA Fran


#48 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 07:17 PM

Here's an eWeek article that confirms that the DoS on SCO wasn't due to start till next February, AND confirms what I suppose all of us have felt.. the Net has been VERY slow, at least to some sites: MyDoom Slows Web Performance

Quote

As the fastest-moving e-mail worm continues to haunt inboxes, it is creating some hiccups in response times on the Internet. But the real danger could lie in MyDoom's "time bomb" set to trigger a denial of service attack next month against the SCO Group Inc.'s Web site, experts say.

Response times from major Web sites' home pages have fallen by about 50 percent since MyDoom's outbreak began on Monday, according to companies that monitor Web performance. So far, the Internet backbone itself has been largely unaffected, running about 8 percent to 10 percent slower on Tuesday than on an average day, said Lloyd Taylor, vice president of technology at Web performance monitoring vendor Keynote Systems Inc. "The performance degradation we're seeing is due to congestion on corporate firewalls and filters, but the [Internet] backbone itself is running fine," Taylor said.

Keynote, of San Mateo, Calif., noticed that response times from the 40 large Web sites it monitors slowed down once MyDoom began spreading on Monday. Home page downloads rose to about 4 seconds, compared to the typical response time of between 2 seconds and 3 seconds, Keynote said.

Another Web performance monitoring vendor, AlertSite Inc., of Boca Raton, Fla., noticed a similar trend. The company found that U.S. home page response times slowed about 52 percent on Monday compared to a week earlier.

"These numbers do not indicate that large Web sites are having problems with their Web servers but that the road between customers and the Web sites likely are more congested," said Ken Godskind, AlertSite's vice president of marketing.

More alarming than the minor delays are the possible interruptions yet to come, Taylor said. Because MyDoom currently is an e-mail worm that requires a user to open an attachment in order for it to propagate, its overall effect on Internet performance has been limited. But the worm's next planned attack, to harness the multitude of computers it has infected to trigger a DOS attack on SCO's Web site starting on Feb. 1, could hit the Internet's overall performance because of the massive amount of traffic it could generate, Taylor said.
I have actually encountered total timeouts on sites I have never had a problem on before. Some are ones I visit several times a day, like the NOAA weather site, which timed out for me about 5 minutes ago and was fine all day before that.
Bambi
AKA Fran


#49 nlinecomputers (Discussion Deity, No Longer a Member, 3,932 posts)

Posted 27 January 2004 - 07:21 PM

I noticed that too. The only thing I can think is that reporters misunderstood some of this. SCO has been hard to reach, but so have a lot of other sites. That isn't a DDOS attack, that is simply overload because of the increased mail traffic.

I see we cross posted... B)
Nathan Williams, N-Line Computers

#50 LilBambi (Australisches Googler, Forum Admins, 22,553 posts)

Posted 27 January 2004 - 07:21 PM

Another informative article on this new one: "Mydoom" Computer Infections Still Climbing
Bambi
AKA Fran
