  Viruswarn Forums
Subject: mydoom spreads quickly

Lee Drake
Posts:238

01/27/2004 7:01 AM  
What is it?

There is a new virus/worm threat spreading rapidly called by McAfee W32.mydoom@MM. This is an Email worm that spreads using a .ZIP file attachment (which most filters will allow through). The email will say that: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment". It has an attached ZIP file that contains the worm. If you unzip the file it will install itself to be automatically run the next time you reboot or if you later click on the icon. The executable file has an icon that disguises it as a text file so that you might try to open it thinking it's a document. The program hides itself as document.scr, installs in your system directory as taskmon.exe, installs in your KaZaa shared directory (as activation_crk.scr) if you have KaZaa installed, and creates a dll file in your windows\system directory called shimgapi.dll. Other than the bit of social engineering where it uses a Zip file to spread rather than a direct executable, it's similar to many other mass mailing email worms we've seen.

What should you do?

As usual - if you get emails from people with unexpected attachments - don't open them. If you are infected McAfee has updated Superdats that will detect the virus and attempt to clean it. At this point there is no "cure" program, but we expect one to be released soon. Symantec will probably have updates available quickly too - this outbreak is spreading quickly. This is a ZIP ARCHIVE FILE and though it won't autoexecute, double clicking it may extract the files automatically, opening you up for later infection.

Additional Resources

McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983 (New superdat and dat files available to detect it)
Symantec: http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html
Trend Micro calls this one MiMail.R: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R (Online scanner now detects it)
Computer Associates calls it shimg: http://www3.ca.com/virusinfo/virus.aspx?ID=38102 (no new signatures available)

Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St. Ste B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net Web: www.azcomputer.net
Office Phone: 585-242-2060 Fax number: 585-242-9441 Cell number: 585-509-0284
Lee Drake
Posts:238

01/27/2004 7:02 AM  
All the major virus vendors have released updates to detect this virus. You should download new updates this morning manually if you haven't already. The virus installs a backdoor trojan - a program that listens for commands from a remote control program on the internet and executes those commands locally on your machine. It will launch a denial of service attack on February 1st. It allows the remote control person to take over your machine and run or install anything they wish. It also allows them to direct the machine to download and run any files they wish. The virus appears with multiple different file names - both for the internal file inside the ZIP and the external Zip file. There are multiple messages that might appear in the body and subject header - all short one sentence messages. In short - if over the next few days you get a zip file and you're not expecting it - it's probably a good idea to just delete the message and write the person back asking if they really sent you something (assuming the "from" address is even someone you know).
Lee Drake
Posts:238

01/28/2004 8:51 PM  
What is it?

A new variant of Mydoom has appeared. The new variant (labeled Mydoom.b) spreads in much the same way as mydoom.a (it's an executable inside a zip file which a user must open and run manually to execute). This version is more dangerous though because it adds a "redirect" to your hosts file on your computer. What this "redirect" means is that when you try to surf to an internet virus site to update your virus programs the site is redirected by your computer to look like it is at 0.0.0.0 (a non-existent address). Thus accessing www.symantec.com or www.mcafee.com to update your signatures becomes more difficult. In addition this new version targets Microsoft for a denial of service attack along with SCO. It also has a wider variety of subject messages, file names, and infection sites.

What should you do?

All updated virus signatures should detect this new variant. Update your signatures and be careful of unexpected files with .ZIP attachments. Do not blindly double click on either the attachment or its contents if you did open the attachment. If you don't execute or extract files inside the ZIP files you'll be ok. If you do become infected though you'll need to take extra steps to get rid of mydoom.b since it blocks access to virus websites. You must remove the entries that the worm places in your hosts file so that you can update your virus signatures or download a cleaner tool.

To do this open notepad, choose File/Open then change the file type from .TXT to ALL FILES. On Windows NT/2000/XP systems you can find hosts at C:\Windows\system32\drivers\etc\hosts (there is no extension on the file). You can find the file (wherever it is) using the search function of windows explorer. Open windows explorer, choose search, search all drives for the file HOSTS. Open the file with Notepad. Remove ALL entries with 0.0.0.0 as their entry. Save the file back over the hosts file in the directory you found it with the same name.

You should now have access to Microsoft, Symantec, etc. If you've blocked websites using spybot you may need to re-run the website blocking tool in spybot to update your hosts file again after your system is clean.

References:
CRN: http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=47534
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html

Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net Web: www.azcomputer.net
Office Phone: 585-242-2060 Fax number: 585-242-9441
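The hosts-file clean-up described in the post above, as an added example that is not part of the original thread or of any vendor tool. It parses a Windows hosts file the same way the operating system does (one address followed by one or more names, `#` comments, tabs or spaces), lists every name that has been pointed at 0.0.0.0, flags the ones belonging to the update sites the post names (symantec.com, sarc.com, mcafee.com, microsoft.com, trendmicro.com, ca.com) as the Mydoom.b pattern, and then removes all 0.0.0.0 entries exactly as the post instructs while keeping localhost, comments and every other line untouched. The sample hosts content and the vendor-domain list are constructed here for illustration; the removed lines are returned so that deliberate Spybot blocking entries can be put back once the system is clean.

```python
"""Added example, not from the forum post: detect and remove the 0.0.0.0
hosts-file entries that Mydoom.b uses to block antivirus update sites.
SAMPLE_HOSTS and SECURITY_VENDOR_DOMAINS are constructed for this example."""
from typing import Dict, List, Tuple

# Constructed sample: the Windows default header, a legitimate localhost
# line, a local server, and worm-style 0.0.0.0 redirects of vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0\tsecurityresponse.symantec.com
0.0.0.0 www.mcafee.com   # added by worm
0.0.0.0 update.microsoft.com
192.168.1.10    fileserver.local
"""

# Domains of the update / cleaner sources the post says the worm blocks.
SECURITY_VENDOR_DOMAINS = ("symantec.com", "sarc.com", "mcafee.com",
                           "microsoft.com", "trendmicro.com", "ca.com")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for every active mapping.
    Comment text after '#' and blank lines are ignored; whitespace may be
    tabs or spaces; hostnames are lower-cased for comparison."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # malformed line: leave it for manual review
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_security_vendor(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d)
               for d in SECURITY_VENDOR_DOMAINS)


def find_blocked(text: str) -> Dict[str, bool]:
    """Map every hostname pointed at 0.0.0.0 to True when it belongs to a
    security vendor (the Mydoom.b pattern) and False otherwise (for example
    an ad site deliberately blocked by Spybot)."""
    blocked: Dict[str, bool] = {}
    for _, addr, hosts in parse_hosts(text):
        if addr == "0.0.0.0":
            for h in hosts:
                blocked[h] = is_security_vendor(h)
    return blocked


def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Drop every 0.0.0.0 entry, as the post instructs, and return
    (cleaned_text, removed_lines). All other lines are kept verbatim so the
    localhost mapping and the comment header survive."""
    kept, removed = [], []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2 and body[0] == "0.0.0.0":
            removed.append(raw)
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for host, vendor in find_blocked(SAMPLE_HOSTS).items():
        tag = "SECURITY VENDOR - likely worm entry" if vendor else "other"
        print(f"{host:35} {tag}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} entries; write `cleaned` back over the hosts file")
```

On a real machine you would read C:\Windows\system32\drivers\etc\hosts into `text`, review the report from `find_blocked`, and only then write the `cleaned` text back; the `removed` list is what you hand back to Spybot if it had added blocking entries of its own.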