# EMERGENCY ALERT: Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM, Win32.MMa



## Flrman1 (Jul 26, 2002)

EMERGENCY ALERT: Many reports of W32/MyDoom-A worm

*If you have been infected with this worm, Click Here to obtain the removal tool from Symantec.*

*Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected. 
Close all the running programs before running the tool. 
If you are on a network, or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. 
If you are running Windows Me or XP, then disable System Restore.*

"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

*What You Should Know About the Mydoom Worm Variants: Mydoom.A, Mydoom.B, and Mydoom.C (a.k.a. Doomjuice)
Published: January 27, 2004 | Updated: February 10, 2004 - 1:30 P.M. Pacific Time

Important New Information
A new variant of the Mydoom worm, known as Mydoom.C (or Doomjuice), was detected on the Internet on February 9. Currently spreading to computers that were already infected with Mydoom.A, Mydoom.C causes computers to be used in attacks against other computers on the Internet. Infection by Mydoom.C can degrade both computer performance and network connections.

If you suspect that you have this worm or just want to be sure you do not, click here and scroll down to the utility that Microsoft has provided to "Automatically Check Your PC for Infection" and click the "Check my PC for infection" button and it will scan your machine for all known variants of MyDoom.

If your machine is infected there is a link just below the utility that provides instructions for removal and a link to the removal tool.*

Sophos has received many reports of sightings of the new
email-aware W32/MyDoom-A worm, and is warning system
administrators around the world to ensure their systems
are protected.

A detailed analysis of W32/MyDoom-A is available at:
http://www.sophos.com/virusinfo/analyses/w32mydooma.html

Aliases 
Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM

Type 
Win32 worm

W32/MyDoom-A is a worm which travels by email. The worm harvests email addresses from your hard disk and uses randomly-chosen addresses for both the "to" and "from" fields. This means that the "from" address is spoofed and does not tell you where the mail really came from. 
W32/MyDoom-A arrives in emails with the following characteristics:

Subject lines include:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Attachment names include:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attachment extensions:
bat
cmd
exe
pif
scr
zip

W32/MyDoom-A attaches itself to emails in either EXE (Windows program) or ZIP (Zip archive) format.

W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

W32/MyDoom-A adds the value:

Taskmon = taskmon.exe

to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/MyDoom-A loads every time you log on to your computer.

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack


----------
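
The Sophos analysis quoted in the post above gives three host-side indicators: the two files dropped into the System folder, the `Taskmon = taskmon.exe` value in the HKLM Run key, and the shimgapi.dll backdoor listening on TCP 3127. The script below is an editorial example added to this thread, not code from Sophos, Symantec or any poster. It turns those three indicators into a check that can run against a live Windows NT-family machine or, as here, against a constructed snapshot of the same data. The Windows 98 `TaskMonitor` Run entry and the sample listing/netstat lines are assumptions used to show the false-positive handling, not data from the page.

```python
r"""Host check for the W32/MyDoom-A artefacts listed in the Sophos text above.

Editorial example added to this thread; not code from Sophos, Symantec or the
posters. Indicators, all taken from the analysis quoted above:
  * <System folder>\taskmon.exe and <System folder>\shimgapi.dll
  * Run value  Taskmon = taskmon.exe  under HKLM\...\CurrentVersion\Run
  * a TCP listener on port 3127 (the shimgapi.dll backdoor)
The evaluate_*() functions take plain data, so the same logic runs against a
saved snapshot on any OS; collect_live() reads a Windows NT-family machine
(System32 and winreg; Windows 9x/Me keep the System folder elsewhere).
"""
import ntpath
import os
import re
import subprocess
import sys
from typing import Dict, List

BACKDOOR_PORT = 3127
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
# Windows 98's own Task Monitor registers as  TaskMonitor = C:\WINDOWS\taskmon.exe;
# the worm's value is named  Taskmon  and points at a bare taskmon.exe, which
# Windows resolves from the System folder where the worm dropped it.
WORM_RUN_VALUE = "taskmon"


def evaluate_files(system_dir_listing: List[str]) -> List[str]:
    """Dropped-file names present in a System folder directory listing."""
    present = {name.lower() for name in system_dir_listing}
    return [f for f in DROPPED_FILES if f in present]


def evaluate_run_key(run_values: Dict[str, str]) -> List[tuple]:
    """Run-key entries matching the worm's  Taskmon = taskmon.exe  (name and data)."""
    hits = []
    for name, data in run_values.items():
        target = ntpath.basename(str(data).strip('"')).lower()
        if name.lower() == WORM_RUN_VALUE and target == "taskmon.exe":
            hits.append((name, data))
    return hits


_LISTENER = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def evaluate_netstat(netstat_lines: List[str]) -> bool:
    """True if `netstat -an` output shows a TCP listener on the backdoor port."""
    for line in netstat_lines:
        m = _LISTENER.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            return True
    return False


def assess(system_dir_listing, run_values, netstat_lines) -> dict:
    """Combine the three checks. One hit alone (e.g. a stray taskmon.exe) is only
    'suspicious'; two or more independent indicators are called 'infected'."""
    files = evaluate_files(system_dir_listing)
    run = evaluate_run_key(run_values)
    listening = evaluate_netstat(netstat_lines)
    score = len(files) + bool(run) + bool(listening)
    verdict = "infected" if score >= 2 else "suspicious" if score == 1 else "clean"
    return {"files": files, "run_key": run, "port_3127_listening": listening,
            "verdict": verdict}


def collect_live():
    """Read the live indicators on a Windows NT-family host (NT/2000/XP)."""
    import winreg  # Windows only
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = data
            i += 1
    netstat = subprocess.run(["netstat", "-an", "-p", "tcp"],
                             capture_output=True, text=True).stdout.splitlines()
    return os.listdir(system_dir), run_values, netstat


# Constructed snapshot of an infected host, shaped like real tool output (not a capture).
SAMPLE_LISTING = ["kernel32.dll", "taskmon.exe", "shimgapi.dll", "user32.dll"]
SAMPLE_RUN = {"Taskmon": "taskmon.exe", "SoundMan": "SOUNDMAN.EXE"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        print(assess(*collect_live()))
    else:
        print(assess(SAMPLE_LISTING, SAMPLE_RUN, SAMPLE_NETSTAT))
```

Run it with `--live` on the suspect machine, or feed it a directory listing, a Run-key dump and `netstat -an` output saved from that machine. A listener on 3127 is the indicator worth acting on first, since it is the open door the later Doomjuice worm used.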



## winchester73 (Aug 18, 2003)

Norton LiveUpdate tonight covers this ... http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Symantec calls it W32.Novarg.A@mm

New Ad-Aware reference file covers it ... http://www.lavasoftsupport.com/index.php?showtopic=18480&st=0


----------



## winchester73 (Aug 18, 2003)

The latest news is that its a DDOS attack on the SCO Servers: http://news.com.com/2100-7349-5147605.html

A² Signature Update 01/27/2004 ... + 1 signature for Worm.Win32.Mydoom


----------



## Flrman1 (Jul 26, 2002)

Yea when I first got that email about this I didn't realize it was the same as Win32.MMail.A. I'm sure we'll be seeing it pop up a lot here.

I'm curious to see if Adaware thoroughly removes it. I'm sure it will.


----------



## winchester73 (Aug 18, 2003)

Aaron says "yes" ...


----------



## Flrman1 (Jul 26, 2002)

I just got this from SWI:

SWI Readers,

There is a widespread outbreak of the WORM_MIMAIL.R email worm.

This worm is spoofing the sender's email address. If you receive one of these emails, the person in the FROM: address is NOT the person who sent it to you.

If you are running an email server with antivirus software that bounces virus infected emails, FOR GOD'S SAKE STOP BOUNCING THEM! You are participating in a denial of service attack by bouncing viruses at people who are not infected. You could even infect them yourself! STOP BOUNCING THEM!

If you receive an email like the one described below, DON'T OPEN IT! Delete it immediately, update your antivirus program and scan. If you don't have an antivirus, get one.
http://www.nod32.com/ Nod32 $39.00 (The best AV available)
http://www.grisoft.com/ AVG Free (Good enough for the price)

Description From Trendmicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

A new variant of the MIMAIL worm has been found in the wild. As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MIMAIL.R.

Also known as W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

This mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names. It can also propagate using the Kazaa peer-to-peer file sharing network.

It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

It runs on Windows 98, ME, NT, 2000 and XP.

It sends email with the following details:

Subject: (any of the following)
. Error
. Status
. Server Report
. Mail Transaction Failed
. Mail Delivery System
. hello
. hi

Message Body: (any of the following)
. The message contains Unicode characters and has been sent as a binary attachment.
. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
. Mail transaction failed. Partial message is available.
. test

Attachment: <Random name>.zip

Post this on every message board you can find. Get the word out. If you have a friend or family member who does not understand how to operate an antivirus, please check that they are updated and protected. If you know someone running antivirus on an email server, please tell them to turn off the bounce feature.

The normal SWI newsletter is going to be a day or two late. I am having bad weather here and it's interrupting my internet connection.

Regards,

Mike Healan
Editor
www.spywareinfo.com


----------



## Flrman1 (Jul 26, 2002)

I am sticking this thread for a while as it appears we are going to be seeing this a lot.

If you have been infected by this worm the latest reference file released for Adaware should remove it so please do the following:

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* and download the latest reference files.

Make sure the following settings are made and on -------*ON=GREEN*

From main window :Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

Restart your computer.


----------



## mobo (Feb 23, 2003)

I know first hand that Norton is updated for it as I received two last night alone before changing my email address again.


----------



## brendandonhu (Jul 8, 2002)

I am getting a few of these every minute , and they are all to [email protected], [email protected], [email protected], etc. The only email address I actually use is [email protected]. If I block emails To everyone except [email protected] and block those subject lines I should be OK.


----------



## brendandonhu (Jul 8, 2002)

Oh yay the virus is DDoSing sco.com, I'm sure the linux people are happy.


----------



## Deke40 (Jun 27, 2002)

The latest story on the speed of the worldwide infestation.

http://www.pcworld.com/news/article/0,aid,114461,00.asp


----------



## bassetman (Jun 7, 2001)

I got bombed by a bunch today. NAV caught them all apparently.


----------



## winchester73 (Aug 18, 2003)

If you get infected, and run Ad-Aware ... you will see something like this:

Win32.MMail.A Object recognized!
Type : File
Data : shimgapi.dll
Category : Malware
Comment : 
Object : C:\WINNT\system32\
FileSize : 4 KB
Created on : 1/27/2004 4:37:21 PM
Last accessed : 1/27/2004 6:01:23 PM
Last modified : 1/27/2004 4:37:21 PM

Mark it for deletion ... then you will need to re-boot in order to remove it fully.


----------



## bassetman (Jun 7, 2001)

Just an FYI, I picked up a new set of patterns from AdAware today!


----------



## Byteman (Jan 24, 2002)

I got one from someone who did not add any attachment....
the filename shown was Unknown.txt


----------



## mobo (Feb 23, 2003)

Update...I have had three since last night now so I guess the theory of this possibly being the fastest spreading one may be true..


----------



## brendandonhu (Jul 8, 2002)

Maybe your ISP has an antivirus that removed the virus before delivering the email. What are the contents of "Unknown.txt"?
Open it by going to File>>Open in Notepad. That way you are safe if it turns out its actually named unknown.txt.exe or .txt.scr or something else.


----------



## bassetman (Jun 7, 2001)

When Norton scrubs my mail and I look at it in Message Source I see Norton.txt.
May be a clue here.


----------



## ~Candy~ (Jan 27, 2001)

Just for fun, I opened it, and Norton said nothing.........hmmmm......running a scan now


----------



## bassetman (Jun 7, 2001)

You opened the txt or the infected email????


----------



## mobo (Feb 23, 2003)

Adaware scan would be the fastest way to go


----------



## ~Candy~ (Jan 27, 2001)

> _Originally posted by bassetman:_
> *You opened the txt or the infected email????  *


Both


----------



## mobo (Feb 23, 2003)

The zip file ?


----------



## ~Candy~ (Jan 27, 2001)

> _Originally posted by mobo:_
> *Adaware scan would be the fastest way to go *


Does the full install download have the newest ref data?

No, it started with a .scr extension


----------



## mobo (Feb 23, 2003)

Yes it does have the definitions for the newest bugger.

The three I received were zip files..


----------



## ~Candy~ (Jan 27, 2001)

Ok, downloading now. Didn't have adaware on my XP install yet......too busy trying to break other things 

I can send you the one I have   I guess it was a .zip file


----------



## mobo (Feb 23, 2003)

So hows the BREAKING goin ?


----------



## ~Candy~ (Jan 27, 2001)

Obviously not too good as I can still reach the desktop 


Subject line: hi

body copy:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


zip attachment.


----------



## ~Candy~ (Jan 27, 2001)

Just an FYI for everyone, I clicked on check for updates on a new download and it went out and got an update


----------



## winchester73 (Aug 18, 2003)

Run webupdate to get the new reference file ... sometimes it is cached, and you get an old one with the download.


----------



## ~Candy~ (Jan 27, 2001)

Ok, thanks winchester..........shouldn't be, as I've never downloaded it on this machine yet, but I guess stranger things have happened


----------



## dvk01 (Dec 14, 2002)

Norton has a removal tool now so that is the easiest way to get the bugger off your system

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
And Candy needs a good slapping if she has opened a definite virus. You should know better by now, "curiosity kills"


----------



## ~Candy~ (Jan 27, 2001)

Well, all adaware picks up is my side step stuff (which I want) and the usual cookie files, so don't know what happened, but doesn't look like it transferred to the hard drive. Now, another question, I haven't rebooted since I did the dirty deed, would that make a difference?

Thanks Derek, this is the XP installation I'm trying to kill for whatever reason anyhow. I need to do a format and complete install again, but won't do it until I'm pushed up against the wall


----------



## bassetman (Jun 7, 2001)

> _Originally posted by AcaCandy:_
> *Obviously not too good as I can still reach the desktop
> 
> Subject line: hi
> ...


That's what I saw in message>Source!


----------



## ~Candy~ (Jan 27, 2001)

Well, I feel gipped. No virus according to Norton, nothing found by adware.........


----------



## Deke40 (Jun 27, 2002)

Just made this up as an extra reminder to not open the nasty.

PS-You would have to make four rules for the subject words as I couldn't get it to work with multiple words.


----------



## Deke40 (Jun 27, 2002)

The message rules made it easy to spot the bad boy in red.


----------



## bassetman (Jun 7, 2001)

> _Originally posted by AcaCandy:_
> *Well, I feel gipped. No virus according to Norton, nothing found by adware......... *


Just turn off NAV for the rest of the day if you feel that way Candy!


----------



## bassetman (Jun 7, 2001)

Deke, interesting idea!


----------



## Flrman1 (Jul 26, 2002)

I edited the first post in this thread to include a link to the removal tool and directions on how to use it.

How's it going Candy?


----------



## ~Candy~ (Jan 27, 2001)

Everything shows clean Mark. I don't get it 

Hey Deke, just put your rule to forward them to me


----------



## Flrman1 (Jul 26, 2002)

Did you try the removal tool too?


----------



## ~Candy~ (Jan 27, 2001)

No.....should I? Guess it wouldn't hurt? I guess it'll alert me if something is found?

Edit, ok, downloaded and running it now


----------



## Deke40 (Jun 27, 2002)

> Hey Deke, just put your rule to forward them to me   [/B]


Here you go.


----------



## ~Candy~ (Jan 27, 2001)

Thanks 

I just ran the removal tool, nothing found, on all 3 drive 

Makes ya wonder, doesn't it


----------



## CyBerAliEn (Nov 25, 2001)

Wow, quite interesting.

Last night I had emails pouring into the "default" address of the domain of an insurance company I host about every 10 minutes or so. Emails were from all sorts of misc, made-up addresses. The "to" however was really interesting. It was sending things to [email protected], [email protected], [email protected], [email protected], etc (continuously a wide variation of first names). Due to it, I also setup a custom rule in Outlook, and all emails going into that domain are being sent to my deleted box.

I also just started to receive emails into my own domain today. Again, stuff like [email protected], [email protected], [email protected], etc.

All the emails had the subject line mentioned and the bodies mentioned. They also all had an attachment on them (it came in a variety of forms, a ZIP, SCR, TXT, etc), and all the attachments though were right around 20kb. Just from experience and knowledge, I don't even open an attachment if it is that small, even if its from someone I know, because it is 99.9999% likely it is a virus or something of the sort.

But the thing that "scared" me, was that I never opened any of the attachments. But I received two emails that appear legitimate, claiming an email I had sent did not get through because it contained a virus. Obviously, I never sent those emails.

Right now I am running Norton to make sure I am not infected.

Would certainly seem to be one of the worst yet. Foremost, I have never been affected on my computer by any sort of virus, trojan, etc in well over 2 years; and its possible I'm not affected by this one yet (still scanning). So if its gotten through to me, I'd say its a pretty good one. 

The real problem is if someone from the business I work with opens the email, even though I sent them (every single employee) an email last night after the first 3 emails came through, telling them not to open any of such emails. Though luckily for me, one of them apparently tried opening such an email but Norton stopped them (after I sent them the email, lol).


----------



## winchester73 (Aug 18, 2003)

An attachment (the worm) is included using the file extension .exe, .pif, .zip, and .scr. Filenames include body, document, file, message, test, and text.

Upon execution, it will drop taskmon.exe and shimgapi.dll in the %system% folder, and set taskmon.exe to autostart in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey.


----------



## starchild (Sep 17, 2002)

I came here to ask about this, read on another board (not computer theme) an article on cnn website.

Someone posted that this morning something (in her mail) turned off her mcAfee anti virus program.

Or, she thought this.

I've been getting email in OE for a few days now, that seemed to have gibberish in the subject line. I thought it was a foreign language (ad) or something and just deleted it.

Always something, huh?

Imagine the mentality of the minds that think this stuff up and get it started. Gives new meaning to the phrase "get a life".

~ Carrie


----------



## CyBerAliEn (Nov 25, 2001)

> Gives new meaning to the phrase "get a life".


lol , how true.

Well, my scan is completed (probably been completed for awhile now, but I left for dinner while it was still going and just got back). My computer hasn't been affected (yay ).


----------



## ~Candy~ (Jan 27, 2001)

Mine neither. I guess tomorrow is another day


----------



## CyBerAliEn (Nov 25, 2001)

Yeah, lol...

Its interesting though, I haven't received any of those emails for several hours now.


----------



## ~Candy~ (Jan 27, 2001)

Not too many make it past my ISP, I'm surprised that one slipped in this morning


----------



## starchild (Sep 17, 2002)

I ADWAREd and scanned too, and nothing here.

Maybe we're smarter and faster than the viruses after all.

~Carrie


----------



## pinkolive (Jul 6, 2003)

Hi, 
I'm a relatively new computer user, and I was wondering if Spyware would be enough...I don't think I have an anti-virus program...
When I ran Spyware, it caught a parasite in my directory, so I removed it. I also ran the removal tool from flrman1 and it said that two things were removed.
I guess my question is...is it now safe?
I also checked out the website that flrman1 suggested had the best anti-virus program...it's all Chinese to me! Is it safe to order that via internet now, not knowing if I completely removed the virus or not?
HELP!

Pinkolive.


----------



## KrashedKris (Dec 23, 2003)

Hi pinkolive,

I'm not an expert myself, but I'd suggest that if you're worried about a possible virus infection on your pc you could start a new thread in this forum and post a Hijack This log for one of the experts to examine thoroughly.

Also, you should definitely have both a firewall and an anti-virus program up and running on your pc to use the internet safely - I certainly wouldn't make any financial transactions on the net unless you are confident that you have both running properly. See for example, Rollin' Rog's sticky post "Security Help Tools" for a list of programs you can use, some of which are free.

Also, assuming you use Windows, you should ensure you have all the latest Windows Critical Updates installed on your pc.

Hope this helps


----------



## valley (Nov 17, 2002)

I am having a similar problem as Candy. I get an alert saying I am infected, I have run AVG, the Removal tool from Symantec, and Adaware and none of them indicate that I have the worm. Here is a cap of the alert. Hope you can see it..I resized it so it wouldn't make your eyes bug out:


----------



## ~Candy~ (Jan 27, 2001)

Hi valley, I never got an alert, that was part of the problem, so I guess I actually wasn't infected, even though I purposely downloaded and clicked on both links in the email. Go figure.

You need to turn off system restore (I think) then rescan, then turn it back on.


----------



## valley (Nov 17, 2002)

> _Originally posted by AcaCandy:_
> *I guess I actually wasn't infected, even thought I purposely downloaded and clicked on both links in the email. Go figure.*


lucky brat! How do you rate? 



> *You need to turn off system restore (I think) then rescan, then turn it back on. *


already did that...if it fixed it then it didn't tell me. I rebooted and didn't get the error message. wacky thing...


----------



## ~Candy~ (Jan 27, 2001)

Be sure to turn system restore back on again 

BTW, I got the brilliant idea to 'test' Norton  Maybe it did voodoo in the background


----------



## jm100dm (May 26, 1999)

valley,

Looking at the photo that you put in your post the file was found in a restore file. As long as you don't restore that file you should be fine. Hope that helps ease your mind.


----------



## CyBerAliEn (Nov 25, 2001)

What were you doing opening that attachment for valley?  

If you want to make sure you don't have, you can always download and run the app from Norton (link to it provided in first post of this thread) to remove this virus, and if it doesn't find it, then obviously you don't have the virus (IE, you never had it to begin with, or it was removed by your anti-virus/etc). If it finds it, this app will remove the virus from your computer.


----------



## valley (Nov 17, 2002)

> _Originally posted by jm100dm:_
> *valley,
> 
> Looking at the photo that you put in your post the file was found in a restore file. As long as you don't restore that file you should be fine. Hope that helps ease your mind. *


thank Jim. That does make me feel better. :up:


----------



## valley (Nov 17, 2002)

> _Originally posted by CyBerAliEn:_
> *What were you doing opening that attachment for valley?  *


I know, I know... It was in an attachment from a member here, of all places! He sent me a link to an article I was looking for...and then I got another email from him saying "error"...so I assumed it meant he gave me the wrong link and opened it!

As soon as I saw the gibberish, I knew I'd been had! 

Everything looks ok now


----------



## Sephiroth11 (Sep 24, 2003)

I guess Microsoft caught word of this easily, MSN Hotmail seems to filter through these since I have not received any.


----------



## Sephiroth11 (Sep 24, 2003)

Whoop, my bad, I read the detailed analysis and it says it won't send to .hotmail users.


----------



## Flrman1 (Jul 26, 2002)

- Panda Software reports the appearance 
of variant B of the Mydoom worm -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, January 28, 2004 - Even though incidents caused by Mydoom.A.worm are
still on the rise, PandaLabs has already detected variant B of this worm:
Mydoom.B.worm.

This new variant is even more dangerous than its predecessor, as it is
designed to prevent several antivirus programs from updating correctly.
This, nevertheless, does not affect Panda Software antivirus solutions.

Like Mydoom.A, the new worm is designed to attack and saturate networks of
any size. To do this, it searches e-mail addresses in the Outlook Address
Book as well as in computer files with the extensions: .htm, .sht, .php,
.asp, .dbx, .tbb, .adb, .pl, .wab, .txt. Then, the worm uses its own SMTP
engine to send itself by e-mail. Mydoom.B.worm also spreads via KaZaA.

Mydoom.B.worm also modifies the Windows hosts file. By doing this, it
manages to redirect certain Internet addresses -including those of several
antivirus vendors - so that, when users try to access them, the Internet
browser shows an error message indicating that the page could not be found.
In this way, it prevents several antivirus programs from updating properly.

Unlike Mydoom.A, this new malicious code has been designed to launch DoS
(Denial of Service) attacks against the Microsoft Corporation servers.

Panda Software has already made the updates to its products available to its
clients to ensure their solutions can detect and eliminate Mydoom.B. Even
though Panda Software's products can be automatically updated every day,
those whose software is not configured to update automatically, should
update their solutions from http://www.pandasoftware.com/.

Users can also detect this and other malicious code using the free, online
antivirus, Panda ActiveScan, which is available on the company's website at
http://www.pandasoftware.com/.

Finally, the epidemic caused by the Mydoom.A worm shows no signs of
cooling. The number of infected e-mails that are in circulation is
continuously increasing, which means that the possibility of becoming
infected by Mydoom.A is still very high. Mydoom.A.worm has infected seven
times more computers than Bugbear.B, the second virus most frequently
detected by the online antivirus Panda ActiveScan.

Everything seems to indicate that the writer or writers of these two worms
aim at putting as many copies of their creations as possible in circulation.
In this way, on the dates when the denial of service attacks are set to
occur, there will be more possibilities for these to be successful.

Detailed technical information on Mydoom.A.worm and Mydoom.B.worm is
available from Panda Software's Virus Encyclopedia.

More detailed information on Mydoom.A.worm and Mydoom.B.worm is available
from Panda Software's Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia/.


----------
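
The Panda release above describes Mydoom.B editing the Windows hosts file so that antivirus vendor sites resolve to a dead address and updates fail. The script below is an editorial example, not Panda's code or anything posted in this thread. It parses a hosts file and flags two things: any hostname other than localhost pinned to a loopback or null address, and any entry that overrides a domain on a watchlist. The page does not name the domains Mydoom.B redirected, so `WATCHLIST` is an illustrative assumption built from the vendors mentioned in the thread, and `SAMPLE_HOSTS` is a constructed file, not a capture from an infected machine.

```python
"""Hosts-file tamper check for the Mydoom.B behaviour described above.

Editorial example added to this thread; not Panda's code. The page does not
say which hosts Mydoom.B redirected, so WATCHLIST is illustrative only. The
generic check (a non-localhost name pinned to a loopback or null address)
needs no list at all and catches the "page could not be found" effect the
release describes.
"""
import os
import sys
from typing import Dict, List

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# A hostname mapped to one of these is unreachable from this machine.
SINKHOLE_PREFIXES = ("127.", "0.0.0.0", "::1")
# Assumption for illustration: vendors named in this thread, not a list from the page.
WATCHLIST = {"pandasoftware.com", "symantec.com", "sophos.com", "trendmicro.com"}


def parse_hosts(text: str) -> List[Dict]:
    """One {'line', 'ip', 'host'} record per name, with comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *hosts = fields
        for h in hosts:
            entries.append({"line": n, "ip": ip, "host": h.lower()})
    return entries


def is_sinkhole(ip: str) -> bool:
    return any(ip.startswith(p) for p in SINKHOLE_PREFIXES)


def in_watchlist(host: str) -> bool:
    """Exact match or a subdomain of a watchlisted domain (not 'symantec.com.evil.test')."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text: str) -> List[Dict]:
    """Entries that pin a non-localhost name to a dead address, or that override
    a watchlisted vendor domain with any address at all."""
    hits = []
    for e in parse_hosts(text):
        if e["host"] in LOCAL_NAMES:
            continue
        if is_sinkhole(e["ip"]):
            hits.append({**e, "why": "pinned to unreachable address"})
        elif in_watchlist(e["host"]):
            hits.append({**e, "why": "vendor host overridden"})
    return hits


def default_hosts_path() -> str:
    """NT-family location; on Windows 9x/Me the file sits directly in the Windows folder."""
    if sys.platform == "win32":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample shaped like a tampered Windows hosts file (not a real capture).
SAMPLE_HOSTS = """# hosts file, constructed sample
127.0.0.1       localhost
0.0.0.0         www.pandasoftware.com
0.0.0.0         liveupdate.symantec.com   # added by malware
127.0.0.1       downloads.example-av.test
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for hit in suspicious_entries(text):
        print("line %(line)d: %(ip)s %(host)s  (%(why)s)" % hit)
```

Pass the path of the machine's hosts file as the first argument (`default_hosts_path()` gives the usual location); with no argument it runs over the constructed sample. Removing the flagged lines is what lets the antivirus update again, which is why this check belongs before re-running LiveUpdate or the vendor's online scanner.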



## pinkolive (Jul 6, 2003)

Thanks for the help!

I've learned so much in the last 24 hrs. or so about my computer thanks to this virus....I think I finally got rid of it.

I'm just concerned about this "firewall" you mentioned....I will be looking into it before I do my banking! I'm going to check out your suggestion (Security Help Tools) right now.

I hope I don't get infected again!

Pinkolive


----------



## bassetman (Jun 7, 2001)

The things that don't kill us, make us smarter!


----------



## pinkolive (Jul 6, 2003)

Tell me about it! Everytime I update my hubby on what I've found out or what I've done re: this virus he's amazed.

I thank God I found this website last summer!

I'm just trying to find out more about firewalls now...any tips and info.?

Pinkolive

By the way....how did I become 100% tech.? LOL!


----------



## bassetman (Jun 7, 2001)

Download and install ZoneAlarm! Then if you have any questions, ask them!


----------



## Cédric (Oct 28, 2002)

Hiya all,
apparently, the virus also uses the mail address of someone you know. I had a mail from my wife she had never sent of course. Fortunately, I knew she couldn't have sent that sort of crap but my mail is being spammed by these mails, anyway.
What can I do except deleting them? The address changes all the time and I can't create a rule saying the mail is spam and all.
any suggestion ?
Ceddy


----------



## brendandonhu (Jul 8, 2002)

If your mail client supports complex filters like regexps and such, you can filter the virus. I found these rules on slashdot:

If expression body matches "UEsDBAoAAA*" Move [virus folder]
If expression body matches "TVqQAAMAAA*" Move


----------
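
The two filter rules quoted in the post above are not arbitrary strings: they are the base64 encoding of an attachment's first bytes. `PK\x03\x04\x0a\x00\x00\x00` (a ZIP local file header) encodes to text beginning `UEsDBAoAAA`, and `MZ\x90\x00\x03\x00\x00\x00` (the DOS header of a Windows executable) encodes to `TVqQAAMAAA`. Matching the encoded text is brittle, though: a ZIP written by a different tool starts `UEsDBBQ...` and slips past the first rule. The filter below is an editorial example, not code from the poster or from Slashdot; it decodes each attachment and checks the raw magic bytes instead, falls back to the executable extensions from the Sophos list at the top of the thread, and quarantines rather than bounces, for the reason the SWI note gave. The sample message, addresses and fake header bytes are constructed for the demonstration.

```python
r"""Attachment filter for the MyDoom mail described in this thread.

Editorial example; not code from the posters or from Slashdot. The two rules
quoted above match the base64 encoding of an attachment's first bytes:
    PK\x03\x04\x0a\x00\x00\x00  (ZIP local header)  ->  UEsDBAoAAA...
    MZ\x90\x00\x03\x00\x00\x00  (DOS/PE header)     ->  TVqQAAMAAA...
Matching the encoded text is brittle (a ZIP written by another tool starts
'UEsDBBQ...'), so this filter decodes each attachment and checks the raw
magic bytes, and it quarantines rather than bounces: the From: is forged.
"""
import base64
import email
from email import policy
from typing import Optional

# Attachment extensions from the Sophos list quoted at the top of this thread.
EXECUTABLE_EXTS = (".bat", ".cmd", ".exe", ".pif", ".scr")


def b64_prefix(raw: bytes) -> str:
    """Base64 text (padding stripped) that a MIME body starts with for these bytes."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def classify_payload(data: bytes, filename: Optional[str]) -> Optional[str]:
    """Reason the attachment is refused, or None if it passes."""
    if data[:2] == b"MZ":
        return "Windows executable (MZ header)"
    if data[:4] == b"PK\x03\x04":
        return "ZIP archive (PK header)"
    name = (filename or "").lower()  # also catches readme.txt.scr double extensions
    for ext in EXECUTABLE_EXTS:
        if name.endswith(ext):
            return "executable extension " + ext
    return None


def filter_message(raw_message: bytes) -> dict:
    """Deliver or quarantine one RFC 822 message. Never bounce it: the sender
    address is forged, so a bounce only hits an uninvolved third party."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        reason = classify_payload(data, part.get_filename())
        if reason:
            reasons.append("%s: %s" % (part.get_filename(), reason))
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(attachment_name: str, payload: bytes) -> bytes:
    """Constructed test mail in the shape described on this page (not a real capture)."""
    text = (
        "From: someone@example.invalid\r\n"
        "To: you@example.invalid\r\n"
        "Subject: hi\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n"
        "The message cannot be represented in 7-bit ASCII encoding "
        "and has been sent as a binary attachment.\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="%s"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="%s"\r\n\r\n'
        "%s\r\n--b1--\r\n"
    ) % (attachment_name, attachment_name, base64.b64encode(payload).decode("ascii"))
    return text.encode("ascii")


# Header bytes only, padded with zeros; neither is a working archive or program.
FAKE_ZIP = b"PK\x03\x04\x0a\x00\x00\x00" + b"\x00" * 24
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    print(b64_prefix(FAKE_ZIP[:8]), b64_prefix(FAKE_EXE[:8]))  # the two Slashdot patterns
    for name, payload in (("document.zip", FAKE_ZIP), ("readme.txt.scr", FAKE_EXE),
                          ("notes.txt", b"plain text")):
        print(name, filter_message(build_sample(name, payload)))
```

Hook `filter_message()` into whatever sees the raw message (a procmail recipe, a milter, or a mailbox sweep) and route "quarantine" results to a folder. The decode-then-inspect approach also explains why the pure text rules miss mail whose body is quoted-printable or whose ZIP uses a different header version.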



## Cédric (Oct 28, 2002)

Thanks a lot.


----------



## jm100dm (May 26, 1999)

Pinkolive
the 100 % refers to the forum that you posted to. If you post in a different forum the % will drop accordingly.
Jeff


----------



## starchild (Sep 17, 2002)

I've been getting some "return email" in my Outlook Express mail now. I have OE set to not let in attachments, and I got so used to this kind of mail during the Microsoft critical update patch (etc) virus spam, I just deleted it automatically now anyway.

The Microsoft one would sometimes say "unable to deliver- mail returned" etc. The idea being, you click on it to see what you might have sent that was returned. 

~ Carrie


----------



## ~Candy~ (Jan 27, 2001)

I was just about to post the same thing Carrie, I figured maybe I'd better rescan again 

Now, I won't waste my time, seems like that will be the next wave of emails.


----------



## Cédric (Oct 28, 2002)

> _Originally posted by brendandonhu:_
> *If your mail client supports complex filters like regexps and such, you can filter the virus. I found these rules on slashdot:
> 
> If expression body matches "UEsDBAoAAA*" Move [virus folder]
> If expression body matches "TVqQAAMAAA*" Move *


Created rules but still receive bloody hello and test mails.


----------



## pinkolive (Jul 6, 2003)

Hi Jeff,

I figured it was something like that, 'cause I sure 'ain't a tech by any means! LOL!


----------



## brendandonhu (Jul 8, 2002)

> _Originally posted by Cédric:_
> *Created rules but still receives bloody hello and tests mails.
> *


I said if your mail program allows you to filter on regular expressions...apparently yours doesn't.

Anyways, I have gotten about 10 emails today saying Such-And-Such-Antivirus-Program has detected a virus in an email you sent. They send a warning message telling me to notify my IT person, and they bounce back the email that they think I sent. Hasn't someone told them that this thing forges the Return Address?


----------



## mommajoan (Oct 16, 2003)

MyDoom becomes most active virus on record.

MessageLabs


----------



## Denim (Dec 31, 2002)

Hey there All, 
Luckily enuff by the grace of God (knock on wood ) I ain't been hit yet by the nasty MyDoom A or B Demon!! 
I know that Flrman said that Adaware, when updated and run, catches parasites of the nasty little bugger. 
But I was wondering, does Spybot Search and Destroy (when updated and run) do the same thing?

I'm still on dial up too, and somebody told me that has helped me some right there too in keeping nasties out. I hope that this is true. 
I'm running Windows XP,
Norton SystemWorks 2003
Sygate Personal Firewall
Spybot Search and Destroy
POW!! Pop up Ad Stopper

I did a security check at Symantec tonight and they said that I was running in full stealth mode against everything including Trojans. And Sygate said the same thing too. So I guess I must be doing something right somewhere huh?  

 Denim

I just found this at Symantec for you Linux users. Now fair warning, I know nothing about Linux or nothing like that but am just passing this along for the Linux users here. 
A Security Update From Symantec For Linux Users


----------



## Byteman (Jan 24, 2002)

Hi denim....Not sure about SpyBot having detections for MyDoom, but Norton Antivirus does, most antivirus programs have it within some hours of the virus first being noticed. It pays to check for updates almost every day the way new bugs are bouncing around.


----------



## Denim (Dec 31, 2002)

Hey there Byteman, 
I figured that Nortons did. After all they are the best at keeping on top of everything . Or at least they have in the last 3 years that I have been using them !! 
That is the first thing that I do when I get on the Log on the net, is pull Norton up and run Live Update, then run a full system scan EVERY DAY!! Without fail !! 
But right now the way that it is set up is just to quarantine infected files. Do you think it would be better if it deleted infected files instead? 
Your buddy Always, 
 Denim


----------



## dvk01 (Dec 14, 2002)

This press release comes from F-Secure. For more 
information on F-Secure's mailing list policy, 
see end of message.

PRESS RELEASE

For release February 9,2004

Authors of Mydoom worm launched yet another attack
New worm tries to lose the evidence

A new network worm known as Doomjuice has been found. This worm is closely
associated with the previous Mydoom worms. It infects Windows machines which
are already infected by Mydoom.A. On such machines the worm will infect the
computer totally automatically - the owner of the computer can be sleeping
and still get Doomjuice to his computer. Doomjuice does not spread over email
at all.

Doomjuice has launched a world-wide denial-of-service attack against
www.microsoft.com - one of the largest websites in the world. Currently
www.microsoft.com seems to be operational, but a disruption in service has
been noted earlier during Monday the 9th of February.

Doomjuice spreads between computers that are already infected with the
Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines
with the backdoor open, Doomjuice scans random internet addresses. When it
finds a machine that is infected by Mydoom.A, it sends itself over infecting
it with Doomjuice too.

Doomjuice drops the original source code of the Mydoom.A worm in an archive
to several folders of infected computers. "This proves to us that Doomjuice
and Mydoom.A are written by the same people", comments Mikko Hypponen,
Director of Anti-Virus Research at F-Secure. "The source code of Mydoom.A has
not been seen circulating in the underground before."

The motivation to distribute source seems to be simple. "The authors know the
police are looking for them. And the best evidence against them would be the
possession of the original source code of the virus. Before the Doomjuice
incident, only the authors of Mydoom.A had the original source code. Now
probably tens of thousands of people have it on their hard drive - without
knowing it", says Hypponen.

The worm has been programmed to start a distributed denial-of-service attack
against www.microsoft.com after the 8th of February, which is when the worm
was probably distributed. The attacks will continue forever and will try to
overload the website by repeatedly reloading the front page.

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/doomjuice.shtml

F-Secure monitors the ongoing attacks against www.sco.com and
www.microsoft.com by the Mydoom-related viruses in our Weblog:
http://www.f-secure.com/weblog/


----------



## ~Candy~ (Jan 27, 2001)

Those little *#*#*#*#


----------



## starchild (Sep 17, 2002)

Wow...

I guess when something gets so big (the internet/Microsoft, etc) it just makes a bigger target to use against itself.

Or something.

If I run scans that show I don't have the original worm, this should be okay, right?

It's going to continue 'forever'? 

The anti virus programs will be able to deal with it and clear it up in time, right?

I'm still occasionally getting emails that say critical update patch, and MSN stuff, from the Swen virus, last Fall.

In a way, whoever thinks this stuff up and starts it must be a genius. Too bad they aren't using it in less destructive ways.

~ Carrie


----------



## starchild (Sep 17, 2002)

You said it all, AcaCandy.

~ Carrie


----------



## dvk01 (Dec 14, 2002)

It's hitting MS hard at the moment

The main website is uncontactable, as well as Microsoft.co.uk, .de, .jp etc.

They are really trying it on this time

perhaps Big Billy will spend some of his Billions in tracking them down and dealing with them


----------



## starchild (Sep 17, 2002)

Sort of like "the bigger they are the harder they fall"?

Actually, I can't really judge Bill Gates (for being in the right place at the right time and taking advantage of it), if it wasn't for WINDOWS I probably wouldn't be online now. And probably a lot of others wouldn't.

Or, we'd all have MACS (LOL)

~ Carrie


----------



## dvk01 (Dec 14, 2002)

Also beware of this one

a backdoor left by MyDoom, as Carrie has found out

http://www.sarc.com/avcenter/venc/data/[email protected]

see thread here
http://forums.techguy.org/t202957/s.html


----------



## bassetman (Jun 7, 2001)

Thanks Derek!


----------



## starchild (Sep 17, 2002)

I feel like a pioneer 

I'm wondering WHY didn't all the scans I used all along (since MY Doom first came out- and my regular AVG before that) show I had MY Doom in the first place? I even used the ones given out here (Symantec) especially for this. 

I would have had to have had it, to get the backdoor version of it?

Yesterday when I looked up the 1111a.exe, 1111b.exe, 1111c.exe in google there was nothing to be found for them.

Today there are.

btw, that link you gave (Derek) doesn't open. Maybe it's just really busy right now.

~ Carrie


----------



## bassetman (Jun 7, 2001)

Both of Derek's links worked for me a bit ago.


----------



## starchild (Sep 17, 2002)

It said "page cannot be displayed" (quickly, not like it timed out) I tried it several times.

I'm sure it's a good link, maybe getting flooded with people opening it.

I found quite a lot of info about this already in google search.

This is the picture that I found in C:\ (that said it was in WIN/TEMP when opened) It said "2" under it, and had a strange icon that looked like a mushroom on it, which was why I noticed it.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101004#method

I was looking in C drive for something else at the time.

It gave the date created as Feb 4, but that might have been when the original worm created it.

Too bad the people who think this stuff up can't be using their apparent genius in some GOOD way.

~ Carrie


----------



## eddie5659 (Mar 19, 2001)

*W32/Netsky.B Virus*

The W32/Netsky.B virus propagates either as an attachment to an email message or by automatically copying itself to Windows network shares. Upon successful execution, the virus attempts to:

- modify various Windows registry values so that the virus is run again upon reboot. 
- install a copy of itself as %Windir%\services.exe, where %Windir% is a variable pointing to the root of the Windows directory on the host. 
- collect target email addresses from files with specific extensions on the local system. 
- copy itself to particularly-named files within non-CDROM local drives or mapped network shares. 
- remove registry keys that were added as a likely result of successful compromise via other recent malicious code, including W32/Novarg.A and W32/MyDoom.B. 

When spreading via email, the virus arrives as an email message with a 22,016-byte attachment that has a filename selected randomly from a fixed list and a double extension: the first extension is one of

- .txt 
- .rtf 
- .doc 
- .htm 

and the second is one of

- .com 
- .pif 
- .scr 
- .exe 

The attachment may also arrive as a ZIP (.zip) archive.

Some messages containing the virus have had the following characteristics:

Subject: (one of the following) 
- stolen 
- fake 
- unknown 
- something for you 
- read it immediately 
- warning 
- information 

From: <spoofed>
To: <email address>

Body: (The body has been reported to contain a short message selected randomly from a fixed list.)

When spreading via the filesystem, the virus searches non-CDROM drives C: through Z:, including mapped network shares, for any folders containing "Share" or "Sharing" in their name. The virus then copies itself into these folders as a filename selected randomly from a fixed list and containing a double-extension.

As with other malicious code having mass-mailing capabilities, W32/Netsky.B may cause "collateral" denial-of-service conditions in networks where either (a) multiple systems are infected, or (b) large volumes of infected mail are received.

The CERT/CC is continuing to analyze the malicious code and we will update this Incident Note as more information is confirmed.

Anti-virus vendors have developed signatures for and information about W32/Netsky.B:

http://www.sarc.com/avcenter/venc/data/[email protected] 
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B 
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101034 
http://www.f-secure.com/v-descs/netsky_b.shtml 
http://www.sophos.com/virusinfo/analyses/w32netskyb.html 
http://www3.ca.com/virusinfo/virus.aspx?ID=38332

http://www.cert.org/incident_notes/IN-2004-02.html

Regards

eddie
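As an added example (not part of the CERT note or eddie's post), the following Python script turns the Netsky.B traits listed above into a mail-gateway and file-share check: it parses a raw RFC 822 message, flags attachments whose name carries one of the listed double extensions, is exactly 22,016 bytes or is a .zip, matches the subject against the fixed list, and separately picks out files that sit in a folder named like "Share"/"Sharing" with a double-extension name. The sample messages and paths are constructed here for illustration; the size, subject, extension and folder-name values are the ones the note gives, and the decision rule in `is_suspect` is this example's own assumption, not CERT's.

```python
"""Checks for the W32/Netsky.B indicators listed in the CERT incident note."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator values taken from the CERT description quoted above.
NETSKY_B_SUBJECTS = {"stolen", "fake", "unknown", "something for you",
                     "read it immediately", "warning", "information"}
NETSKY_B_SIZE = 22016
# first extension .txt/.rtf/.doc/.htm, second .com/.pif/.scr/.exe
DOUBLE_EXT = re.compile(r"\.(txt|rtf|doc|htm)\.(com|pif|scr|exe)$", re.IGNORECASE)
# folders the worm copies itself into: name contains "Share" or "Sharing"
SHARE_DIR = re.compile(r"shar(e|ing)", re.IGNORECASE)


def check_message(raw: bytes) -> dict:
    """Return the Netsky.B indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": False, "double_ext": [], "size_match": [], "zip": []}
    subject = (msg["subject"] or "").strip().lower()
    findings["subject_match"] = subject in NETSKY_B_SUBJECTS
    for part in msg.iter_attachments():          # only parts marked as attachments
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if DOUBLE_EXT.search(name):
            findings["double_ext"].append(name)
        if name.lower().endswith(".zip"):
            findings["zip"].append(name)
        if len(data) == NETSKY_B_SIZE:
            findings["size_match"].append(name)
    return findings


def is_suspect(findings: dict) -> bool:
    """Assumed rule: a double extension alone is enough to quarantine; a matching
    subject only counts when paired with the worm's size or a zip attachment."""
    return bool(findings["double_ext"]) or (
        findings["subject_match"] and bool(findings["size_match"] or findings["zip"]))


def share_folder_drops(paths) -> list:
    """From file paths (e.g. a directory listing of C: to Z:), return those that look
    like Netsky.B drops: double-extension name inside a Share/Sharing folder."""
    hits = []
    for p in paths:
        parts = p.replace("\\", "/").split("/")
        folders, name = parts[:-1], parts[-1]
        if DOUBLE_EXT.search(name) and any(SHARE_DIR.search(f) for f in folders):
            hits.append(p)
    return hits


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed sample message for testing; not a real Netsky.B capture."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"M" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return bytes(m)


SAMPLE_WORM = build_sample("warning", "document.txt.exe", NETSKY_B_SIZE)
SAMPLE_CLEAN = build_sample("warning", "minutes.doc", 4096)
# Constructed paths standing in for a drive listing.
SAMPLE_PATHS = [
    r"C:\Shared Docs\readme.txt.pif",
    r"C:\Documents\report.doc",
    r"D:\FileSharing\setup.htm.scr",
    r"C:\Share\notes.txt",
]

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        f = check_message(raw)
        print(label, "suspect" if is_suspect(f) else "ok", f)
    print("share drops:", share_folder_drops(SAMPLE_PATHS))
```

The size and subject checks are weak on their own (a 22,016-byte legitimate file or a mail titled "information" is common), which is why the rule above only acts on them in combination; the double extension is the indicator worth blocking outright, and it catches later double-extension mailers too.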


----------



## eddie5659 (Mar 19, 2001)

Hiya

US-CERT is receiving reports of another variant of the Mydoom virus, called W32/Mydoom.F. Like previous versions (e.g. W32/Mydoom.A or W32/Mydoom.C), it opens a backdoor which allows the virus to download and execute arbitrary code. However, the port number has changed from 3127/tcp to 1080/tcp. Additionally, the backdoor can be used by an attacker to gain access to a system.

The virus searches for and may delete files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp .

If the date is between the 17th and 22nd of the month, the virus will perform a Denial of Service (DoS) attack against the websites for Microsoft (www.microsoft.com) and the Recording Industry Association of America (www.riaa.com)

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

Regards

eddie
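The F-Secure release earlier in the thread explains that Doomjuice finds victims by scanning random addresses for the backdoor Mydoom.A leaves open, and the US-CERT note above gives the port numbers: 3127/tcp for the earlier variants and 1080/tcp for Mydoom.F. As an added example (not from either advisory), the Python script below parses the output of Windows `netstat -an` and reports any listener on those two ports, which is the quickest offline check for the backdoor even before the scanner signatures catch up. The netstat samples are constructed for the example; the port assignments are the ones quoted in the post.

```python
"""Flag TCP listeners on the Mydoom backdoor ports named in the US-CERT note."""
import re
import subprocess

# Port-to-variant mapping as given in the US-CERT text above.
BACKDOOR_PORTS = {
    3127: "Mydoom.A and earlier variants (3127/tcp)",
    1080: "Mydoom.F (1080/tcp; also the usual SOCKS proxy port, so confirm the owning process)",
}
# One Windows 'netstat -an' TCP row: proto, local addr:port, foreign addr:port, state.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s*$")


def parse_netstat(text: str) -> list:
    """Return (local_addr, local_port, state) for every TCP row in netstat output."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def find_backdoor_listeners(text: str) -> dict:
    """Map each backdoor port found in LISTENING state to its description.
    Only the local column is checked: an outbound connection to a remote
    :1080 is a proxy client, not a backdoor."""
    hits = {}
    for _addr, port, state in parse_netstat(text):
        if state.upper() == "LISTENING" and port in BACKDOOR_PORTS:
            hits[port] = BACKDOOR_PORTS[port]
    return hits


def run_live() -> dict:
    """Run netstat on this host (Windows syntax; assumed, not from the advisory)."""
    try:
        out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return {}
    return find_backdoor_listeners(out)


# Constructed sample output in the Windows XP netstat layout (not a real capture).
SAMPLE_INFECTED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       64.4.13.1:80           ESTABLISHED
"""
SAMPLE_CLEAN = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1061       10.0.0.9:1080          ESTABLISHED
"""

if __name__ == "__main__":
    print("sample infected:", find_backdoor_listeners(SAMPLE_INFECTED))
    print("sample clean:   ", find_backdoor_listeners(SAMPLE_CLEAN))
    print("this host:      ", run_live())
```

A hit on 3127 is unambiguous, since nothing legitimate normally listens there; a hit on 1080 needs a second look with `netstat -ano` to see which process owns the socket, because a deliberately installed SOCKS proxy uses the same port. On a personal firewall such as the Sygate one mentioned earlier in the thread, blocking inbound 3127/tcp and 1080/tcp also keeps Doomjuice's random-address scan from reaching an already-infected machine.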


----------



## starchild (Sep 17, 2002)

How can we check to make sure we don't have this new variation of it?

I remember the last one, it took AVG (which I use) several days to learn about it and add it to their scan.

~ Carrie


----------



## bassetman (Jun 7, 2001)

Go here and pick one of the online scanners.
http://forums.techguy.org/t110854/s.html


----------



## starchild (Sep 17, 2002)

Okay, some of them I already have.

I guess at some point they catch up with the brand new viruses.

Thanks- that's a good page to put in Favorites.

~ Carrie


----------



## bassetman (Jun 7, 2001)

YW


----------

