Again a new virus for you Windows users



Hasse
27-01-04, 06:57
MyDoom, Shimgapi, Novarg

The virus will try to fool you into opening an attachment with this type of a message:

test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.

The attachment contains the virus. Remember that the name of the sender/email address of the sender can be your friend's name even though he/she isn't responsible for the email!

The following snapshot is one virus message that was sent in my name to somebody at Nokia.

kpaavola
27-01-04, 14:32
Apparently, people are busy out there. I got this email last night in my Inbox. I never sent it, so I immediately did a full system scan and found no viruses. It seems people are able to "use" your email address to send out viruses. I have no idea who the recipient was.

GROUP securiQ.Watchdog
Server: SMTP3
-----------------------------------------------------------------------

Your mail message contained attachments that are restricted from delivery
for security purposes. The restricted attachments have been disabled or
removed and will not function for the recipient.
-----------------------------------------------------------------------

Mail-Info

From: kspaav%40aol.com
To: robert.hofstra%40bunge.com
Rec.: robert.hofstra%40bunge.com
Date: 01/26/2004 06:53:25 PM
Subject: Mail Transaction Failed

-----------------------------------------------------------------------
file is denied: readme.scr

June Pelo
27-01-04, 16:34
I get mail like that, but my Norton's Anti-Virus program has caught them. My program is set to update continually so I've been very lucky so far. According to what I read in the paper, most of the viruses originate somewhere overseas.

June

sune
27-01-04, 17:16
I just read that the MyDoom virus was first detected in Russia, so it might have originated there, but who knows?

I have also seen an article in Aftonbladet.se that this virus is one of the nastiest ever. Not only does it multiply by using your address book. It also opens a "back door" in your Windows system which a hacker can then use to monitor everything you do with your computer and even use it himself. And it spreads very fast. So be careful out there.

Sune

kpaavola
27-01-04, 17:42
Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension. The From address is 'spoofed'.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Error
hello
HELLO
hi
Hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. An example of a Message Body used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

Data
Readme
Message
Body
Text
file
doc
document

Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.

When performing its mass-mailing routine, the worm finds destination e-mail addresses by searching files with the following extensions:

adb
asp
dbx
htm
php
sht
tbb
txt
wab

The worm is coded to stop spreading on February 12, 2004 (it will stop sending e-mails and spreading through KaZaA). However, even if the worm is executed after this date, it will still drop shimgapi.dll and activate the backdoor.

----- Make sure your virus programs are up to date -----
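The lure characteristics listed in this post (and the sample message quoted in Hasse's first post) are enough to build a simple mail-gateway screen of the kind that produced the "file is denied: readme.scr" notice earlier in the thread. The following is an added example, not code from the thread or from any antivirus vendor: the subject, body-phrase, attachment-name and extension lists are taken from the post, while the sample messages, the `quarantine` threshold and the `example.invalid` addresses are constructed for illustration.

```python
"""Heuristic screen for MyDoom-style lure messages (added example).

Indicator lists come from the forum post above; the sample messages,
sender/recipient addresses and the quarantine rule are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the post says the worm picks from (compared case-insensitively).
LURE_SUBJECTS = {"error", "hello", "hi", "mail delivery system",
                 "mail transaction failed", "server report", "status"}
# Fragments of the fake bounce bodies quoted in the thread.
LURE_BODY_PHRASES = (
    "has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
# Attachment base names and extensions listed in the post (.zip included).
LURE_ATTACHMENT_NAMES = {"data", "readme", "message", "body", "text",
                         "file", "doc", "document"}
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".pif", ".exe", ".scr", ".zip"}


def split_name(filename):
    """Return (stem, extension) lower-cased, e.g. 'Readme.SCR' -> ('readme', '.scr')."""
    name = filename.lower()
    dot = name.rfind(".")
    if dot <= 0:
        return name, ""
    return name[:dot], name[dot:]


def analyse(raw):
    """Parse a raw RFC 822 message and collect MyDoom-style indicators.

    Returns a dict with the lower-cased subject, attachment filenames,
    the list of indicators found and a constructed 'quarantine' verdict:
    any executable-type attachment, or two or more indicators, is held.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_text = ""
    attachments = []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content().lower()

    indicators = []
    if subject in LURE_SUBJECTS:
        indicators.append("lure subject")
    if any(phrase in body_text for phrase in LURE_BODY_PHRASES):
        indicators.append("bounce-style body")
    for filename in attachments:
        stem, ext = split_name(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            indicators.append(f"executable attachment {filename}")
        if stem in LURE_ATTACHMENT_NAMES:
            indicators.append(f"lure attachment name {filename}")

    executable = any(i.startswith("executable attachment") for i in indicators)
    return {
        "subject": subject,
        "attachments": attachments,
        "indicators": indicators,
        "quarantine": executable or len(indicators) >= 2,
    }


def build_sample(subject, body, attachment_name=None):
    """Construct a test message (the sender is a spoofed, constructed address)."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for the worm body; not a real binary.
        m.add_attachment(b"constructed placeholder attachment bytes",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Mail Transaction Failed",
                     "Mail transaction failed. Partial message is available.",
                     "readme.scr"),
        build_sample("hi", "see you at the meeting"),
        build_sample("Lunch on Friday?", "Are you free at noon?", "agenda.txt"),
    ]
    for raw in samples:
        result = analyse(raw)
        verdict = "DENIED" if result["quarantine"] else "delivered"
        print(f"{verdict:9s} subject={result['subject']!r} "
              f"indicators={result['indicators']}")
```

The third sample shows why a single indicator is not enough on its own: a subject of "hi" is common in legitimate mail, so the constructed rule only holds a message when an executable-type attachment is present or two independent indicators line up. In a real gateway the executable-extension check alone is the one worth enforcing unconditionally, which is exactly what the securiQ.Watchdog notice in the thread did.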