New [computer] virus hitting in-boxes (W32.Novarg.A)

CNET News.com ^ | January 26, 2004, 2:14 PM PT | Robert Lemos

[FourPeas]

Antivirus firms warned on Monday of a new mass-mailing computer virus that had gained a foothold in a large number of PCs by masquerading itself as an e-mail error.

The virus, dubbed MyDoom, arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test," or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

Antivirus firms were scrambling Monday afternoon to learn more about the virus, which started spreading at about 1 p.m. PST.

"A lot of the information is encrypted so we have to decrypt it," said Sharon Ruckman, senior director for antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

Antivirus firms are still analyzing the virus. Variations in the body text include, "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

The virus also seems to install another program on the victim's computer, but until the antivirus firms decrypt the program's code, the purpose of the file is unknown.

Mail systems that remove executable files from e-mails can stop the program from spreading.

More details to follow.

[FourPeas]

Discovered around 1pm today, it's already at a Level 4.

[martin_fierro]

FREE PC PROTECTION: (Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)

Alternative browsers: Mozilla Opera AVG Anti-Virus Free Edition: Free anti-viral protection Popup ad killers: Bayden Systems Popup Popper: Blocks popup ads well in MSIE Shoot the Messenger: Close that friggin' Messenger in Windows XP Spyware removers: Spybot S&D AdAware MailWasher: Good for pre-screening & bouncing SPAM Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall Test your firewall from without with ShieldsUP! Test your firewall from within with LeakTest

[Billthedrill]

We've been clobbered by it in Seattle - fortunately it's extremely easy to detect and remove before it hits the user's mailbox. We started getting thumped around 11:15 AM local time.

Couldn't get a new virus siggy on one of my servers so I called the principal customer. Turns out he turned the server off to avoid the virus. He was a student of mine in a SysAdmin class last year. Jesus wept.

[2Am4Sure]

The version that hit me contained a Zip file, not an executable.

[dfwgator]

Mail systems that remove executable files from e-mails can stop the program from spreading.

Also, having employees not stupid enough to open attachments will help too.

[FourPeas]

More information can be found at McAfee and Symantec.

[FourPeas]

Symantec just recently added the possibility of the .zip to its site within the past 10-15 minutes. I'm amazed how little information there is at Symantec's site.

[Uncle George]

I got it Sunday. It keeps sending "Mail failed" and "Daemon Mailer" messages out all over the world. I tried a anti-virus cleaner and they have almost stopped coming to my in-box. A scan says no virus detected detected now. (I hope).

[HighWheeler]

"Antivirus firms were scrambling Monday afternoon to learn more about the virus, which started spreading at about 1 p.m. PST."

Poor investigative skills on the part of the author.

Here's the correct version:

Antivirus firms [that created the virus] were scrambling Monday afternoon to learn more about [how much more revenue would be reaped due to] the virus, which started spreading at about 1 p.m. PST.

/sarc

[TheBattman]

Two options -

Don't be a blooming idiot and open unrecognized attachments...DUH!

or use a computer platform not subject to such stupid junk.....

[freeangel]

Saving for hubby

[FourPeas]

Mr. FourPeas is in IT Security at a Fortune 500 Company. The Director of Corporate Training [sic] opened the attachment on this worm. It came from an invalid internal e-mail address. It's now spewing itself around the corporate network and Mr. FourPeas is laughing hilariously at who introduced it.

[FourPeas]

New paragraph added to story:

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company had already shut down its e-mail gateway to stop the virus.

Ah... It's days like this that make me incredibly content that I'm an EX-geek.

[Not A Snowbird]

We've been clobbered by it in Seattle

Thanks for the heads up. Haven't seen it here at DHS yet, but our IT folks do a pretty good screening job.

[dfwgator]

The Director of Corporate Training [sic] opened the attachment on this worm. It came from an invalid internal e-mail address.

Wanna get away?

[tacticalogic]

The network at the San Diego school district is infected. I'm looking at the gutted carcass of one right now that came from their IP block.

[LayoutGuru2]

BUMP

[Lancey Howard]

Do you have any opinion about Webroot Spy Sweeper for identifying and removing spyware?

Thanks,
LH

[LayoutGuru2]

I received a copy of it in my Yahoo! Inbox at 2:48 p.m. today.

Norton AntiVirus (ran LiveUpdate about an hour ago) detected it.