Community Service Warning: What You Should Know About the Mydoom Worm


Jason Dunn
01-28-2004, 12:30 AM
http://www.microsoft.com/security/antivirus/mydoom.asp

"W32/Mydoom@MM spreads through e-mail. This worm can disguise the sender's address, a tactic known as spoofing, and may generate e-mail messages that appear to have been sent by Microsoft. Many of the addresses Mydoom uses are valid addresses that are being spoofed for malicious purposes.

Technical information about the virus is available from antivirus vendors participating in the Microsoft Virus Information Alliance (VIA). The Mydoom worm is also known by the names Novarg, Shimg, and Mimail.R.

If you ever receive a questionable e-mail message that contains an attachment, do not open the attachment. If you cannot confirm with the sender that the message is valid and that the attachment is safe, delete the message immediately. If you receive a questionable message that purports to be from Microsoft, you should be aware that Microsoft never distributes software through e-mail."

rugerx
01-28-2004, 12:34 AM
You may also receive a bounce back that the email "you" sent was rejected due to virus.

This does not mean your system sent it. The spoofing involves the virus extracting email addresses from users' address books (which may contain your email address, i.e. a friend has you in contacts) and then sending multiple emails on your behalf without ever asking you!

Nasty indeed.

Iznot Gold
01-28-2004, 12:54 AM
Wow, after reading this I checked with my anti virus supplier and in the time it took me to read the info on the worm, the reported incidences had increased four-fold in the UK! 8O
Regards
David

Jonathan1
01-28-2004, 01:16 AM
hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them and my filters are setup to ax any HTML e-mails. All my contacts know this. So it's not a problem for me. Thanks anyways. :)

Jason Dunn
01-28-2004, 01:17 AM
> hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them and my filters are setup to ax any HTML e-mails. All my contacts know this. So it's not a problem for me. Thanks anyways. :)

Why? You obviously have the knowledge to know what to open and what not to open, so why the extreme measures that destroy valid HTML communications?

Godsongz
01-28-2004, 01:18 AM
I had over 800 copies of this worm emailed to addresses at my company today. The odd thing was, many of them were sent to addresses that didn't exist. I think the worm, after grabbing a valid address @suchinsuch.com, is also sending messages to common names @suchinsuch.com. I saw lots of first names in these bogus addresses, like bob@, susan@, david@, frank@, etc etc etc... my company doesn't use that scheme.

denivan
01-28-2004, 01:23 AM
> I had over 800 copies of this worm emailed to addresses at my company today. The odd thing was, many of them were sent to addresses that didn't exist. I think the worm, after grabbing a valid address @suchinsuch.com, is also sending messages to common names @suchinsuch.com. I saw lots of first names in these bogus addresses, like bob@, susan@, david@, frank@, etc etc etc... my company doesn't use that scheme.

Indeed, a client of mine went crazy because of all the inbound failure notices he got from the virus that was sent to george@... , maria@ .... etc.

Normally inbound notices are helpful; you would be surprised how many people type an e-mail address wrong, so an inbound failure can tell who tried to contact whom within the company. But I decided to automatically delete all inbound failure messages until this blows over... any ideas on a better way to solve this?

Kind regards,
Ivan

Jason Dunn
01-28-2004, 01:27 AM
> Normally inbound notices are helpful; you would be surprised how many people type an e-mail address wrong, so an inbound failure can tell who tried to contact whom within the company. But I decided to automatically delete all inbound failure messages until this blows over... any ideas on a better way to solve this?

Between viruses and spammers hijacking domains to use as return addresses, inbound notices have become drastically less useful. When a spammer stole my domain name (kensai.com) and started using it as a domain for fake return addresses, I started getting 50+ bounce messages every day, because my domain is set to forward ALL email to me (a blanket forward). I've since had to change that because of the damn spammer...
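Ivan asked above for something better than deleting every inbound failure notice. One workable rule is to keep a bounce only when the returned message carries a Message-ID that our own mail server actually issued; a bounce for a message we never sent is backscatter from a spoofed sender. The script below is an added example, not code posted by anyone in this thread. The sent log, the domain ourcompany.example and all four sample bounces are constructed for the demonstration; in production the set of issued Message-IDs would be fed from the MTA's outbound log.

```python
"""Backscatter filter for a flood of bounces caused by a spoofed sender.

Added example, not code from any poster.  A failure notice is kept only
when the returned original carries a Message-ID our own MTA recorded when
it sent the message.  A bounce for a message we never sent is dropped; a
bounce that quotes no Message-ID at all is reported as unverifiable so a
human can decide.  Sent log and sample bounces are constructed.
"""
import email
import re
from email import policy

# Constructed stand-in for the MTA's outbound log: Message-IDs we really issued.
SENT_LOG = {"<20040128.1001@ourcompany.example>"}

# "Message-ID: <...>" lines inside the quoted headers of the returned message.
MSGID_LINE = re.compile(r"(?im)^message-id:\s*(<[^>]+>)")


def is_bounce(msg):
    """Heuristic: a DSN content type, or a mailer-daemon / postmaster sender."""
    sender = str(msg.get("From", "")).lower()
    return (msg.get_content_type() == "multipart/report"
            or "mailer-daemon@" in sender or "postmaster@" in sender)


def returned_message_ids(msg):
    """Collect Message-IDs of the returned original from rfc822 parts and text bodies."""
    ids = set()
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            for inner in part.get_payload():        # the attached original message
                mid = inner.get("Message-ID")
                if mid:
                    ids.add(str(mid).strip())
        elif part.get_content_maintype() == "text":  # MTAs that quote headers as text
            ids.update(m.group(1) for m in MSGID_LINE.finditer(part.get_content()))
    return ids


def classify_bounce(raw, sent_log=SENT_LOG):
    """Return 'keep', 'drop', 'unverifiable' or 'not-a-bounce' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    ids = returned_message_ids(msg)
    if not ids:
        return "unverifiable"
    return "keep" if ids & sent_log else "drop"


# Constructed: a real failure for a message we sent to a mistyped address.
REAL_BOUNCE = b"""From: MAILER-DAEMON@partner.example (Mail Delivery System)
To: ivan@ourcompany.example
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

<jon.smiht@partner.example>: user unknown

------ This is a copy of the message headers ------
From: ivan@ourcompany.example
To: jon.smiht@partner.example
Message-ID: <20040128.1001@ourcompany.example>
Subject: Invoice
"""

# Constructed: backscatter; the worm put our address on a message we never sent.
BACKSCATTER = b"""From: postmaster@somewhere.example
To: george@ourcompany.example
Subject: Delivery failure
Content-Type: text/plain

Your message to frank@somewhere.example was rejected: virus detected.

Returned headers:
From: george@ourcompany.example
To: frank@somewhere.example
Message-ID: <x7k2q9@infected-pc.example>
"""

# Constructed: a failure notice that quotes nothing we can check.
BARE_BOUNCE = b"""From: MAILER-DAEMON@elsewhere.example
To: maria@ourcompany.example
Subject: Returned mail
Content-Type: text/plain

Your message could not be delivered.
"""

# Constructed: ordinary mail; must never be treated as a bounce.
NOT_A_BOUNCE = b"""From: colleague@partner.example
To: ivan@ourcompany.example
Subject: Re: Invoice
Content-Type: text/plain

Got it, thanks.
"""

if __name__ == "__main__":
    for label, raw in [("real", REAL_BOUNCE), ("spoofed", BACKSCATTER),
                       ("bare", BARE_BOUNCE), ("normal", NOT_A_BOUNCE)]:
        print(label, "->", classify_bounce(raw))
```

The same idea is what BATV later standardised: tag the envelope sender so that bounces to untagged addresses can be rejected at the SMTP level instead of parsed after delivery. Either way the legitimate "user typed the address wrong" notices Ivan values survive, and the worm-generated ones do not.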

Janak Parekh
01-28-2004, 01:47 AM
> Why? You obviously have the knowledge to know what to open and what not to open, so why the extreme measures that destroy valid HTML communications?
I think it just boils down to the fact that people are very polarized about the concept of HTML email. ;)

--janak

Air
01-28-2004, 01:54 AM
people who use HTML to write email should be prohibited from reproducing. Instant castration I say.

Jason Dunn
01-28-2004, 02:00 AM
> people who use HTML to write email should be prohibited from reproducing. Instant castration I say.

:razz: HTML is a tool, like any other tool, and it can be used properly and improperly. Blame the user, not the tool.

Mark Kenepp
01-28-2004, 02:16 AM
> hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them and my filters are setup to ax any HTML e-mails. All my contacts know this. So it's not a problem for me. Thanks anyways. :)

There have been a few viruses that got past our Exchange Server by hiding the virus in a zip archive (this Novarg is one of them). It still must be opened and executed by the end user but if the average corporate user is like those I support in my office, it will be. :frusty:

sponge
01-28-2004, 02:18 AM
This virus is supposed to DOS www.sco.com starting Feb 1, and it'll stop spreading Feb 12.

Where's the harm in it again? *drum shot*

By the way, can this even be considered a worm? The user specifically has to run it.

As far as HTML mail, in this case, I haven't seen any useful use for it, besides making my e-mail client think while it loads up the HTML controls.

Jason Dunn
01-28-2004, 02:24 AM
> As far as HTML mail, in this case, I haven't seen any useful use for it, besides making my e-mail client think while it loads up the HTML controls.

You sound like the type of person who, back in the days of black and white TV, said "Why would anyone ever need to have TV in colour?"

HTML allows a richer communications experience with the reader, period. That's a good thing no matter what, even though some will abuse it. Just like TV, the medium and the message are different, and you can't blame one because of the other. Just look at all the crap on TV today. ;-)

Dave Potter
01-28-2004, 02:31 AM
Hmmmm - I received a rather bogus looking email from Microsoft about 2 weeks ago and my antennae immediately went up. Alarm bells went off in my head etc.

I knew as soon as I laid eyes on it that Microsoft does not send out software via emails. So I deleted it and warned everyone I know.

I wonder if it is the same virus that's going around now? If so, then it's been around a little longer than previously thought.

sponge
01-28-2004, 02:41 AM
It's not that I don't see anyone needing HTML mail, but I personally haven't seen a non-abusive use of it yet. Myself, I haven't seen a big advantage yet that'll make me drop using text-only just yet.

It's not the same one with the false MS security alert, that one is pretty old. This one has a bunch of generic subjects, some involving servers in my case, and little to no body.

This site has all the details you'll ever need: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R&VSect=T - I rely on this site for my virus info, they have more indepth details than you'll ever want.

klinux
01-28-2004, 02:41 AM
> hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them and my filters are setup to ax any HTML e-mails. All my contacts know this. So it's not a problem for me. Thanks anyways. :)

The bad thing about your e-mail filtering rule is, in addition to what Jason has already mentioned, that the people who are not in your contact list (old friend who looked you up, someone who changed their e-mail, etc) can easily be caught in it.

Check this informal study: http://www.informationweek.com/story/showArticle.jhtml?articleID=17300016.

HTML e-mail is not the problem. It is how people (senders, really) are using it that is the problem.

Ed Hansberry
01-28-2004, 03:20 AM
> hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them
It is a zip file with an EXE in it.

Ed Hansberry
01-28-2004, 03:23 AM
> I think it just boils down to the fact that people are very polarized about the concept of HTML email.
Yup. 2 kinds of people on HTML email.
1) Those that hate it
2) Those that should hate it. :lol:

Ed Hansberry
01-28-2004, 03:29 AM
> HTML e-mail is not the problem. It is how people (senders, really) are using it that is the problem.
THAT is the problem. HTML web pages have to be visited and are not at all effective in spreading viruses. Email just has to be opened and if you are like me, you just open one email then start with the "next" arrow to read. If you have an older client/OS, you will just get bitten. :-| Outlook 2003 is really good at blocking that stuff. Agent is even better. It converts it to text. :D

Gerard
01-28-2004, 04:09 AM
I think to date I've had about 50 copies of this virus aimed at me. At first I replied to the senders, only the ones I actually know, with some basic advice on things they could do to prevent future attacks such as this. I also expressed my sympathies.... but it seems now that few or none of them actually got infected, that they might just happen to know someone else I know who used their address as a synthetic From field. That stinks. Still, none of the folks I emailed the advice to have replied, making me think they are experiencing some form of viral interruption of communications.

I use nPOPw. I download only the first 300 lines of every email, unless I actually want the thing, in which case I mark it for download and update to marked condition whenever I feel like it. No virus ever comes to me unless I want it (which I have on occasion, for testing the utility of various useless PPC-based AV softwares, none of which have ever spotted a saved virus for me). That's precaution number one.

Everyone with a PC or PPC can use nPOP, but of course not everyone wants to, or more likely hardly anyone knows about this great freeware. So, next I offer the basic advice about settings in Outlook, such as that automated 'Mark As Read in Preview Mode' nonsense - not something this particular bug is using, but a good thing to disable anyway. And security settings should be set properly, as well as just never opening anything at all suspicious...

Lastly I keep telling people to get the one decent AV software I know for certain is always updated fastest when there's a new virus; AVG. The freeware version is great, very easy to use and non-intrusive in practice, offers scanned tagging in Outlook and Outlook Express to satisfy recipients, and the definition downloads for the current version are cumulative, not wholesale, making for painless downloads. The pro edition is fairly cheap, and offers great advanced tools as well as full support service. I don't need that, as the freeware version is perfect for a single user. Automated updates make this really a no-brainer: GET GRISOFT, breathe a lot easier.

Now, what kind of a lame-ass goes around writing this sort of virus? I heard on the radio this afternoon that they'd tracked the target to a US software company, that the author was apparently aiming to kill that one company's systems. Is that so? Why? Did they fire the little brat and now he's taking out his tantrum on the world at large? Pathetic.

sponge
01-28-2004, 04:46 AM
> Now, what kind of a lame-ass goes around writing this sort of virus? I heard on the radio this afternoon that they'd tracked the target to a US software company, that the author was apparently aiming to kill that one company's systems. Is that so? Why? Did they fire the little brat and now he's taking out his tantrum on the world at large? Pathetic.

They're going after SCO, who are basically proposing war on Linux. They're extorting $699 for a Linux licence, because they claim their Unix System V code is in the kernel, however they haven't provided any proof of it yet, but still are firing lawsuits left and right at IBM, etc, as a last hope before bankruptcy. That's the gist of it.

Janak Parekh
01-28-2004, 05:50 AM
> They're going after SCO, who are basically proposing war on Linux. They're extorting $699 for a Linux licence, because they claim their Unix System V code is in the kernel, however they haven't provided any proof of it yet, but still are firing lawsuits left and right at IBM, etc, as a last hope before bankruptcy. That's the gist of it.
Not necessarily. A number of Slashdot posters commented that the whole SCO DDoS attack might be a huge distraction, pointing out that the virus gives a backdoor to the machine...

--janak

Gerard
01-28-2004, 06:29 AM
So supposedly some Linux fan is attacking everyone in the world who uses a PC, just to get at a company which is attacking Linux? Whoa, that's uncool if true. I thought using Linux was akin to using a Mac, it sort of implies a 'brotherhood of man' æsthetic, a code of conduct which embraces everyone and seeks to help one's fellow man. Guess not. Of course, it's not solved yet, so maybe there's hope for Linux-kind once all this gets figured out.

sponge
01-28-2004, 06:34 AM
Janak: Haven't seen any solid truths to that yet, though the theory is sound. Maybe I'll tear one apart myself and take a look at it, though I have a feeling if the backdoor were to be found, it would've been already. Whoops, they did find one. Opens a port that allows file transfers to execute. Might want to block ports 3127 to 3198 to stop it from setting it up.

Gerard: Who's to say it's an obsessed Linux fan? It's just as likely a Linux user as it is someone who wants to give Linux a bad name, or someone who hates corporate abuse, or anything.
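For anyone who wants to check a machine for the listener sponge mentions, the script below parses `netstat -an` output for TCP sockets in LISTENING state on ports 3127 to 3198 and can also probe those ports on the local host. This is an added example, not code from any poster; the netstat text embedded in it is constructed, and the 3127-3198 range is taken from the thread. A listener in that range is a lead to investigate, not proof of infection, since other software may legitimately use those ports.

```python
"""Look for a TCP listener in the port range cited in the thread.

Added example, not a poster's code.  find_suspect_listeners() parses
Windows-style `netstat -an` output; probe_local_ports() tries a TCP
connect to each port on the local host.  SAMPLE_NETSTAT is constructed.
"""
import re
import socket

SUSPECT_PORTS = range(3127, 3199)   # 3127..3198 inclusive

# Matches lines such as "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING".
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

# Constructed sample output; note that 3128 appears only as an outbound
# ESTABLISHED connection and must not be reported.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1068      10.1.1.1:80            ESTABLISHED
  TCP    192.168.1.20:3128      10.0.0.5:4455          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def find_suspect_listeners(netstat_output, ports=SUSPECT_PORTS):
    """Return (local_address, port) for every LISTENING TCP socket inside `ports`."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) in ports:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def probe_local_ports(ports=SUSPECT_PORTS, host="127.0.0.1", timeout=0.2):
    """Return the ports in `ports` that accept a TCP connection on `host`."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


if __name__ == "__main__":
    print("from sample netstat:", find_suspect_listeners(SAMPLE_NETSTAT))
    print("open on this host:", probe_local_ports())
```

On a real machine, pipe `netstat -an` into the parser or run the probe; then identify the owning process (for example with `netstat -ano` on Windows XP) before deciding anything, and compare against the antivirus vendor's write-up linked earlier in the thread.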

juni
01-28-2004, 06:43 AM
I've got around 50 of these + a number of bounces. There is no point in informing the sender that they sent it since the virus will choose randomly from the infected user's contacts and select one as the "from" and another one as the "to" address = 99% the email did not come from the address in the "from" field. If you do that you'll just increase the unnecessary traffic caused by the virus.

Now, I wish everyone would run some sort of antivirus software like Norton and keep the virus definitions up to date and if not, at least leave attachments unopened. This one is tricky, since it appears as if the attachment is just a *.txt file - which it is not.

Here, lets give the worm what it deserves:

:snipersmile: :devilboy:

sponge
01-28-2004, 07:14 AM
The icon is that of a text file, and they probably use the same old file.txt.pif tricks, but in either case, it should be pretty easy to determine which is a text file, and which is the virii.
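The two tricks juni and sponge describe (a text-file icon on an executable, and double extensions such as file.txt.pif) are easy to check for mechanically, as is Mark's point that the executable may be wrapped in a zip. The script below is an added example, not code from any poster, and the message it builds is constructed: the sample attachment names, the address example.com and the extension lists are assumptions chosen to exercise the checks, not indicators taken from the worm itself.

```python
"""Attachment triage for the lures discussed in this thread.

Added example, not code from any poster.  Flags executable extensions,
double extensions such as 'file.txt.pif' (possibly padded with spaces so
the real extension scrolls out of view), and ZIP archives that contain an
executable.  The sample message is constructed inline.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed list; extend as needed).
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions a lure pretends to carry.
DECOY_EXTS = {".txt", ".doc", ".htm", ".html", ".jpg", ".gif", ".pdf", ".zip"}


def classify_name(name):
    """Return the reasons a filename is suspicious (empty list if none)."""
    reasons = []
    lowered = name.lower().strip()
    pieces = [p.strip() for p in lowered.split(".")]
    if len(pieces) < 2:
        return reasons
    ext = "." + pieces[-1]
    if ext in EXEC_EXTS:
        reasons.append("executable extension " + ext)
        inner = "." + pieces[-2] if len(pieces) >= 3 else ""
        if inner in DECOY_EXTS:
            reasons.append("double extension: looks like %s, runs as %s" % (inner, ext))
    if "  " in lowered or "\t" in lowered:
        reasons.append("whitespace padding in filename")
    return reasons


def inspect_zip(data):
    """Return the names of suspicious members inside a ZIP attachment."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found = [m for m in zf.namelist() if classify_name(m)]
    except zipfile.BadZipFile:
        found = ["<unreadable archive>"]
    return found


def triage(raw_message):
    """Parse a raw message; return {filename: [reasons]} for suspicious attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_name(name)
        payload = part.get_payload(decode=True) or b""
        # Look inside archives by name or by the PK local-file-header magic.
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            inner = inspect_zip(payload)
            if inner:
                reasons.append("archive contains " + ", ".join(inner))
        if reasons:
            verdicts[name] = reasons
    return verdicts


def build_sample():
    """Construct a message shaped like the lures in the thread (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "test"
    msg.set_content("test")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt                .scr", b"MZ constructed, not a real executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="readme.txt.pif")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Run against a mailbox, the real `.txt` attachment passes and the other two are reported. The name check deliberately inspects the last extension rather than the icon, because the icon is whatever the executable's resource section says it is.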

SD-Realtor
01-28-2004, 09:01 AM
Yeah, I got it first from my manager - so I thought it was legit. I got tagged. I'm always so careful too, but I was kinda tired and not paying enough attention so I fell for it! Luckily my Norton told me that my Outlook was trying to send out messages (to those in my contacts), so I was able to get off line immediately before it sent any and I cleared the virus. I had to get the latest Norton update from a different computer, put it on a usb drive, and transfer it to my computer that way. I couldn't simply download the virus update from the web on my computer - even if my Outlook was closed, if I was online it would try to send out the messages. The way they write the virus, you don't even know you sent them out - as no extra messages show up in your sent message folder.

Once I do a full scan and get rid of the virus, I have nothing to worry about, right? I've never been hit before, so this is a bit new to me. As basic as it sounds, I'm just glad I have anti-virus software!

bdegroodt
01-28-2004, 02:47 PM
FWIW (and not to throw any gasoline on the fire), but I love the PPC weekly HTML email updates. :D

quidproquo
01-28-2004, 02:53 PM
> FWIW (and not to throw any gasoline on the fire), but I love the PPC weekly HTML email updates.

I can second that ! I think HTML messages are great. They are RICH and vibrant and make a reader want to look all over for what ever special things the email holds.

Again, don't blame the masses for a few abusers. That would be like taking all cars away from people because you have a few reckless and/or drunk drivers.

Jonathan1
01-28-2004, 03:06 PM
> hehe. My e-mail client is setup to auto strip any executable attachments before I even touch them and my filters are setup to ax any HTML e-mails. All my contacts know this. So it's not a problem for me. Thanks anyways. :)

> Why? You obviously have the knowledge to know what to open and what not to open, so why the extreme measures that destroy valid HTML communications?

There is nothing that has to be communicated to me that can't be done in RTF. The possible formatting and linking options available with html do not outweigh the possible security hazards that IE has. I'd rather be 100% confident when I open up an e-mail that there isn't a possible exploit sitting in it waiting for me. That and very close to 100% of spam is now formatted in HTML. I only get 1 or 2 e-mails that slip by that filter every few weeks and those are picked up via my spam filter. As I said before everyone who knows me knows that I don't do HTML. It's not worth the potential trouble.

PS- The e-mails aren't actually deleted but filtered into an alt folder labeled HTML. Once a month I go through the list and clean it out.

axe
01-28-2004, 03:14 PM
I cannot believe the people who see their own name in the Sender field and think "Hmmm I didn't send myself a ZIP file, but maybe I should open it and RUN the file it contained!":twak:
C'mon... I know I'm a geek and I'm in tech support for a company that is not an IT business, but those people should give their head a shake! Opening an email that looks like you sent yourself, seeing it has an attachment, and opening and running it!
We have had lots of people infected at our company because the DAT was late posting at McAfee and the update could have been better handled by our IT dept (I am part of that group too), but you can only protect people from themselves so much.
So I'm off to battle bugs again today...
Please have a good VIRUS-FREE day.
AXE

Gerard
01-28-2004, 07:56 PM
Speaking of HTML abuse... am I the only one who gets Microsoft's Mobile Newsletters in Hotmail, and finds the 'mobile' Hotmail totally useless for reading these things? It's like they haven't even got the most basic of clues as to how Mobile MSN appears in Pocket IE! I see a pile of 'links' which are just dozens and dozens of URLs, with no <a href=http://etcetera... > nor </a>, just < and > symbols. Totally lame. There's just no way I'm going to waste my time manually copying and pasting all those links into a new PIE window (something I can only do thanks to MultiIE or ftxPBrowser, no thanks to Microsoft). I just delete the damned things. I've tried unsubscribing repeatedly from these pseudo-HTML mailouts, but apparently Microsoft doesn't honour such requests.

Most, probably 98% or more, of the HTML-formatted email I get is spam. The odd thing I get that's legit I just save as HTML in nPOPw and open in PIE. No big deal there. Of course, I'd rather just have plaintext and attachments, but some users are too ignorant of how to configure Outlook or whatever to even realise that they are sending in HTML. I'd guess that accounts for almost all the legitimate HTML I receive; kids in the family who don't know about such options, or who get a kick out of making custom backgrounds for their messages. My niece and my own kid both just love the latter, competing with each other constantly for the coolest email background paintings. It's fun for them, but a bit painful at our end over dialup. My kid saves hers as GIF files whenever they don't cost her any detail, making for the odd irony that my niece receives rather small emails over her broadband connection, and we get 400KB backgrounds over dialup in BMP format. Kids.

Email and plaintext, for serious communications (not kids having silly fun or salesmen desperately trying to grab a customer's attention), is just the only way I respect. HTML is a toy, something lacking the simple authenticity of the well-written word. Attach a PDF or send a link to an online HTML doc if more presentational control is needed. Anyone with the savvy to write a proper HTML doc should obviously understand the basics of FTP too, and it's just handier for the recipient in many cases to click/tap on the link at their leisure, rather than having to stare at the screen while huge email laden with images arrives, no idea what's coming, just waiting... Of course, with nPOPw I don't worry about that, what with previews and all :)

bjornkeizers
01-28-2004, 10:39 PM
So far, I haven't had a single one.. either Hotmail is doing an exceptionally good job filtering out this crap, or those little notes I send to people who send me virii [backed up by the cattleprod] seem to have had the desired effect.

aroma
01-29-2004, 01:28 PM
> So far, I haven't had a single one.. either Hotmail is doing an exceptionally good job filtering out this crap, or those little notes I send to people who send me virii [backed up by the cattleprod] seem to have had the desired effect.

Actually, the virus purposely avoids hotmail.com (among others) addresses. It won't send to them.

- Aaron

Janak Parekh
01-29-2004, 04:40 PM
Weird. 8O Maybe the author uses a Hotmail account? :lol:

--janak

aroma
01-29-2004, 04:54 PM
What I thought was weird was that it also excludes some university addresses as well, such as rutgers.edu and stamford.edu. Weird.

- Aaron