The current computer virus threat. **(updated late 1/28)**

[Dan Murphy]

http://www.msnbc.msn.com/id/4065701/

I did receive several of these Novarg emails yesterday, maybe 4 or so, but anti virus nailed them, no harm done. Just an FYI.


http://securityresponse.symantec.com/

http://us.pandasoftware.com/

http://www.microsoft.com/security/protect/default.asp

http://v4.windowsupdate.microsoft.com/en/default.asp

 

[iNTeNSeBLue98]

Our tech dept at work made us aware of these this morning. Thanks for the warning Dan.

 

[iluvdisney]

Thanks Dan - I hate those worm viruses.

 

[meeshi]

Wow, thanks Dan! I received an email this morning with the subject "hello" and I almost opened it, but wasn't sure who the sender was, so I just deleted it. I was tempted to open it... I'm really glad I didn't!

 

[TammyNC]

Thanks for the heads up. I haven't received anything so far, but will keep my eyes open. I have got to update my anti-virus software.

 

[KathyTX]

It doesn't harm anything if you open the email, but DO NOT OPEN THE ATTACHMENT!

And go update your virus scan definitions today! Right now!

 

[nativetxn]

YIKES, thanks for the heads up, Dan

 

[WilmaBud]

I received one of these messages today, but my anti-virus detected it. I don't get why people get their jollies doing things like this.

 

[Harley Chick]

Many thanks Dan. We received one of these messages this morning that was NOT contained by our anti-virus software (even though we updated definitions last night). Because of your post, I was able to alert my users, find the email, and delete it before the attachment was opened. It would have been a miserable day if that were to happen. Once again Dan the Man saves the day!

 

[FloridaCat]

Like always, you are on top of it. Thanks again

 

[Melora]

Jeff has gotten numerous "Hello" emails since yesterday. He never opens the attachments but he says you can tell when there is something not right because when you hover you pointer over the paperclip it doesn't tell you the name of the attachment and thats a BIG warning sign. He wouldn't open it anyway, he deletes the mail and then deletes it again from the "deleted messages" box.

I don't get ANY junk mail on my computer..I have no idea why but Im very glad!!

 

[Cruise04]

I got one today from someone that I even know. And the subject said Test. I opened the email but then I quickly found out not to open the attachment, which was a good thing!

 

[Rajah]

I got about 6 of them last night, including several "from" people I know, and my AV did *not* catch them yet. Guess what I'll be updating when I get home.

 

[JC2]

Thank you Dan!

 

[Dan Murphy]

With this one seemingly getting worse, though a bump might be helpful.

 

[mickeyfan1]

Especially for the reminder to update NOW. Even though my Norton does it weekly, I went ahead and did the live update, sure enough the Novareg (or what ever it's called) update was there. I have not gotten any of the hello, test, etc messages, and hopefully won't.

 

[IloveDMB]

I also had a couple of those e-mails. It was about a returned e-mail. I didn't understand. I changed my password, thinking that someone had gotten it. Now I see it was the virus thing.

Thanks for the heads up, Dan.

 

[Dan Murphy]

From MSNBC News

And from one of my anti virus services......

The Mydoom.A worm is causing one of the biggest
epidemics in computing history. Latest statistics indicate that one in every
twelve e-mails in circulation is carrying this malicious code. This figure
significantly exceeds that reached by Sobig.F (1 in every 17) last summer
and which, up until yesterday, was considered the fastest spreading virus
ever.

According to data collected by Panda Software's online antivirus, Panda
ActiveScan, Mydoom.A has infected six times more computers than Bugbear.B,
the second virus most frequently detected.

Similarly, it has been estimated that 300,000 computers worldwide, including
thousands of companies, have been infected by Mydoom.A.

Mydoom.A is designed to attack and saturate networks of any size. It also
creates a backdoor in the infected computers which could allow hackers to
steal or compromise key corporate data. Furthermore, according to the latest
data obtained by PandaLabs, this backdoor also allows a file to be dropped
on the affected computer, which when run, allows attacker to access network
resources.

Even if antivirus solutions are working correctly, blocking and cleaning
e-mail carrying Mydoom.A, it is recommendable to take other measures to
avoid the effects of this worm, as Mydoom.A can get into computer through
many different means, such as web mail downloaded directly to the mail
clients on workstations or laptops computers that sporadically connect to
the network and could be infected.

If this happens, the worm will be installed on the network, compromising
network security.

This is where firewall protection comes into play, as it controls
communication ports and prevents suspicious data from entering or leaving
the computer, and therefore, the use of the backdoor that Mydoom.A creates
on computers.

What's more, if the rest of the workstations do not have adequate antivirus
protection installed, the worm will spread rapidly across the network,
bringing it to a standstill, no matter how well protected the mail server
may be.

For this reason, Panda Software recommends network administrators to check
the following:

- Make sure that the antivirus protection in all the workstations and
servers across the company, and on mail servers in particular, is updated
and running.
- Supervise non-networked computers, such as laptops, which could connect to
the network.
- Make sure that the antivirus protection installed on servers and mail
servers is correctly configured. To protect against Mydoom.A, a good policy
to put in place is to delete any file with a .pif, .scr, .exe, .cmd or .bat
extensions, as well as any other file with a double extension. Similarly,
.zip files must be scanned and any zip files that contain executable files
should be deleted. These measures will vary depending on the needs of each
company, and therefore should be implemented with care and in line with the
corporate security policy.
- Monitor the firewall activity, and particularly ports 3127 to 3198, which
are those used by Mydoom.A to carry out its actions.
- Immediately disconnect from the network any computer suspected of being
infected by this worm and disinfect it. You can do this using the PQremove
utility that Panda Software offers all users free of charge at
http://www.pandasoftware.com/download/utilities
- Carry out a full scan of any computer that could have used an uncontrolled
wireless connection.
- Prevent users from downloading messages received through web mail to their
computers.

Panda Software has already made the updates to its products available to its
clients to ensure their solutions can detect and eliminate Mydoom.A. Even
though Panda Software's products can be automatically updated every day,
those whose software is not configured to update automatically, should
update their solutions from http://www.pandasoftware.com/.

Panda Software also offers users its free, online tool Antivirus Checker,
which will inform you of the protection status of your computer. This tool
specifies whether an antivirus is installed, which one and if it is updated,
and therefore keeping the computer safe from viruses. Antivirus Checker is
available at: http://www.pandasoftware.com/protected

Users can also detect this and other malicious code using the free, online
antivirus, Panda ActiveScan, which is available on the company's website at
http://www.pandasoftware.com/.

More detailed information on Mydoom.A is available from Panda Software's
Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia/.

Even though incidents caused by Mydoom.A.worm are
still on the rise, PandaLabs has already detected variant B of this worm:
Mydoom.B.worm.

This new variant is even more dangerous than its predecessor, as it is
designed to prevent several antivirus programs from updating correctly.
This, nevertheless, does not affect Panda Software antivirus solutions.

Like Mydoom. A, the new worm is designed to attack and saturate networks of
any size. To do this, it searches e-mail addresses in the Outlook Address
Book as well as in computer files with the extensions: .htm, .sht, .php,
.asp, .dbx, .tbb, .adb, .pl, .wab, .txt. Then, the worm uses its own SMTP
engine to send itself by e-mail. Mydoom.B.worm also spreads via KaZaA.

Mydoom.B.worm also modifies the Windows hosts file. By doing this, it
manages to redirect certain Internet addresses -including those of several
antivirus vendors - so that, when users try to access them, the Internet
browser shows an error message indicating that the page could not be found.
In this way, it prevents several antivirus programs from updating properly.

Unlike Mydoom.A, this new malicious code has been designed to launch DoS
(Denial of Service) attacks against the Microsoft Corporation servers.

Panda Software has already made the updates to its products available to its
clients to ensure their solutions can detect and eliminate Mydoom.B. Even
though Panda Software's products can be automatically updated every day,
those whose software is not configured to update automatically, should
update their solutions from http://www.pandasoftware.com/.

Users can also detect this and other malicious code using the free, online
antivirus, Panda ActiveScan, which is available on the company's website at
http://www.pandasoftware.com/.

Finally, the epidemic caused by the Mydoom.A worm shows no signs of
cooling. The number if infected e-mails that are in circulation is
continuously increasing, which means that the possibility of becoming
infected by Mydoom.A is still very high. Mydoom.A.worm has infected seven
times more computers than Bugbear.B, the second virus most frequently
detected by the online antivirus Panda ActiveScan.

Everything seems to indicate that the writer or writers of these two worms
aim at putting as many copies of their creations as possible in circulation.
In this way, on the dates when the denial of service attacks are set to
occur, there will be more possibilities for these to be successful.

Detailed technical information on Mydoom.A.worm and Mydoom.B.worm is
available from Panda Software's Virus Encyclopedia.

More detailed information on Mydoom.A.worm and Mydoom.B.worm is available
from Panda Software's Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia

 

[Twinks]

Help I am very concerned about this............

I opened an email that I was expecting with attachment. There were 2 attachments the mp3 and the same file name with zip on the end. I opened both as I was expecting it. The mp3 fine. The zip downloaded and when I went to where it was stored, it was the zip file and the notepad document. The notepad doc had my daughters name on the top, and was 1 line only of letters. The zip file when I clicked on it immediately said windows couldnt open it as it was possibly corrupted. At the same time my Norton AV came up from bar, but went down again before I could read it.

My Norton is updated and is the current 2004 AV, I have scanned twice and nothing. Also used McAffee which shows all files clean. However, clicked on the Panda link above this morning and it is showing me - guess what - page cannot be found. I have had about 8 virus emails sent but all have been deleted without opening. I wouldnt have opened this one if it wasn't something I was expecting.

For those of you that are far more computer literate than I, does it sound as though my AV caught it? I also have zone alarm pro. Situation also complicated by my email provider not supporting POP3 and zone alarm only scans attachments if you are POP3!

HELP!

 

[Dan Murphy]

Originally posted by Twinks
..However, clicked on the Panda link above this morning and it is showing me - guess what - page cannot be found......

Retry those now, Twinks. There was a period there in error.