
Thread: New viruses in circulation

  1. #1
    makpaolo (Veteran user)
    Join date: 08-05-2003
    Location: Brescia (province)
    Posts: 9,399

    I've received a report of 2 new viruses in circulation... be careful

    A new virus, MyDoom (also called Novarg by some vendors, Mimail.R by others), is erupting on the Internet right now. Network Associates received 19,500 copies of the virus from over 3,400 email addresses in a single hour Monday afternoon, an extremely high rate. MyDoom seems to have been launched today, around 1:00 PM Pacific Standard Time. The virus presents a well-worded message advising that its attachment was necessary because a technical error prevented normal email transmission, a more clever social-engineering ploy than the garden variety "Here, open this." Since this new virus carries a trojan, MyDoom might feel appropriately named to its victims.

    Distinguishing Characteristics
    A MyDoom e-mail spoofs its sender so that it appears to come from one of your friends, contacts, or a credible institution such as a bank or phone company. The Subject is randomized. So far we've seen the variations below:

    hi
    hello
    HELLO
    error
    Mail Delivery System
    Mail Transaction Failed
    Server Report
    status
    test
    Test
    Server Request
    MyDoom is so new that the anti-virus vendors have not compiled their list of variations at the time of this writing. There may be other Subjects we haven't listed. MyDoom's body is also random. So far we know of these three variations:

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    The message contains Unicode characters and has been sent as a binary attachment.
    Mail transaction failed. Partial message is available.
    We believe those credible bodies partly contribute to MyDoom's success. They certainly sound like legitimate errors and lead one to believe that the attached file could be the message that your e-mail client can't display. Don't fall for it!

    MyDoom uses random attachments that try to look like documents. It uses the following extensions:

    .exe
    .scr
    .pif
    .cmd
    .bat
    .zip <-- (The zip file contains an executable that looks like a document; e.g., doc.txt [lots of spaces] .exe)
    Although details are still developing, MyDoom starts like most viruses. If one of your users runs the virus' attachment, it starts by copying itself to his computer and adding registry entries to ensure that it can restart if your user reboots. It also harvests e-mail addresses from a number of different file types and sends itself to others.

    According to the latest breaking news, MyDoom also seems to spread through the popular Kazaa P2P, file-sharing application. Other reports indicate MyDoom is engineered to target SCO for a Denial of Service attack.

    Finally, MyDoom installs a backdoor by opening a connection on TCP port 3127. This could allow the virus author access to control an infected machine.

    This virus has spread so fast that the anti-virus vendors are still researching it. MyDoom's code is encrypted so it may take a while for the vendors to assess its true scope. We recommend you intermittently check McAfee's alert for the latest developments.

    Symantec:
    http://securityresponse.symantec.com...varg.a@mm.html

    and also
    Dumaru.Y and .Z: Zipped Picture Hides a Malicious Surprise
    26 January 2004

    About the Virus
    Two similar new variants of the Dumaru virus appeared on the Internet this weekend. The first Dumaru virus popped up last August, but did not spread enough to pose a serious threat. However, Dumaru.Y and .Z seem to have taken hold, probably because the virus payload travels as a compressed e-mail attachment. Such an approach may sneak past perimeter filtering, since most administrators allow .zip files to enter. If one of your users opens and runs Dumaru's zipped executable, the virus steals the victim's personal information and installs a back door that could allow the virus author full control of your user's computer.

    Distinguishing Characteristics
    Dumaru Y and Z always look the same. You'll recognize them easily:

    From: "Elene" FUCKENSUICIDE@HOTMAIL.COM

    Subject: Important information for you. Read it immediately !

    Body:

    Hi! (In a large, red font)

    Here is my photo, that you asked for yesterday.

    Attachment: Myphoto.zip <-- (This zip file contains another file called "Myphoto.jpg [lots of spaces] .exe")

    In order to execute the virus, one of your users must first open Dumaru's zipped attachment, then run the executable within. If the user runs the executable, Dumaru installs itself in various locations on the user's machine and creates registry entries so that it can restart upon reboot. It also finds e-mail addresses on your user's computer and sends itself to them, using its own SMTP engine.

    Next, Dumaru Y and Z contain malicious payloads. Both viruses log your user's keystrokes and monitor the clipboard. This allows the virus to gather sensitive data which might include passwords, credit card info, or proprietary information about your organization. The virus also monitors connections to egold.com in hopes of capturing user login information for that site. Dumaru e-mails all the data it gathers to the virus author's address, hardcoded within the virus.

    Finally, Dumaru installs a back door on your user's computer that listens on TCP ports 2283 and 10000. This allows the virus author to issue instructions to your user's computer, essentially giving the attacker full control of the machine.

    According to McAfee, Dumaru.Z differs from Dumaru.Y only in the size of its malicious payload and in that it downloads a spybot from a URL hard-coded within the virus.

    What you can do
    As always, remind your users never to open unexpected attachments from any source.

    Most major anti-virus vendors already have signatures that detect both Dumaru Y and Z. Check with your vendor for the latest update, and make sure you've installed it.

    Firebox II / III and Vclass owners should follow the steps below. The SMTP proxy can help.

    Suggestions for SOHO owners
    If you have a SOHO, your best bet to stop this worm is to get new virus definitions from your vendor. Don't open e-mail attachments unless they contain material you requested or expect. Scan e-mail attachments with your anti-virus software, and open them only if they prove clean.

    If you use Outlook as your e-mail client, you might also set up a rule (Tools => Rules Wizard) that deletes all e-mails having Dumaru's "From:" address, fuckensuicide@hotmail.com. This would be a tedious task for large networks because it has to be done at each machine, but administrators of small networks might feel the peace of mind from knowing your users won't have any opportunity to run Dumaru's executable is worth the extra labor.

    Suggestions for Firebox II / III owners
    The Firebox II and III's SMTP Proxy doesn't block .zip files by default. However, you can follow the steps below to block Dumaru's zip file either temporarily or permanently. Note: if a future variant of Dumaru uses a different file name, this specific setting will no longer block it.

    If you have an SMTP Proxy icon in the WatchGuard Policy Manager, double-click the icon, then go to Properties tab => Incoming => Content Types tab. Click the Add button and type myphoto.zip.

    If you don't have an SMTP Proxy icon in the WatchGuard Policy Manager, go to: Edit => Add Service => Proxies => SMTP => Add => OK. Then configure the proxy to block Dumaru.Y and Z by following the steps in the bullet point above.
    Suggestions for Vclass owners
    Your Vclass does not block .zip files by default. You'll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip the newest Dumaru's .zip attachment. This does not prevent your users from receiving any zip file that has a different name.

    If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks Myphoto.zip. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change "Category" to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type ZIP files as the new rule's name, and choose "Pattern Match." Next to Pattern Match, type Myphoto.zip and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure Dumaru Y and Z are blocked.

    Symantec:
    http://securityresponse.symantec.com...oval.tool.html
    If you stop learning and evolving you're dead inside
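As an added illustration (not part of the original thread or of the quoted alerts), here is a small Python checker that scans a raw e-mail for the indicators the two alerts list: the MyDoom subjects and body phrases, the Dumaru sender address, and an executable-looking attachment, including one hidden inside a .zip under a padded "document" name. The sample messages it builds are constructed for the demonstration, not real captures.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Indicators copied from the two alerts quoted in the post above.
MYDOOM_SUBJECTS = {"hi", "hello", "error", "mail delivery system", "mail transaction failed",
                   "server report", "status", "test", "server request"}
MYDOOM_BODIES = ("7-bit ascii encoding", "contains unicode characters", "mail transaction failed")
DUMARU_FROM = "fuckensuicide@hotmail.com"
RISKY_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat")  # also catches "doc.txt [lots of spaces] .exe"

def suspicious_names(filename, payload):
    """Executable-looking names among the attachment itself or the members of a zip attachment."""
    names = [filename]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return [filename + " (unreadable zip)"]  # cannot inspect it, so report it anyway
    return [n for n in names if n.lower().endswith(RISKY_EXTS)]

def scan_message(raw):
    """Return the indicators one raw RFC 822 message matches; an empty list means nothing found."""
    msg = email.message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in MYDOOM_SUBJECTS:
        hits.append("subject")
    if DUMARU_FROM in (msg.get("From") or "").lower():
        hits.append("from")
    for part in msg.walk():  # the multipart root has no filename and is not text/plain, so it is skipped
        fname = part.get_filename()
        if fname:
            hits += ["attachment:" + n for n in suspicious_names(fname, part.get_payload(decode=True) or b"")]
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
            hits += ["body" for phrase in MYDOOM_BODIES if phrase in body]
    return hits

def build_sample(sender, subject, body, zip_name, inner_name):
    """Constructed message shaped like the alerts describe; the zip member is dummy text, not a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed placeholder, not executable code")
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Feeding real mail through it means reading each message's raw bytes from the spool or mailbox and treating any non-empty result as a reason to quarantine, not just the attachment names the alerts happen to mention.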

  2. #2
    Guest

    This is a real virus, not the little piece of crap I made. From what I understand, if you don't touch the attachments it shouldn't work, right?

  3. #3
    makpaolo (Veteran user)
    Join date: 08-05-2003
    Location: Brescia (province)
    Posts: 9,399

    Quote originally posted by Tabboz
    if you don't touch the attachments it shouldn't work, right?
    exactly; anyway, for the first one it's advisable (if you have a firewall) to close TCP port 3127 as a precaution.
    If you stop learning and evolving you're dead inside

  4. #4
    Guest

    they've got some imagination with the ports.. one less than squid :)

  5. #5
    Guest

    imagination or not, they're just a pain in the @@ :?

  6. #6
    Guest

    What you're saying about attachments isn't correct.

    If the mail you receive is in HTML and you use Internet Explorer, the virus can launch itself automatically using the (very old) "iframe" exploit.

    Let's not even talk about it if you use a mail program like Outlook :?

    I have a good firewall, a good antivirus and I use Firebird.... never caught one of these viruses. And keep in mind that, since I study them, all my "Linux" friends send them to me when they find one.

    Today instead I received what my antivirus calls W95/Spaces.1445.B

    but it must be said that AntiVir always has its own names... oh well.

    Anyway, viruses aren't dangerous if you know how to handle them; on the contrary, they often offer very interesting solutions from the point of view of studying them.

    Think for example of polymorphic viruses: we owe to them the anti-reverse-engineering technique that makes it possible to create code that modifies itself at run time. It's considered one of the most secure and advanced techniques for software protection and in fact it derives precisely from viruses.

    As they say: what doesn't kill you makes you stronger :D

  7. #7
    Guest

    dumaru and novarg.... I find them in my mail every day (good thing they deactivate it for me.....)
    I hate these viruses that send themselves to addresses read from .htm and .txt files !!!!

    novarg then ... I got 5 of them, all infected, one of which even from my own e-mail address, and 2 sent to me in 7 bit and therefore unreadable

  8. #8
    Guest

    and this time too there's a $250,000 bounty on the creator's head

  9. #9
    Guest

    Quote originally posted by texilee
    and this time too there's a $250,000 bounty on the creator's head
    For that amount I'd turn myself in 8)

  10. #10
    Alessandro1 (Veteran user)
    Join date: 22-04-2003
    Location: Milano
    Posts: 2,483

    lol

  11. #11
    Guest

    I get 3-4 a day, yesterday I got my doom or whatever it's called...

    I opened the .zip attachment, inside there was a .scr file but I didn't open it, does it do anything?

    anyway I get e-mails telling me in English that I have viruses, could it be true?

    now I'll install 6-7 antivirus programs ahuuahuha

  12. #12
    Guest

    As Kevin says, "what you don't know can hurt you!"

  13. #13
    Guest

    well, SCO can afford it... also because until February 12 it seems this is true


    Other reports indicate MyDoom is engineered to target SCO for a Denial of Service attack.


