New Virus Running Novarg Worm


Brett_Tabke

12:49 am on Jan 27, 2004 (gmt 0)

Herenvardo

10:01 am on Jan 27, 2004 (gmt 0)

10+ Year Member



When will people learn?
Never double-click an unknown attachment!
Simply download it and drag it to the program it's supposed to be opened with, and it won't be able to exe; it will only be read. And if the file is not run, it cannot attack!
Other way to keep safe: once again, using Linux or any non-DOS system. These systems are not able to run an .exe by themselves, and if they call an emulator, you shall be advised. And even so, if the file runs under a non-DOS system, I don't believe it will be able to put anything in the "windows system folder" XD

Greetings,
Herenvardö

grahamstewart

10:44 am on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Simply download it and drag it to the program it's supposed to be open with, and it won't be able to exe, only will be read.

This will NOT protect you from all viruses.

Some viruses (for instance Word macro viruses) want you to open them in the "program it's supposed to be opened with" - that is how they spread.

dirkz

12:09 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> maybe if someone who was infected and had your email address in their address book

The virus/attacker uses all kinds of <firstname>@example.com. I see names I've never ever sent an email from.

Obviously it tries to vary the senders found in an address book.

Rubylily

12:12 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



I've been getting hammered with them over the past hour or so now here in the UK. Also getting swamped with scores of Mail Undeliverable messages, my domain is being used for the spoofing, about which I am seriously p'd off...

spud01

12:27 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



W32.Novarg.A@mm is a Category 4 mass-mailing worm which arrives with a .bat, .cmd, .exe, .pif, .scr, or .zip attachment.

Well, I'm glad I set up Exchange to filter those attachments out, among others.
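Added example, not code from spud01's post or from any mail server or AV vendor: a Python filter that applies the extension list from the Symantec description (.bat, .cmd, .exe, .pif, .scr, .zip) to every MIME part of a raw message, and for a .zip attachment also reports which archive members carry one of those extensions. The sample message, its addresses and the attachment bytes are constructed placeholders, not real worm data.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions named in the Symantec description quoted in this thread.
BLOCKED_EXTENSIONS = (".bat", ".cmd", ".exe", ".pif", ".scr", ".zip")


def blocked_extension(filename):
    """Return the blocked extension a filename ends with, or None."""
    name = (filename or "").lower().strip()
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def executables_inside_zip(data):
    """List archive members whose names carry a blocked extension; an
    unreadable archive is reported rather than silently passed through."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if blocked_extension(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def find_blocked_attachments(raw_message):
    """Walk every MIME part of a raw message and report the attachments an
    extension filter like the one described above would strip."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        ext = blocked_extension(filename)
        if ext is None:
            continue
        reason = "blocked extension " + ext
        if ext == ".zip":
            inner = executables_inside_zip(part.get_payload(decode=True))
            reason += "; archive contains " + (", ".join(inner) if inner else "no blocked names")
        findings.append((filename, reason))
    return findings


def build_sample_message():
    """Constructed test message (hypothetical addresses); the attachment
    bodies are placeholder bytes, not programs."""
    msg = EmailMessage()
    msg["From"] = "joe@example.com"
    msg["To"] = "webmaster@example.net"
    msg["Subject"] = "hi"
    msg.set_content("test")
    placeholder = b"constructed placeholder bytes, not a program"
    msg.add_attachment(placeholder, maintype="application",
                       subtype="octet-stream", filename="document.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.scr", placeholder)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="data.zip")
    msg.add_attachment("just notes", filename="notes.txt")  # harmless, must pass
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in find_blocked_attachments(build_sample_message()):
        print(f"strip {name}: {why}")
```

The check is on the declared filename only, which is what the gateway filters in this thread key on; a renamed executable inside a .zip is still caught because the archive listing is inspected, but a filter of this kind is a policy stop-gap and does not replace a scanner that looks at the bytes.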

conor

1:00 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Getting hammered here in Spain, but our AV protection is holding up.

johnser

1:10 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Started getting hammered here in UK at midnight Monday.
AVG Anti <seems> to be catching them.

Many emails are coming to address@mydomain.com - yet the only place that this email appears is in the message header of emails we send & I think about 5 have been sent in total with that address so why might that domain be getting hammered?

All clues welcome :)
J

Fearless

1:36 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



Or...

Get a Mac.

creepychris

1:57 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



I started receiving these on January 24th. At first they didn't have the virus payload...just a subject of 'hi' or 'hello'. It was only since yesterday that the virus was attached.

What gets me is why I get all of these returned e-mails when the sender (my address or domain) has been spoofed.

weblamer2

2:00 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



Well, everyone here seems to have caught it, but anyone know what kind of damage it does yet?

I have a manager here who runs the mail on the night shift.. I just KNOW he is going to click on it.. he just cannot resist.. I hope the virus software he has caught it, or I am going to do some mopping up today. (sigh)

woop01

2:25 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Get a Mac.

Isn't that like shooting yourself in the head for a runny nose?

;)

grandpa

2:28 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What luck... Over the weekend I did an upgrade from W98 to W2KPro. It didn't go well at all.. the SP4 update crashed right toward the end. My NAV application has been dead in the water - can't remove the old one, can't install the new one - sigh! Printer drivers are all messed up....

So an online virus check is turning this thing up all over my system. The boss says he didn't open anything in the mail, but let's see... yes, I went to bed yesterday long before this thing started to hit, and I found tons of infected mail this morning... some of them already opened.
Oh well, looks like Monday all over again.

Thank goodness I'm not the paranoid type, I might be feeling like someone was out to ruin my day :)

grandpa

pendanticist

2:28 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Damage? According to the article posted by Brett:

McAfee calls theirs "W32/Mydoom@MM"

Remote Access Component

The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127 (if that fails it opens the next available port up to port 3198). The worm can accept specially crafted TCP transmissions. On receipt of one such transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.

Denial of Service Payload

On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.

Symantec calls theirs "W32.Novarg.A@mm"

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 thru 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

The worm will perform a DoS starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

Are we talking about two, or one?
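Added example, not from pendanticist's post or from either vendor write-up: both descriptions agree that an infected machine ends up listening on a TCP port between 3127 and 3198, which is something an admin can check for with `netstat -an` on each box. The Python below parses netstat-style output (Windows and Linux line formats) and reports listening TCP ports in that range. The netstat text is constructed sample output, not a capture from a real host.

```python
import re

# Both advisories quoted above: backdoor listens on 3127, moving up to 3198 if a port is taken.
BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample of `netstat -an` output mixing Windows and Linux line
# formats; not real output from any machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3128       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::3198                 :::*                    LISTEN
"""


def listening_tcp_ports(netstat_output):
    """Extract the local ports of TCP sockets in the LISTEN/LISTENING state.
    Outbound connections that happen to use a port in the range (the
    ESTABLISHED line above) are deliberately not counted."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if fields[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        # First field after the protocol that looks like addr:port is the local socket
        # (Linux puts Recv-Q/Send-Q counters before it, Windows does not).
        local = next((f for f in fields[1:] if ":" in f), "")
        match = re.search(r":(\d+)$", local)
        if match:
            ports.add(int(match.group(1)))
    return ports


def backdoor_listeners(netstat_output):
    """Listening ports inside the range the worm is described as using, sorted."""
    return sorted(p for p in listening_tcp_ports(netstat_output) if p in BACKDOOR_PORTS)


if __name__ == "__main__":
    print("listeners in 3127-3198:", backdoor_listeners(SAMPLE_NETSTAT))
```

Run it against real output with `netstat -an | python3 check.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`. A hit in that range is a reason to pull the machine off the network and scan it, not proof by itself: other software can legitimately bind ports there, and the quoted text says the listener stays open after February 12 even when the mailing stops.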

celerityfm

3:26 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



Man... we are getting slammed by this virus-- fortunately our firewall kills all executable attachments and afterwards our emails are funneled through an antispam/antivirus system.. the users never even get a chance to click on the attachment, all they get is the email with a note saying the attachment was deleted.

Why doesn't everyone do this? :P

balam

3:52 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



>Why doesn't everyone do this? :P

Why do so many people still feel compelled to use Microsoft LookOut!, errr... Outlook?

eWhisper

4:04 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Turning the catch all off on a couple email addresses has lowered my volume to only about 1/hour. Seems 99% of the ones I was receiving were only being mailed to random names at mydomain.

Mark_A

4:26 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



phew .. so glad to see I am not alone :-)

No Norton AV pro 2004 machines infected as far as I can tell but one mcafee machine was and its most relevant domain is being hit hard now by this worm.

So glad there are others affected .. I thought some spotty teenager with a keyboard had just decided to waste my time .. specifically me!

Mark_A

4:39 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



what makes me quite angry .. is that

from Norton

"Sends to email addresses found in a specified set of files. It ignores email addresses that end in .edu. "

so either it was a student ... or anyhow why should they be spared! :-)

Hollywood

4:56 pm on Jan 27, 2004 (gmt 0)

10+ Year Member Top Contributors Of The Month



For spam protection at server level and any other level look into (I hope this is allowed to be posted in this situation)

CommTouch Software Inc
Email: stopspam@commtouch.com
Web Site: [commtouch.com...]

Hollywood - SEO

canuck

6:10 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



pendanticist: Are we talking about two, or one?

This latest virus goes by the following names:
W32.Novarg.A@mm [Symantec], W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], and others...

There's been talk of the big AV companies co-ordinating their Virus names lately. On big outbreaks computer users often hear of more than one name of a virus outbreak and it causes even more panic...

dirkz

7:00 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Get a Mac.

PC or MAC, won't make a difference while drowning in mail :)

2oddSox

7:11 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



On big outbreaks computer users often hear of more than one name of a virus outbreak and it causes even more panic...

Which means they sell more of their products. Can't see them going for that.

2odd...

dirkz

8:02 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Delete spam at the server (and bounce it if you like)

There is a new version with KDE's mail client that can bounce messages after you have fetched them.

Doesn't make sense in a worm situation, though.

dodger

8:18 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



<Doesn't make sense in a worm situation, though.>

Makes you feel better for some reason :)

bird

8:24 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



For those using procmail, this is the rule that dumps them for me:

 # body-matching recipe (B flag) with a local lockfile (trailing colon);
 # each 1^0 condition adds 1 to the score once if its anchored line is present,
 # and a positive total delivers the message to /dev/null
 :0 B :
 * 1^0 ^AAEANgAAACZYAAAAAA==$
 * 1^0 ^ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAuc2NyUEsFBgAAAAABAAEAhAAAAHRYAAAAAA==$
 /dev/null

(Watch for line wrap, the second and third line both start with "* 1^0" and end with "==$")

So far I have seen them with two variations of the payload, and the patterns above are the last line (base64 encoded) of each one. I checked my mail archives to estimate the risk that any legitimate attachment would include one of those lines, and didn't find anything. Your mileage may vary.
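Added example, not code from bird's post: a Python emulation of what that procmail recipe does, so the scoring can be tested against saved mail before the rule goes live. It reproduces the `B` flag (only the body is matched), the anchored `^...$` patterns and procmail's `w^x` scoring, where a condition matching n times contributes w * (1 + x + x^2 + ... + x^(n-1)), so `1^0` is simply "add one if present". The two sample messages are constructed; the filler base64 line is not worm data.

```python
import re

# The two anchored base64 patterns from the recipe above, as (weight, exponent, regex).
SIGNATURES = [
    (1, 0, r"^AAEANgAAACZYAAAAAA==$"),
    (1, 0, r"^ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAuc2NyUEsFBgAAAAABAAEAhAAAAHRYAAAAAA==$"),
]


def procmail_score(text, conditions):
    """Emulate procmail scoring (see procmailsc(5)): a condition 'w^x' that
    matches n times adds w * (1 + x + x^2 + ... + x^(n-1)).  With x = 0 only
    the first match counts; Python's 0**0 == 1 makes the same formula work."""
    total = 0
    for weight, exponent, pattern in conditions:
        n = len(re.findall(pattern, text, flags=re.MULTILINE))
        total += weight * sum(exponent ** i for i in range(n))
    return total


def message_body(raw_message):
    """The recipe uses the B flag, so only the body (after the first blank line) is scored."""
    _, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    return body


def should_discard(raw_message):
    """procmail delivers to /dev/null when the total score is greater than zero."""
    return procmail_score(message_body(raw_message), SIGNATURES) > 0


# Constructed messages with hypothetical addresses. The first ends with the
# first signature line; the filler base64 line above it is arbitrary.
INFECTED_STYLE = (
    "From: joe@example.com\n"
    "To: webmaster@example.net\n"
    "Subject: hi\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "AAEANgAAACZYAAAAAA==\n"
)
CLEAN = (
    "From: alice@example.com\n"
    "To: webmaster@example.net\n"
    "Subject: AAEANgAAACZYAAAAAA==\n"
    "\n"
    "Mentioning AAEANgAAACZYAAAAAA== mid-line does not match: the pattern is anchored.\n"
)

if __name__ == "__main__":
    for label, raw in (("infected-style", INFECTED_STYLE), ("clean", CLEAN)):
        print(label, "->", "discard" if should_discard(raw) else "deliver")
```

To estimate the false-positive risk the way bird describes, run `should_discard` over each message in an mbox of known-good mail and count the hits; because the patterns are anchored to a whole line, a legitimate attachment only collides if its base64 encoding ends on exactly one of those lines.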

txbakers

8:43 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My norton has been catching them at the server as well today.

rise2it

10:30 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



For the guys running Mailwasher, what filters have you set up to blow this thing off the server?

WebDon

10:40 pm on Jan 27, 2004 (gmt 0)

10+ Year Member



So far so good here. Anti-virus scanning at the server level has kept us from letting it through to users. My two local machines haven't seen any sign of it so far...keeping my fingers crossed.

Moving REAL fast. My ADMIN tells me he's never seen a virus beat the definition update before.

rise2it

10:41 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Think I figured it out - just have it delete anything except for 'specific' 'to' addresses.

Like you said above, it seems to just pick random names:
joe@domain.com
steve@domain.com
cindy@domain.com
etc.
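Added example, not code from rise2it's or eWhisper's posts or from Mailwasher: the same idea as both, expressed as a small Python rule that reads the To/Cc/Delivered-To headers and keeps a message only when at least one recipient is a mailbox that really exists at the domain, deleting the ones sent to invented names like joe@ or cindy@. The domain, the mailbox list and the three sample messages are constructed assumptions.

```python
import email
from email.utils import getaddresses

OUR_DOMAIN = "example.com"                       # assumption: the domain being flooded
REAL_MAILBOXES = {"info", "webmaster", "sales"}  # assumption: the 'specific' addresses to keep


def recipients_at_our_domain(raw_message):
    """Lower-cased local parts of every To/Cc/Delivered-To address at OUR_DOMAIN.
    Delivered-To is the envelope recipient many servers add; it is optional."""
    msg = email.message_from_string(raw_message)
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    local_parts = []
    for _, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == OUR_DOMAIN:
            local_parts.append(local.lower())
    return local_parts


def verdict(raw_message):
    """('keep', []) when a real mailbox is among the recipients; otherwise
    ('delete', invented names seen) so the log shows what the worm guessed."""
    ours = recipients_at_our_domain(raw_message)
    if any(name in REAL_MAILBOXES for name in ours):
        return ("keep", [])
    return ("delete", sorted(set(ours)))


# Constructed samples with hypothetical addresses.
WORM_STYLE = ("From: someone@example.org\n"
              "To: joe@example.com, cindy@example.com\n"
              "Subject: hi\n\nbody\n")
LEGIT = ("From: customer@example.org\n"
         "To: Web Master <webmaster@example.com>\n"
         "Cc: steve@example.com\n"
         "Subject: question\n\nbody\n")
BCC_ONLY = ("From: list@example.org\n"
            "To: undisclosed-recipients:;\n"
            "Subject: newsletter\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_STYLE), ("legit", LEGIT), ("bcc-only", BCC_ONLY)):
        print(label, "->", verdict(raw))
```

The third sample shows the cost of this rule, which is the same cost as turning off a catch-all: mail that reaches you via Bcc or a list carries no recipient at your domain in its headers, so it is deleted too unless the server adds a Delivered-To header that the rule can see.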

pendanticist

10:55 pm on Jan 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's been talk of the big AV companies co-ordinating their Virus names lately. On big outbreaks computer users often hear of more than one name of a virus outbreak and it causes even more panic...

Thanks, canuck :)
