New Virus Running Novarg Worm

Brett_Tabke

12:49 am on Jan 27, 2004 (gmt 0)

nancyb

2:25 am on Jan 29, 2004 (gmt 0)

> Ahemmm.... ehrr.. how are you getting along with your hosting company?

not sure what you are asking?

I was having problems with the way my email was set up, but finally found a tech who knew the answer - simple answer, too. Actually, I was speaking with the tech about my set up shortly after receiving these spoofed emails and I mentioned it then. However, he didn't comment on it and I hadn't checked my log files then.

newhopeinc

4:23 pm on Jan 29, 2004 (gmt 0)

I have a feeling our organization is infected! Can anyone answer these two questions?

1) What is the simplest way to determine if a machine or network is infected? What about looking for the Shimgapi.dll file in the %System%\ directory?

2) Most of the talk is about prevention which is the most important thing. However, what are the options for "removing" the virus from the network? I can always get the tool and use it on individual machines.

Many thanks!

Mark_A

4:40 pm on Jan 29, 2004 (gmt 0)

For newhopeinc

I suggest you just follow the steps at either

Norton AV where it is known as "Novarg"
[securityresponse.symantec.com...]

or

McAfee, where it is known as "W32/Mydoom@MM"
[us.mcafee.com...]

Then install either of their products with frequent updates on the server and/or all machines.

btw I think Norton has a download tool which you can install and use to test and fix on a machine-by-machine basis .. should be pretty straightforward, but with infected machines that's often not the case :-)

best of luck .. plus please stop them transmitting while you are checking / fixing them :-)

krieves

6:26 pm on Jan 29, 2004 (gmt 0)

Hmm... I have been receiving returned emails (that I never sent) that have an attachment called fail.hta. I believe this is a variation of MyDoom.

newhopeinc

6:43 pm on Jan 29, 2004 (gmt 0)

Mark A.

Thanks for the tips, your suggestions are already in place and I've already read up front to back on NAV's page about the virus. I was looking for a little more. But, from my reading and research ... there really isn't much more that can be done I assume.

Thanks.

Visit Thailand

6:55 am on Jan 30, 2004 (gmt 0)

This thing is incredible; it seems to be actually getting worse. I have received more emails today than on previous days.

Tropical Island

9:57 am on Jan 30, 2004 (gmt 0)

Visit Thailand,

I assume we are in the same general business of tourism.

What I find really interesting is that the e-mail we use for reservations is receiving thousands of MyDoom e-mails whereas our webmaster e-mail for another domain that is published on every page of a 100 page site is getting very few. Those viruses that it does get are the M$ ones (forget their designation) or Klez which are self opening.

This seems to indicate to me that "your average user" is still innocent enough to open attachments and not update their AV software on a regular basis whereas the webmaster people don't open attachments but also don't update or don't have AV software.

spud01

10:45 am on Jan 30, 2004 (gmt 0)

Tropical Island,

That's in fact what's happening: your average user/holiday maker that has your main general email will most likely be infected due to the fact that most are not clued-up on the internet security industry and how to protect yourself adequately.

As for your webmaster email address on the front page of many sites/pages? It will only be receiving contacts mainly from users that have something to say about your site; these people could mainly be other webmasters or IT professionals and so on, and a trickle of your avg. net surfer.

Email siphon systems that crawl the web for emails to spam to will mainly be servers, and these will be less likely to be infected as they're supposed to be fortified with AV/AT apps and firewalls etc. and updated regularly by the administrator. Whereas a home user will probably have NAV 2003, for argument's sake, on dial-up and isn't going to be bothered to download the 4 megs or so update file, which in some cases could take several hours to download. So home users, for this reason and many more, are several times more likely to be infected, as either they don't have an AT/AV utility to deal with viruses & trojans or do not bother with the weekly virus updates.

"That's my 2 cents" as you Americans will say.

Keep up the good work WW

troels nybo nielsen

10:54 am on Jan 30, 2004 (gmt 0)

> not sure what you are asking?

Sorry. It had indeed been my intention to clarify, but I ran into problems (not virus-related).

In a situation like yours I would have contacted one particular person at my hosting company and asked him if they might have internal security problems. That may happen to any company. I seem to remember that one member had problems with a dishonest employee at his hosting company and that those problems were solved in cooperation with the owner of the hosting company.

pendanticist

6:00 pm on Jan 30, 2004 (gmt 0)

The point most folks miss about this particular virus is the Social Engineering that went into making it more 'openable' to the recipient, than ever before.

( I can't find the exact resource, but it's been said that this virus is the most socially engineered to date and the article speaks solely to that topic ).

Oppose that to what we know about those who ( for whatever reason ) find themselves with an open attachment running rampant on local machine(s). We know many, many folks find themselves in this position. :(

Now throw in the most socially engineered virus and the problem is compounded.

The disparity between those who do ( intentionally or not ) and those who do NOT ( without scanning first ) open attachments is the window of opportunity that needs closing.

Herenvardo

10:35 am on Jan 31, 2004 (gmt 0)

There is a way to securely open attachments without antivirus.
You can even detect a virus that is still unknown by using this method, so the best option is to check the attachment with the antivirus and then open it securely using this method.
I suppose you will want to know which this method is, so here it goes:

1st. Check the attachment and download it without opening. In most systems, it can be done by right-clicking the attachment and saving it to disk, instead of clicking it.

2nd. Open it, but without running it. A virus, to work, needs to be run. To run a file, in most systems, you have to double-click it. If the file is not runnable by itself, Windows searches for an application able to open it, runs the application, and sends the file to the application to get it opened. For example, if you double-click a .txt file, Windows will call Notepad and the program will open the file. But if the file is a .txt.exe, then it'll be run. Instead of double-clicking it, it's as easy as launching Notepad, selecting File/Open... and opening the file. Then it won't be run; instead, Notepad will read it and show its content in the window. Then you will have it open. If it truly was a text file, you'll be able to read it. If it was a virus, you shall see a lot of strange characters, like ©♀☺↑A@. Then you know that you have to close Notepad and delete the file: if it's not a text and tries to seem a text, it's logical that there's nothing good in that file. If it was a recovered fragment from a message, it will be text, maybe not complete but readable. The same method can be applied to image attachments, opening them from Paint or Paintbrush (W3.x forever! ;)), audio files, videos, etc.

The method can be summarized in: open the file from its related application, DON'T RUN it.

Greetings,
Herenvardö

vrtlw

11:20 am on Jan 31, 2004 (gmt 0)

Kaspersky Labs Traces MyDoom to Russia [groklaw.net]

In a story that would completely exonerate the Linux community, accused by SCO of perhaps being behind this week's e-mail virus, the Moscow Times is carrying a story this morning that the first e-mails infected with MyDoom [trace] back to addresses with Russian Internet providers

MyDoom, the fastest-proliferating computer virus ever, has been traced to Russia. Using location-sensing software, Kaspersky Labs has traced the first e-mails infected with MyDoom back to addresses with Russian Internet providers.

riscit

5:09 pm on Jan 31, 2004 (gmt 0)

Anyone got a procmail recipe for the new strain that uses the random file names? I had one that I thought was working, but it's only catching the old type with the known file names.

waitman

6:08 pm on Jan 31, 2004 (gmt 0)

yeah, this nasty virus sure clobbered my mail servers. even with virus scanning and spam filtering, couldn't keep up with the sheer traffic.

I finally got sick of it and hacked together my own SMTP server. I thought I would post info here in case somebody with gumption wanted to use the ideas to implement a real live server. It might not be anything new, but I have had some luck. My policies in place are a little aggressive, but what the hey.

Here is my process of clipping mail before wasting any resources on spam filtering and virus scanning:

1) Check source IP against a black list. This is pretty common, but I eventually want my server to learn which IPs are sending bad stuff and react.

2) Actually validate the "from" address. I tried actually connecting to the sender's SMTP server to validate the email, but this was way overboard. Basically it restricts incoming from addresses to a simple regex that only likes "normal" addresses, a subset of the RFC spec.

3) compare the country of origin of the source ip to the country location of the email domain.

4) only allow valid TO: addresses, if a valid recipient is not specified in the rcpt to: command then immediately issue 500

5) all error commands reported back to issuing server include telephone number and contact name, in case a real person trying to send a valid email gets clipped and wonders "why?" ;-)

6) store activity in mysql database.

If an email makes it past the gate, then it gets virus scanned and spam analysed/filtered.

So on Thursday I pointed a couple of domains at it to test. Carefully watching the activity, I haven't seen anything useful get blocked. The nice thing is that after 6,506 emails, 4,868 of them were dropped immediately without ever getting the DATA command. That is 75%. A REAL savings on server load. Before, 90% of the mail would come in and have to go through content and virus scanning, which was beyond red-lining the capacity of the machine.

I realize it likely isn't for everyone, but frankly I am sick to death of all the spam and virus infected mails.

take care,

Waitman
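The six-step gate Waitman describes can be written as one policy function that answers each envelope command before DATA is ever accepted. The block below is an added example in Python, not Waitman's server or any project's code. Everything it consults is a constructed stand-in and an assumption: a tiny blocklist where a real gate would query a DNSBL, an IP-to-country table and a ccTLD table where it would use a GeoIP database, and a fixed recipient set where it would ask the mail store. Two details differ from the post on purpose: an unknown recipient gets 550, the RFC 5321 code for "mailbox unavailable", rather than 500, and an empty MAIL FROM (the null sender that bounces must carry) is let through the syntax check so that legitimate delivery failures are still accepted.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-ins (assumptions). A real gate would consult a DNSBL,
# a GeoIP database and the mail store's user directory instead.
BLOCKLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]
IP_COUNTRY = {"192.0.2.10": "US", "192.0.2.55": "RU", "198.51.100.9": "CN"}
TLD_COUNTRY = {"us": "US", "ru": "RU", "de": "DE"}
VALID_RCPT = {"info@example.com", "reservations@example.com"}
CONTACT = "postmaster@example.com / +1 555 0100"  # step 5: tell real senders who to call

# Step 2: a deliberately narrow subset of RFC 5321 address syntax. Quoted
# local parts and address literals are legal but are rejected here on purpose.
SIMPLE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def ip_blocked(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def domain_country(domain):
    # Only a country-code TLD says anything about location; .com/.net/.org
    # return None and therefore can never count as a mismatch.
    return TLD_COUNTRY.get(domain.rsplit(".", 1)[-1].lower())


def country_mismatch(ip, mail_from):
    if not mail_from:
        return False
    src = IP_COUNTRY.get(ip)
    dom = domain_country(mail_from.split("@", 1)[1])
    return src is not None and dom is not None and src != dom


def gate(source_ip, mail_from, rcpt_to, log):
    """Decide an envelope before DATA. Returns (smtp_code, text); anything
    other than 250 means the body is never received, scanned or stored."""
    if ip_blocked(source_ip):                                    # step 1
        verdict = (554, f"{source_ip} is listed; contact {CONTACT}")
    elif mail_from and not SIMPLE_ADDR.match(mail_from):         # step 2 ("" is the null sender, kept for bounces)
        verdict = (501, f"sender syntax not accepted; contact {CONTACT}")
    elif country_mismatch(source_ip, mail_from):                 # step 3
        verdict = (550, f"sender domain and source address disagree on country; contact {CONTACT}")
    elif rcpt_to.lower() not in VALID_RCPT:                      # step 4 (550 is RFC 5321 "mailbox unavailable")
        verdict = (550, f"no such recipient <{rcpt_to}>; contact {CONTACT}")
    else:
        verdict = (250, "OK")
    log.append((source_ip, mail_from, rcpt_to, verdict[0]))      # step 6: the audit trail (a list here, MySQL in the post)
    return verdict


# Constructed envelopes to push through the gate.
SAMPLE = [
    ("192.0.2.10", "alice@example.us", "info@example.com"),          # clean
    ("198.51.100.9", "bob@example.us", "info@example.com"),          # blocklisted source
    ("192.0.2.55", "x-1-2-3@@mail.ru", "info@example.com"),          # mangled sender
    ("192.0.2.55", "boris@example.us", "info@example.com"),          # RU host claiming a .us sender
    ("192.0.2.10", "", "nobody@example.com"),                        # bounce (null sender) to a dead address
    ("192.0.2.10", "dave@example.com", "reservations@example.com"),  # clean
]


def run_sample():
    log = []
    for ip, mail_from, rcpt_to in SAMPLE:
        gate(ip, mail_from, rcpt_to, log)
    refused = sum(1 for entry in log if entry[3] != 250)
    return log, refused


if __name__ == "__main__":
    log, refused = run_sample()
    for entry in log:
        print(entry)
    print(f"{refused}/{len(log)} envelopes refused before DATA")
```

The country comparison is the check most likely to refuse legitimate mail (a .de company whose mail is hosted in the US, for instance), which is why it only fires when both sides are known and generic TLDs never mismatch. Running the block prints each verdict and shows four of the six constructed envelopes refused before DATA.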

TryAgain

8:07 pm on Jan 31, 2004 (gmt 0)

> MyDoom, the fastest-proliferating computer virus ever, has been traced to Russia. Using location-sensing software, Kaspersky Labs has traced the first e-mails infected with MyDoom back to addresses with Russian Internet providers.

So I'm the virus writer (for arguments sake!).

I upload the virus to some hijacked "zombie" machine.

Done.

mat

5:12 pm on Feb 1, 2004 (gmt 0)

> Anyone got a procmail recipe for the new strain that uses the random file names? I had one that I thought was working, but it's only catching the old type with the known file names.

A quick G search for 'mydoom procmail' brings up lots, and they work. Wave goodbye to lots of CPU time for a while, however. All I've done is add .zip to the list of usual suspect cruddy extensions that get filtered, at least until this thing abates somewhat.
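Herenvardo's advice above (open an attachment with its own viewer, never run it) and the procmail question (a header-based recipe matches the filename= in the MIME part, which is exactly what a strain with random names defeats, hence mat's blanket .zip rule) both come down to judging an attachment by what it is rather than what it is called. The block below is an added example, not code from any poster and not a procmail recipe: a Python filter that walks a MIME message, flags executable and double extensions, flags anything that starts with the MZ header of a Windows executable whatever its name, and looks inside zip attachments so that archives holding only documents can still pass. The message it scans is constructed inline; the executable attachments are stubs carrying only the MZ magic, not a real sample.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Payload extensions mass mailers of this period shipped; .hta covers the
# "fail.hta" bounce reported earlier in the thread.
RISKY_EXT = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".hta"}


def risky_name(name):
    """True for document.exe and for disguises like document.txt.exe."""
    parts = name.lower().split(".")
    return len(parts) > 1 and any("." + p.strip() in RISKY_EXT for p in parts[1:])


def inspect_attachment(name, data):
    """Return the reasons to hold this attachment; an empty list means pass."""
    reasons = []
    if risky_name(name):
        reasons.append("executable extension")
    if data[:2] == b"MZ":                       # DOS/PE header: a Windows executable whatever it is called
        reasons.append("PE/MZ header")
    if data[:2] == b"PK":                       # zip local-file header: look inside
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = [m for m in zf.namelist() if risky_name(m)]
            if bad:
                reasons.append("zip contains " + ", ".join(bad))
        except zipfile.BadZipFile:
            reasons.append("malformed zip")     # unparsable is treated as suspect, not as clean
    return reasons


def scan_message(raw):
    """Map each held attachment's filename to the reasons it was held."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = inspect_attachment(name, part.get_payload(decode=True))
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed message (assumption), not a captured worm sample."""
    def zipped(member, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, content)
        return buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "webmaster@example.com"
    msg["Subject"] = "Mail Delivery Failure"
    msg.set_content("The original message is attached.")
    msg.add_attachment(b"Just a plain note.\n", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application", subtype="octet-stream", filename="document.txt.exe")
    msg.add_attachment(zipped("document.scr", b"MZ" + b"\x00" * 30), maintype="application", subtype="zip", filename="document.zip")
    msg.add_attachment(zipped("invoice.txt", b"plain text"), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

Deciding on bytes rather than names is what lets the filter release invoice.zip while holding document.zip and document.txt.exe. The same limit that applies to opening a file in Notepad applies here: a content check is only as trustworthy as the parser doing the checking, so the archive is opened with the standard library and anything it cannot parse is held rather than passed.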

Herenvardo

9:45 am on Feb 2, 2004 (gmt 0)

> So I'm the virus writer

Beware what you say...
If it's true, you are helping the authorities to find you.
If not, you are risking yourself anyway. Authorities do not care about the truth, only about what can be proved.
I would say what I think of the virus makers (without caring if you are one or not), but I'm sure the mods would kill such a post. It wouldn't even pass a spam filter. In addition, the words I'd say would hurt a lot of people's sensibility, so I'll try to minimize the use of "bad" words:
Virus makers are a plague on the web. They only care about hurting without reason; even when they try to justify themselves with a lot of lies (normally helped by their advocates), they are only a lot of... ok, I won't go on. No mod in her/his common sense would allow what was coming next, some backspaces and the best part is out :(

Greetings,
Herenvardö

PS: Please do not misinterpret me. I don't want to offend the mods. Their work consists in removing the barbarities I was going to post, so I simply censored myself ;)

gethan

12:21 pm on Feb 2, 2004 (gmt 0)

So tomorrow is MyDoomDay for M$. It's a real pity that this virus doesn't exploit one of the many holes in the M$ OS's...

I'm not supporting virus writing etc, but after all the viruses that I (even as a Linux user) have been bombarded by that exploit Windoze holes, I think it would have been nice to see M$ getting some of their own medicine.

Herenvardo

9:20 am on Feb 3, 2004 (gmt 0)

> I'm not supporting virus writing

There is nothing bad about writing viruses. The problem comes when the viruses are set free.
If you're able to create a pretty innovative virus, you can send its source to Norton or McAfee (or both, of course), and the antivirus technology will improve.
I once made a virus that only showed a screen saying:
"If you read this, you have no antivirus software.
This is a virus and it has infected your system. F*** you."
After that, there were some links to webpages that offered free antivirus. The only way to make the screen disappear was to click any of the links or unplug the power cable of the computer. In that case, the screen appeared again at each boot, until a link was clicked. I sent it to all my friends and now all of them have some antivirus software ;).
I've nothing against creating viruses, but a lot against using them to harm people.

Greetings,
Herenvardö

krieves

3:27 pm on Feb 3, 2004 (gmt 0)

I must have received 50-60 emails on my notebook with MyDoom attached, just last night. My Trend Micro took care of it, but that's the most I've received since this virus was released into the wild. People that are running broadband connections and are not using at least anti-virus and a firewall are asking for trouble.

balam

3:32 pm on Feb 3, 2004 (gmt 0)

You're an interesting character, Herenvardö...

> Virus makers are a plague in the web [...] even when they try to justificate themselves

> There is nothing bad about writting virus. The problem comes when the virus are set free.

> I made once a virus [...] I sent it to all my friends

> The only way to make the screen disappear was to click any of the links or un-plugging the alimentation cable of the computer. In this case, the screen appeared again at each boot, until a link was clicked.

> I've nothing against creating viruses, but a lot against using them to harm people.

And you seem to think that you're justified in infecting friends' computers and hijacking them until they do what you want? Just because it's in their best interest? You don't consider this the least bit harmful?

If this is what you do to friends, I don't want to even know what you do to enemies... You should take your own advice:

> Beware what you say...

Herenvardo

9:26 am on Feb 4, 2004 (gmt 0)

> You're an interesting character, Herenvardö...

My virus was completely innocuous! I only tried to show those friends who didn't use antivirus how vulnerable they were. The program didn't even force them to download any software, simply to click a link.
They had said many times that viruses didn't attack them because they were simply PC users, not a business nor anything like that. I was trying to give them a realistic view of what could happen.
I know my method was not the best, and I even regret having reached such an extreme, but I was convinced that it was the best way to protect them.
Do you know how most vaccines work? They are an imitation of the virus they are supposed to work against, but completely innocuous. After detecting a strange presence, the immune system creates defenses against such an invader, which can defend the person against the original virus.
So I could say that my virus was not a virus, but a vaccine ;)
NOTE: All of the "victims" downloaded, 100% willingly, antivirus software after that. Most of them even thanked me.
Some even detected a lot of timebombs in their system!
Do you want to see my first virus? ;)
It is an adaptation to Java. I hope you will understand how it works and adapt it to your needs:

public class worm {
    public worm() {
        while (1 == 1) {
            // Unbounded recursion: each new worm() re-enters this constructor
            // before the loop advances, until the JVM throws StackOverflowError.
            worm w = new worm();
        }
    }
}

It simply collapses all the system resources exponentially. It also needs replication code and some things to make it run when desired. ;)
If I can post such code here in a moment, imagine what somebody who wants to harm without any reason could do. That's what I was trying to tell my friends.

Greetings,
Herenvardö

PCInk

9:53 am on Feb 4, 2004 (gmt 0)

Unfortunately, I believe Virus protection is not the best thing here:

I use Norton AntiVirus 2003 which is up-to-date as I pay for the subscription. It came with a few months free with the computer. Every time I get a virus sent to me I have to deal with a warning message and manually quarantine and then click finish.

I have tried all the settings including 'Try to repair, then silently quarantine if unsuccessful'. It makes no difference. The word silent must mean something different to Norton's programmers than it does to me.

It has been completely tempting to switch the virus protection off because of the time taken (20 minutes this morning) to quarantine all the emails.

Think about a novice user, Norton may get uninstalled. This only helps the spread of the virus.

Ross

10:07 am on Feb 4, 2004 (gmt 0)

PCInk - Get yourself a copy of Mailwasher. It will recognise and delete those virus messages at the server....no need to download them to your pc.

Do a Google search for it....there's quite a few people here that use it.

Oh....and I agree about Norton. If it's got rid of the damn thing it doesn't need to wait for a round of applause each time :)

PCInk

11:13 am on Feb 4, 2004 (gmt 0)

Thanks Ross, but the whole point is that there will be a lot of users that don't know how to stop AntiVirus doing this. They may not know how to pause AntiVirus. So it will possibly be uninstalled and never put back on. Thus future virus outbreaks may get a good advantage.

Off to find mailwasher...

Herenvardo

8:54 am on Feb 5, 2004 (gmt 0)

Wow. You seem overwhelmed. Most of my e-mail inboxes are set up with a white list, so I don't get spam or viruses. And I'm sensible enough not to open an attachment without a lot of caution, even when I know what the attachment contains. So my antivirus has a lot of holidays: it scans what passes through my filters and once or twice a year, a virus is detected and cleaned. ;)
Knowledge is the best weapon for everything!

Greetings,
Herenvardö
