New Virus Running Novarg Worm

     
12:49 am on Jan 27, 2004 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38048
votes: 12

12:52 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 6, 2002
posts:742
votes: 0


Oh yes, I've seen them coming in the past couple of hours. Anti catching them all, but they are spreading around.
1:15 am on Jan 27, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Apr 18, 2003
posts:305
votes: 0


Yeah, the only thing worse is the huge amount of MSN picture hacking going on
1:22 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


Thanks Brett - here is Symantec's take:

securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

We have received a whole load this morning.

1:24 am on Jan 27, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 27, 2003
posts:49
votes: 0


Yes. I don't normally get these, but this one I'm receiving at random addresses for one of my domains.

Also: MSN picture hacking? Care to elaborate?

1:50 am on Jan 27, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Nov 30, 2002
posts:225
votes: 0


OMG--I'm getting tons of e-mails since this afternoon with .zip attachments saying the message could not be delivered.

I hate new virii...they fill up my email for weeks until people finally figure out they are the ones with it.

2:47 am on Jan 27, 2004 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:14487
votes: 49


They're trickling into Japan now...<yuck>
2:51 am on Jan 27, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 8, 2003
posts:126
votes: 0


This is the first day back at work in Taiwan (after Chinese New Year holiday). Mailboxes will be full and people are bound to open emails with less precaution than usual. I expect this will dramatically compound the problem.
2:53 am on Jan 27, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Nov 30, 2003
posts:249
votes: 0


I'm getting clobbered.
2:56 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 3, 2003
posts:805
votes: 0


15 per hour here in Australia
3:01 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 1, 2003
posts:1201
votes: 0


I'm getting 100s an hour. The spoofing is going to victimize a lot that are unaware.
3:15 am on Jan 27, 2004 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38048
votes: 12


Getting hammered here - turning off email functions on WebmasterWorld for the time being.
3:29 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 6, 2002
posts:742
votes: 0


I hope it's ok to post this message from SPAMCOP.NET.

[19:13 EST] A new virus, alternately called Mydoom or one of the Mimail variants, is spreading quickly this afternoon. It was apparently first picked up by the virus labs the middle of this afternoon (EST). At 6:15 p.m. EST our antivirus software company issued a new data file which catches it and our automatic update procedures picked up the new virus definitions at 6:47 p.m. At this point, all SpamCop email is protected from the virus but there were a few hours this afternoon between the introduction of the virus and when we get the new definitions where the virus was delivered to email accounts. As always, don't open attachments you haven't requested, even if they appear to be from people you know.
3:39 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 5, 2003
posts:636
votes: 0


This one is particularly nasty. I have yet to see it (thank God for server level spam filters) but I don't expect to go for too long before someone I know is infected.

Hey, at least it DDOSes sco.com. Not that I agree with cybercrimes but I couldn't think of a better company to do it to.

3:45 am on Jan 27, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Apr 18, 2003
posts:305
votes: 0


sidewinder:

MSN picture hacking. Someone got into my profile and hacked my picture. They knew I was Jewish and put Nazi material all over it. They even knew where I lived...

I don't think they hacked my entire profile as none of it was changed. My friend had his hacked too, so I know it's some kind of new Microsoft vulnerability, maybe in the .NET framework or server apps.

I posted about it but no one really seemed to care.

3:58 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


Question: How do I delete or block all emails at the server level (for the whole server not just individual domains) which have an attachment of .exe .pif or .scr?

I do not mind if the attachment and email are deleted just want them gone.

What is the best software to use?

4:54 am on Jan 27, 2004 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5817
votes: 64


McAfee says when the attachment is run, it creates a file named: taskmon.exe

Does Windows already have a file by that name, because I found that file.

4:55 am on Jan 27, 2004 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:14487
votes: 49


taskmon.exe is a standard Windows file. I wouldn't kill it if I were you.
4:56 am on Jan 27, 2004 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5817
votes: 64


Thanks Bill, that's what I wanted to know (wipes his brow...)

5:00 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


I noticed that too, wonder how many people think ahh and kill their real task manager!
5:24 am on Jan 27, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Nov 30, 2003
posts:249
votes: 0


Hint: do a Google search on taskmon.exe
5:28 am on Jan 27, 2004 (gmt 0)

New User

10+ Year Member

joined:Oct 28, 2003
posts:23
votes: 0


Thanks for the warning guys.
6:28 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2002
posts:385
votes: 0


Yep, woke up 6:30 this morning, received an alert from Norton, updated it, and blocked all .pif, .bat, .scr, .exe, .zip, .bas and a few others at the server so I won't receive it.

However I did get one email with a very suspicious attachment which I deleted. That was before I put a block on the server.

Never seen something move so fast, I mean I finished last night at 11:30pm, woke up at 6:30am and I received many alerts!

This one will hurt people!

All webmasters should look into blocking attachments at the server. There are many attachments these days I don't require people to send me.

If you're on a commercial basis like .com .net etc then it would be wise to look into it.

I have managed to block so many unwanted attachments.

Take care guys!

7:54 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 8, 2003
posts:548
votes: 0


I can only say that I am very happy to have implemented my own custom anti-virus measures years ago on my mail server. It's simple but effective: I simply block all types of executable attachments that I know of.

If someone wants to send us an executable attachment like a self-extracting zip archive, they have to put a special text in the body.

The problem with relying on auto-updating AntiVirus Software (which I also use) is that some viruses spread faster than the auto-updates.

8:37 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 28, 2003
posts:925
votes: 0


I suspect it abuses one of my domains as email in the from-header for replicating. Besides the official virus mails I get bombed with "Virus removed" mails.

Anyone having the same problem?

8:49 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2002
posts:385
votes: 0


I suspect it abuses one of my domains as email in the from-header for replicating. Besides the official virus mails I get bombed with "Virus removed" mails.

Only 1 of my domains also, but this was before I placed my block not sure if the block would stop it or not.

Our block only stops the email arriving to our computers, maybe if someone who was infected and had your email address in their address book, it would then send the virus to someone else and it would appear from you. Then a warning message is sent to your email address even though you're not the original sender.

9:07 am on Jan 27, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 26, 2002
posts:81
votes: 0


Just started here in Switzerland... I made a special filter for my mail server, really annoying!

- swizz

9:18 am on Jan 27, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


How do I delete or block all emails at the server level (for the whole server not just individual domains) which have an attachment of .exe .pif or .scr?

Ah, but this baby is a .zip file which unzips to .pif. That makes it trickier.

9:24 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:May 15, 2002
posts:542
votes: 0


Yeah, I'm in the UK and started to receive this virus yesterday.

So far have managed to stop it with mailwasher and Norton.

I hate these virus ppl grrrrrrr :¦

9:26 am on Jan 27, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2002
posts:385
votes: 0


Ah, but this baby is a .zip file which unzips to .pif. That makes it trickier.

Yes, for the first time I am blocking the Zip files.

I would say 90% are being blocked at the moment but some still manage to get through.

I received one with

.htm

which surprised me and yet NAV says:

.pif
.scr
.exe
.cmd
.bat
.zip
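
Added example, not part of any post in this thread and not any poster's actual filter: a Python sketch of the server-side check discussed above, which rejects mail by attachment extension and also opens .zip attachments to catch a .pif or .scr packed inside. The function names, the sample messages and the reject-unreadable-archives policy are assumptions; the extension list is taken from the posts. Nested archives are not descended into.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions named in the thread. A .zip is opened and its members checked.
BLOCKED_EXTS = {".exe", ".pif", ".scr", ".cmd", ".bat", ".bas"}

def ext_of(name):
    """Final extension, lower-cased; trailing dots/spaces are stripped first."""
    name = name.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def blocked_names(raw_message):
    """Return the attachment or zip-member names that match BLOCKED_EXTS."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        if ext_of(name) in BLOCKED_EXTS:
            hits.append(name)
        elif ext_of(name) == ".zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist()
                             if ext_of(m) in BLOCKED_EXTS]
            except zipfile.BadZipFile:
                # Assumed policy: an archive that cannot be inspected is rejected.
                hits.append(f"{name} (unreadable zip)")
    return hits

def zip_with(member):
    """Constructed sample: a zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    return buf.getvalue()

def sample_message(filename, data):
    """Constructed sample: a bounce-style mail carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("The message could not be delivered.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A mail filter hook would call `blocked_names()` on the raw message and reject or quarantine when the returned list is non-empty.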
