NEW VIRUS ALERT!!!! Please read~~~~



QuadJunkies
01-27-2004, 01:50 PM
A mass-mailing virus that quickly spread through the Internet on Monday planted a file that will instruct infected computers to attack the SCO Group's Web server with a flood of data on Feb. 1.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreakvirus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

The company's Web site was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded. The virus camouflages itself, using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at e-mail service provider Postini.

"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from e-mails can stop the program from spreading.

01-27-2004, 02:01 PM
no one open any weird email attachments if you did before

zephead400ex
01-27-2004, 02:04 PM
Even though I have not read the entire post, this is a good thread QJ. This is a high risk virus. If you have an antivirus program, update it. NAV should be updated 1/26/04, if not, you are vulnerable.

More info and removal tool.
http://vil.nai.com/vil/content/v_100983.htm

dirtmomma
01-27-2004, 02:04 PM
O geez I think I got some of those today???? Didn't open them though, better go delete all that crap:mad: Thanks for the info Tina:cool:

MILF_HUNTER
01-27-2004, 02:29 PM
for this virus to attach itself to your computer is it just the email that needs to be opened or is there a file in the email itself?

pbarr86
01-27-2004, 02:38 PM
If you get it use this CLICK HERE (http://vil.nai.com/vil/stinger/)

Works great,

Paul

sly400ex
01-27-2004, 02:40 PM
Originally posted by MILF_HUNTER
for this virus to attach itself to your computer is it just the email that needs to be opened or is there a file in the email itself?

A file within the email, opening or reading the email alone will not propagate it.....


more info....

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

KASCHAK
01-27-2004, 02:58 PM
uhh oohhh... hehe just kidding i didn't open it. i hope no one on here gets it

Tina
01-27-2004, 03:02 PM
I opened mine!:mad: I got it yesterday and it was from somebody (I don't want to put his name)@ama-cycle.org. I thought it was a legitimate email for work and I opened it!:mad: :mad: What exactly does it mean that it leaves a back door open? (Yes, I am computer illiterate):confused:

xr50layke
01-27-2004, 03:58 PM
i dont check my email :D

Jumbo747
01-27-2004, 04:27 PM
Originally posted by Tina
What exactly does it mean that it leaves a back door open? (Yes, I am computer illiterate):confused:

don't blame that person if you know them for sending you the virus on purpose..it attaches itself to any e-mail addresses found in their book & automatically sends them e-mails so they didn't do anything...now, I believe "leaving the back door open" is where your computer is pushing information & taking in information without you knowing about it....it's kinda scary

Tina
01-27-2004, 04:37 PM
Originally posted by Jumbo747
don't blame that person if you know them for sending you the virus on purpose..it attaches itself to any e-mail addresses found in their book & automatically sends them e-mails so they didn't do anything...now, I believe "leaving the back door open" is where your computer is pushing information & taking in information without you knowing about it....it's kinda scary

I don't blame anyone but myself, I know that it works like that, my computer is now sending it to everyone in my address book.:mad: It just looks so normal this time. Usually it's from hjklzx@whatever.com then for subject it says A funny game for you or something weird and you can tell it's a virus. This one said hi, and we get a lot of legitimate emails that just say hi and I fell for it.:mad:

seven
01-27-2004, 04:39 PM
I ain't too worried about it. I have all my stuff backed up. Worst case, Nuke the hard drive and clear the C-Mos and reinstall windows!

QuadJunkies
01-28-2004, 12:18 AM
Originally posted by seven
I ain't too worried about it. I have all my stuff backed up. Worst case, Nuke the hard drive and clear the C-Mos and reinstall windows!

what the heck is C-MOS:huh :o .....It's pretty scary to think someone can get all this private info, credit card Access etc.........:confused: :( I guess this virus is working VERY FAST..........Hope I don't get it.......:mad: I just got my computer back to running better last week........

hondarider2006
01-28-2004, 12:42 AM
Originally posted by QuadJunkies
what the heck is C-MOS:huh :o .....It's pretty scary to think someone can get all this private info, credit card Access etc.........:confused: :( I guess this virus is working VERY FAST..........Hope I don't get it.......:mad: I just got my computer back to running better last week........



My computer got all messed up about 2 weeks ago and we had to bring it in to the shop. They said that it had a virus and had to wipe the disk clean....Hopefully I won't catch this virus either, seeing as how I have only had my computer back for about a week also:mad:

Tina
01-28-2004, 07:54 AM
I ran a scan and it said I had 6 infected files and it deleted 4 of them. Then I restarted and scanned again and it said I had 1 infected file and it could not be repaired. My question is how do I delete it? Can I just delete it from the winzip folder? This is what it said the second time I ran the scan:

McAfee AVERT Stinger Version 1.9.8 built on Jan 27 2004

Copyright (C) 2002-2003 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Jan 27 2004.

Ready to scan for 37 viruses, trojans and variants.



Scan initiated on Tue Jan 27 21:07:26 2004

C:\WINDOWS\Temporary Internet Files\Content.IE5\VYC3R9WX\document.zip\DOCUMENT.H TM .EXE

Found the W32/Mydoom@MM virus !!!

C:\WINDOWS\Temporary Internet Files\Content.IE5\VYC3R9WX\document.zip could not be repaired.

Number of clean files: 87707

Number of infected files: 1


Does anyone know how I can get rid of this and will that "close the back door"?

Thank you.
Tina

sly400ex
01-28-2004, 08:00 AM
Originally posted by Tina
I ran a scan and it said I had 6 infected files and it deleted 4 of them. Then I restarted and scanned again and it said I had 1 infected file and it could not be repaired. My question is how do I delete it? Can I just delete it from the winzip folder? This is what it said the second time I ran the scan:

McAfee AVERT Stinger Version 1.9.8 built on Jan 27 2004

Copyright (C) 2002-2003 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Jan 27 2004.

Ready to scan for 37 viruses, trojans and variants.



Scan initiated on Tue Jan 27 21:07:26 2004

C:\WINDOWS\Temporary Internet Files\Content.IE5\VYC3R9WX\document.zip\DOCUMENT.H TM .EXE

Found the W32/Mydoom@MM virus !!!

C:\WINDOWS\Temporary Internet Files\Content.IE5\VYC3R9WX\document.zip could not be repaired.

Number of clean files: 87707

Number of infected files: 1


Does anyone know how I can get rid of this and will that "close the back door"?

Thank you.
Tina

Assuming that the document.zip is the file infected, you can just browse to it and permanently delete it. (Hold your shift key and hit delete at the same time, it bypasses the recycle bin and deletes for good)

Also....make sure you go to windows update site to apply any security patches to the operating system you are using.....this can potentially protect vulnerable ports.

Finally invest in some good antivirus software and make sure to keep it updated!! I prefer Norton, it seems to work best!:)

Tina
01-28-2004, 08:10 AM
Thanks for the great info! I'm going to do that right now.

Thank you!!:)

dirtmomma
01-28-2004, 08:12 AM
That's good info, I ran my virus scan last night & it said I had like 8 files that couldn't be cleaned so I just deleted them?? I should probably go back in & see if they are gone?? Thanks if you can help, BTW it didn't say it found any virus'

sly400ex
01-28-2004, 08:23 AM
Originally posted by Tina
Thanks for the great info! I'm going to do that right now.

Thank you!!:)
;)



I know with Norton, it is setup to quarantine infected files that can not be repaired. Then all you have to do is go in and manually delete them.

Dirtmomma, just run a virus scan one more time to make sure nothing reports, and if your system seems to run alright after deleting those files, I wouldn’t worry about a thing!
:cool:

seatec
01-28-2004, 08:29 AM
Here is the exact description of the Doom Virus.
http://vil.nai.com/vil/content/v_100983.htm

Tina
01-28-2004, 12:49 PM
Basically this is how I looked all day...:huh

But, after hours and hours of downloading, scanning, removing, updating, restarting and deleting, I think I finally got rid of it! The last scan I ran said no virus found!!


Thanks ya'll for your help!
Tina

gojk
01-28-2004, 02:57 PM
Our mailserver here started catching it at about 3:00 MST on 1/26. Since we have been blocking about 8 copies a minute. It hasn't let up at all in the past 24 hours.

dirtmomma
01-28-2004, 03:26 PM
Originally posted by Tina
Basically this is how I looked all day...:huh


Thanks ya'll for your help!
Tina
LOL thats funny Tina :D I've looked like that plenty a day hahaha
Well I think I got lucky cuz I ran my virus scan again & there were no infected files found so thats cool!!!!

gojk
01-28-2004, 03:30 PM
Also, Grisoft.com has AVG Virus Scanner that is free and works really well. I have no complaints with it.

01-28-2004, 03:42 PM
Originally posted by xr50layke
i dont check my email :D

yeah same here. when all this is over with, it will take me 2 days to get halfway to the bottom

Tina
01-28-2004, 04:17 PM
Originally posted by dirtmomma
LOL thats funny Tina :D I've looked like that plenty a day hahaha
Well I think I got lucky cuz I ran my virus scan again & there were no infected files found so thats cool!!!!

LOL, usually it's the kids that make me look like that. I just got another email almost identical, I sure hope it wasn't important....
If nothing else, I did get a lot of house work done in between downloads and scans!

seatec
01-28-2004, 04:22 PM
Originally posted by gojk
Our mailserver here started catching it at about 3:00 MST on 1/26. Since we have been blocking about 8 copies a minute. It hasn't let up at all in the past 24 hours.

what do you use? Mail essentials, NEMX?

gojk
01-28-2004, 04:52 PM
We use the Postfix MTA with AMaViS-new passing the e-mails through clamav and back to Postfix for final delivery.
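
An added example, not part of the thread and not gojk's actual configuration: a Python check of the kind a mail gateway applies when it "removes executable files from e-mails", flagging an attachment whose name, or whose zip member name, ends in an executable extension even when the real extension is pushed out of view with spaces, as in the document.zip entry of the Stinger log above. The blocked-extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions this example gateway refuses (assumed list, not from the thread).
BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def risky_name(name):
    """True if the name ends in a blocked extension once whitespace
    padding (e.g. 'DOCUMENT.HTM      .EXE') has been collapsed."""
    cleaned = re.sub(r"\s+", "", name).lower()
    return any(cleaned.endswith(ext) for ext in BLOCKED)

def scan_message(raw_bytes):
    """Return (attachment name, offending file name) pairs for one message."""
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # body text and multipart containers carry no file name
        payload = part.get_payload(decode=True) or b""
        if risky_name(fname):
            hits.append((fname, fname))
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            # Look inside archives: the executable may only exist as a member.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [(fname, m) for m in zf.namelist() if risky_name(m)]
    return hits

def build_sample(member_name):
    """Constructed message: a zip attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "hi"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("DOCUMENT.HTM" + " " * 40 + ".EXE")))
    print(scan_message(build_sample("notes.txt")))
```

A gateway would quarantine or strip any message for which `scan_message` returns a non-empty list; signature scanning such as the clamav stage gojk describes runs in addition to a name-based rule like this one.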