Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
New Virus Alert

 
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 23 May 2013
Posts: 10271
Location: sunny California

PostPosted: Mon Jan 26, 2004 5:04 pm    Post subject: New Virus Alert

New Worm Spreading Rapidly Across

http://story.news.yahoo.com/news?tmpl=story&cid=582&e=1&u=/nm/20040127/wr_nm/tech_internet_worm_dc

Security experts warned on Monday about a new virus outbreak that was spreading quickly across the Internet.

The new virus, dubbed MyDoom or Novarg, is a mass-mailing worm that arrives as an attachment with an .exe, .scr, .zip or .pif extension and can have a subject line of "test" or "status."

It mails itself out to addresses in the victim's computer and is clogging mail servers and degrading network performance at companies, experts said.

Symantec's report here:

W32.Novarg.A@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Update your antivirus software!
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Jan 26, 2004 9:47 pm

I was going to post that one, Suzi, ya beat me to it! lol
wawadave
Warrior Obsessed

PostPosted: Tue Jan 27, 2004 8:53 am

RAV has a bit more detail on this virus.
RAV Virus Alert
-----------------
VIRUS ALERT! Win32/Mydoom.A@mm
January 27, 2004 - RAV AntiVirus Team is alerting all computer users that a
dangerous Internet worm, called Win32/Mydoom.A@mm, is reported to have a high
infection level in the last 24 hours. This worm is classified as "Potentially
destructive" by RAV Team and its spreading process has been carefully followed
in the last 24 hours.

The signature of Win32/Mydoom.A@mm is included in the database of RAV Engine
starting with January 27, 2004. All RAV AntiVirus products using daily updates
after this date are able to detect and clean the worm.

A short description of the worm is available below.

1. Description
2. How to recognize the worm
3. How to disinfect your computer
4. Evilness
5. More info


1. Description
Win32/Mydoom.A@mm is a fast-spreading mass-mailing Internet worm with a
complex structure that is also able to spread using the Kazaa file sharing
network. It is packed with UPX; its size is about 22.5Kb packed and about 33Kb
unpacked.

The worm is able to spread using the Kazaa file sharing network, and will try
to copy itself into the Kazaa shared folder using one of the names "winamp5",
"icq2004-final", "strip-girl-2.0bdcom_patches", "rootkitXP", "office_crack",
"nuke2004" and one of the extensions ".pif", ".scr", ".exe", ".bat".

To be less suspicious, when executed it drops a file named "message" with
random content and spawns a "notepad.exe" process to open that file.

The worm creates a mutex object called "SwebSipcSmtxS0" to avoid running more
than one copy of itself at the same time. A library named "shimgapi.dll" is
dropped into the "%system%" folder and loaded. Win32/Mydoom.A@mm also copies
itself as "taskmon.exe" into the "%system%" folder. The "shimgapi.dll" library
then sets itself, using a specific registry key, to be loaded by "explorer.exe"
at each computer restart. To be started each time Windows starts, a new entry
called "TaskMon" is created in the
"Software\Microsoft\Windows\CurrentVersion\Run" registry key, with the
"taskmon.exe" path as its value.

Depending on the current time, Win32/Mydoom.A@mm will try to initiate a DoS
attack against www.sco.com by sending HTTP GET requests at regular intervals
from up to 63 simultaneous threads. Also depending on the current system time,
the worm will stop spreading.

Win32/Mydoom.A@mm listens for connections on a large range of ports, working
this way as a proxy server.

For a complete description of the worm, please read
http://www.ravantivirus.com/virus/showvirus.php?v=205


2. How to recognize the worm
The worm can arrive as a mail attachment with a double extension. The first
extension can be ".txt" followed by a large number of spaces, and the second
extension can be ".pif", ".exe", ".cmd", ".scr" or ".bat". The file name will
be randomly chosen from one of the following:
- "document",
- "readme",
- "doc",
- "text",
- "file",
- "data",
- "test",
- "message",
- "body".
The attachment can also be present as a zip archive.

Both the "from" and "to" fields will be spoofed and randomly set to one of the
combinations from the worm hard-coded list.

The "Subject" field will be set to one of the possible values:
- "test",
- "hi",
- "hello",
- "Mail Delivery System",
- "Mail Transaction Failed",
- "Server Report",
- "Status",
- "Error".
And the message body can contain one of the following :
- "test",
- "The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.",
- "The message contains Unicode characters and has been sent as a binary
attachment.",
- "Mail transaction failed. Partial message is available.".


3. How to disinfect your computer
a. click Start>Run and type "regedit";
b. browse to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
OR to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and
delete the following registry value:
"TaskMon" = "%system%\taskmon.exe"
c. update your RAV AntiVirus software;
d. scan and delete all files reported by your RAV AntiVirus product as infected
with Win32/Mydoom.A@mm.
e. restart your computer.

Note1: Incorrect changes to the registry could result in permanent data loss or
corrupted files. We strongly recommend that you back up your system registry
before making any change.
Note2: If you are using Windows Millennium Edition (ME) or Windows XP, you
should disable the System Restore feature before scanning the system with RAV
AntiVirus and re-enable it afterwards. Please contact your system administrator
for information on how to disable this feature.


4. Evilness
Potentially destructive (corrupts data while replicating).


5. More info
The latest details about Win32/Mydoom.A@mm and a complete description can be
found on our website:

http://www.ravantivirus.com/virus/showvirus.php?v=205


RAV Team
Worry less! RAV is watching.

_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
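The lure characteristics in sections 1 and 2 of the RAV alert are enough to write a first-pass mail-gateway triage rule. What follows is an added example, not RAV's or Symantec's code and not part of the post above: it parses a raw message with Python's email module, scores the subject, body and attachment name against the lists in the alert, and shows why the padded ".txt" double extension is the most reliable tell. The scoring weights, the verdict thresholds, the example.com/example.org addresses and the sample messages are all constructed assumptions of this example; spoofed From/To fields cannot be judged offline and are not scored. It deliberately matches only what the alert describes: a name with no spaces between the two extensions is not flagged.

```python
"""Triage inbound mail for the MyDoom.A / Novarg.A lures listed in the
RAV alert.  Added example, not RAV's or Symantec's own code: the subject,
body, filename and extension lists come from the alert; the scoring
weights, verdict thresholds and sample messages are constructed."""
import email
import re
from email import policy
from typing import Dict, List, Optional

# Lure vocabulary from RAV alert sections 1 and 2 (lower-cased for matching).
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODY_PHRASES = (
    "the message cannot be represented in 7-bit ascii encoding",
    "the message contains unicode characters",
    "mail transaction failed. partial message is available",
)
NAMES = {"document", "readme", "doc", "text", "file", "data", "test",
         "message", "body"}

# <name>[.txt<spaces>].<ext>: the run of spaces pushes the real extension
# out of the narrow attachment column a mail client shows the user.
ATTACH_RE = re.compile(r"([a-z]+)(\.txt {2,})?\.(pif|exe|cmd|scr|bat|zip)")

# Assumed weights: the padded double extension is the clearest indicator.
WEIGHTS = {"padded-double-extension": 3, "executable": 2, "zip": 1,
           "subject": 1, "body": 1}


def attachment_indicator(filename: Optional[str]) -> Optional[str]:
    """Classify an attachment name; None when it does not fit the lure."""
    if not filename:
        return None
    m = ATTACH_RE.fullmatch(filename.strip().lower())
    if not m:
        return None
    name, padding, ext = m.groups()
    if padding:
        return "padded-double-extension"   # flagged whatever the base name
    if name not in NAMES:
        return None
    return "zip" if ext == "zip" else "executable"


def triage(raw: bytes) -> Dict[str, object]:
    """Parse one RFC 822 message and score it against the MyDoom lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    # "test" only counts as the entire body; the longer phrases as substrings.
    if body.strip() == "test" or any(p in body for p in BODY_PHRASES):
        hits.append("body")

    for part in msg.iter_attachments():
        ind = attachment_indicator(part.get_filename())
        if ind:
            hits.append(ind)

    score = sum(WEIGHTS[h] for h in hits)
    verdict = "quarantine" if score >= 3 else "review" if score else "pass"
    return {"hits": hits, "score": score, "verdict": verdict}


def make_raw(subject: str, body: str, filename: Optional[str] = None) -> bytes:
    """Build a constructed sample message (addresses and content invented)."""
    head = ("From: john@example.com\r\nTo: jane@example.org\r\n"
            f"Subject: {subject}\r\nMIME-Version: 1.0\r\n")
    if filename is None:
        return (head + "Content-Type: text/plain\r\n\r\n" + body + "\r\n").encode()
    return (head +
            'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
            "--B\r\nContent-Type: text/plain\r\n\r\n" + body + "\r\n"
            "--B\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
            "TVqQAA==\r\n--B--\r\n").encode()   # payload is just an "MZ" stub


# Constructed samples: one full lure, one zip variant, one subject-only
# false-positive candidate, one benign message with a PDF.
SAMPLES = {
    "mydoom": make_raw("Mail Delivery System",
                       "The message cannot be represented in 7-bit ASCII "
                       "encoding and has been sent as a binary attachment.",
                       "document.txt" + " " * 40 + ".pif"),
    "zip_lure": make_raw("hi", "test", "readme.zip"),
    "status_only": make_raw("Status", "Weekly status report is in the wiki."),
    "benign": make_raw("Re: lunch", "Noon works for me.", "agenda.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} {triage(raw)}")
```

Subject and body alone only reach "review", which is the right call: "Status" and "test" are common legitimate subjects, and blocking on them would cost more than it saves. The attachment name is what turns a match into a quarantine, and any production rule should in addition look inside the zip variant, which this example leaves as an exercise.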
suzi
Site Admin

PostPosted: Tue Jan 27, 2004 9:22 am

Dave, it's amazing that I actually beat you to it. You are so quick on these.

I had 5 of these suckers in my email inbox this morning. Three different variations of subjects and attachments.
wawadave
Warrior Obsessed

PostPosted: Tue Jan 27, 2004 3:10 pm

Ya, there are too many of them. You're just faster, Suzi!
wawadave
Warrior Obsessed

PostPosted: Fri Jan 30, 2004 8:49 pm

Hello,
These alerts are a bit on the technical side of things, but if you're wondering what system admins and such sometimes face, this is just a brief little tip of the iceberg.
Security Alert, January 29, 2004

Cross-Site Scripting in Nextplace.com E-Commerce Server
Rafel Ivgi discovered that Nextplace.com E-Commerce ASP Engine is
vulnerable to cross-site scripting. By crafting a specially formed
URL, an attacker can cause code of his or her choice to run on the
user's local system. The vulnerability can lead to manipulated Web
content, stolen cookie data, or arbitrary actions under the context of
the user's Web session. Nextplace.com is aware of the problem.
http://winnetmag.com/articles/index.cfm?articleid=41580

Cross-Site Scripting in Oracle HTTP Server
Rafel Ivgi discovered that Oracle HTTP Server is vulnerable to
cross-site scripting. An attacker could craft a specially formed URL
that could cause code of the attacker's choice to run on the user's
local system. The vulnerability might lead to manipulated Web content,
stolen cookie data, or arbitrary actions under the context of the
user's Web session. The vendors are aware of the problem.
http://winnetmag.com/articles/index.cfm?articleid=41579

wawadave
Warrior Obsessed

PostPosted: Tue Feb 03, 2004 1:05 pm    Post subject: Mutating software could predict hacker attacks

Mutating software could predict hacker attacks

http://www.newscientist.com/news/news.jsp?id=ns99994588

10:00 25 January 04

Exclusive from New Scientist Print Edition.

Novel computer viruses and worms can sweep the world within hours, leaving a trail of devastation, because firewalls and antiviral software work by identifying the telltale signatures of known attacks. They are useless against anything completely new.

But now software engineers at Icosystem in Cambridge, Massachusetts, have developed a program that can predict what is coming next by "evolving" future hacker and virus attacks based on information from known ones. The company is testing the technique with the help of the US Army's Computer Crimes Investigation Command in Fort Belvoir, Virginia.

The idea would be to generate these novel attack strategies centrally, then remotely update the intrusion-detection software protecting PCs and networks around the world. This would allow them to recognise attack patterns before hackers have even developed them.

The first version of the system is geared to predict hacking - though the technique is equally applicable to viruses. It works by mutating the short programs or "scripts" that hackers use to invade computers or which they plant on them for later activation.

The result is artificially created hacking routines that security systems could be taught to recognise, allowing them to defend networks against previously unseen attacks.


Self destruct


Most attacks target well-known bugs in commercial web server software. By sending packets of data designed to exploit these flaws, an attacker can gain remote control over a computer or force it to do something self-destructive, like crashing after a certain number of keystrokes.

To defend against such attacks, today's computer networks use software that analyses traffic for signs of malicious activity. For instance, the arrival of data packets at an unusual input port may be a sign that a hacker is trying to flood a section of memory with oversized files in order to overwrite working memory and corrupt data.

But the attack may be modified in some way to confuse such defences - perhaps by combining a number of different attack routines. What is needed is an intrusion detector that can predict hackers' future strategies. And that is what Icosystem claims to have developed.

Its attack prediction system takes known hacking software and systematically mutates it to find the most deadly permutations. The mutations are kept simple so that the code still runs - there is no point in random mutations that render the software useless.


Renamed file


Mutations might involve renaming a file or folder created by hacker code. A small change like this could be enough to foil today's intrusion detection systems. Icosystem's software could also combine portions of different hacker programs to see any more complex attacks that evolve.

"It tries a lot of different mutations and recombinations, but they are all grammatically and syntactically correct," says Eric Bonabeau, chief information officer at Icosystem. "The idea is to continue to evolve scripts and new forms of attacks will undoubtedly emerge."

Chris Wysopal, a consultant with Boston-based computer security firm @Stake, says the approach may lead to a new, smarter generation of intrusion-detection systems.

But he predicts significant performance problems if networks routinely have to search for thousands of modified scripts. "That many signatures would probably slow a detection system down considerably," he warns.


Will Knight
