[ISN] New worm avoids feds for now

From: William Knowles (wk@private)
Date: Wed Jan 28 2004 - 02:43:39 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.fcw.com/fcw/articles/2004/0126/web-virus-01-27-04.asp
    
    BY Rutrell Yasin 
    Jan. 27, 2004
    
    A new mass-mailing computer worm that began rapidly spreading 
    throughout the Internet Jan. 26 apparently avoids targeting the e-mail 
    addresses of government agencies, military facilities and large 
    software companies, according to a security expert at a leading 
    antivirus firm.
    
    The worm -- known as MyDoom, W32.Novarg.A@mm, Shimgapi or as a variant 
    of the MiMail worm -- is an encrypted program that creates a 
    mass-mailing of itself, which may clog mail servers or degrade network 
    performance.
    
    By avoiding federal sites and large software companies, the worm's 
    author could be "attempting to get lead time before antivirus 
    definitions" are written to block the worm, said Alfred Huger, senior 
    director of engineering with Symantec Security Response, a unit of 
    Symantec Corp. that tracks and responds to virus outbreaks. If the 
    worm started attacking .mil and .gov e-mail addresses as well as 
    antivirus vendors, then signatures could be written to thwart it much 
    sooner, he said. Symantec and other leading antivirus vendors have 
    pushed out software updates to customers to help protect against the 
    worm.
    
    A likely target appears to be The SCO Group, a provider of Unix 
    software based in Lindon, Utah. SCO has stirred emotions in the Linux 
    community by claiming that important pieces of the open-source 
    operating system are covered by SCO's Unix copyright. The worm is 
    programmed to instruct infected PCs to send a flood of bogus traffic, 
    or a denial-of-service attack, to SCO's Web server Feb. 1 through Feb. 
    12. The worm can also drop a backdoor program onto a PC, allowing an 
    intruder to take control of the machine, Huger said.
    
    Although Novarg is comparable to other mass-mailing worms such as 
    Sobig and MiMail, the latest worm is "written a little more robustly," 
    Huger said. Other worms require either a mail server to be present on 
    a network or access to a Domain Naming Server to spread. This one 
    "comes with both pieces of functionality written in it," he said.
    
    Novarg arrives with an attachment with an .exe, .scr, .zip, or .pif 
    extension and a subject line of "Mail Delivery System," "Test" or 
    "Mail Transaction Failed."
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


