Notices

NSC-040126: New Virus Spreading Rapidly Across Campus - aka Novarg, Mydoom, or Mimail.R

On Monday, January 26th, a new mass-mailing worm named W32/Mydoom@MM (also called W32.Novarg.a@mm) was reported spreading in the wild, and it is spreading quickly across campus. Once the worm infects a computer, it harvests e-mail addresses from that computer and mails copies of itself to them with a spoofed sender address. This means users may receive copies of the worm that appear to come from people they know. Be sure to inform users in your area to scan attachments with anti-virus software before opening them, and to delete any message that matches the description below. As of 6:00 PM on Monday there are no virus signature updates available to protect against the "Mydoom" virus. Check the Help Desk Virus Information Center for updates about this virus at http://www.its.uiowa.edu/cs/helpdesk/virus/

The following things are known about the "Mydoom" virus.

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)

Subject: (Random)

Body: (Varies, such as)

* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

* The message contains Unicode characters and has been sent as a binary attachment.

* Mail transaction failed. Partial message is available.

Attachment: (varies: .exe, .pif, .cmd, or .scr, often inside a ZIP archive) (22,528 bytes)

The icon of the attached file is chosen to make it look like a text file.
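The message traits above can be turned into a gateway or mailbox triage check. The following is an added example written for this notice, not a tool from the University or from any anti-virus vendor: it parses a raw message, looks for the three lure body texts, and flags attachments with the listed executable extensions, looking inside ZIP archives and noting the 22,528-byte payload size. The sample message it builds is constructed for the demonstration; the sender and recipient addresses are placeholders.

```python
"""Triage an RFC 822 message against the Mydoom/Novarg traits listed in the notice.

Added example, not part of the original notice or any vendor tool. The lure body
texts, extensions, ZIP wrapping and 22,528-byte payload size come from the notice;
the sample message built by sample_message() is constructed for the demo.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure body texts from the notice, lower-cased for comparison.
LURE_BODIES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
DANGEROUS_EXT = (".exe", ".pif", ".cmd", ".scr")
PAYLOAD_SIZE = 22528  # bytes, per the notice


def executable_names(filename, data):
    """Return (name, size) pairs for executable files in one attachment.

    A .zip attachment is opened in memory and its members are inspected, so a
    worm hidden inside an archive is still reported.
    """
    name = (filename or "").lower()
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [(i.filename, i.file_size) for i in zf.infolist()
                        if i.filename.lower().endswith(DANGEROUS_EXT)]
        except zipfile.BadZipFile:
            return []
    if name.endswith(DANGEROUS_EXT):
        return [(filename, len(data))]
    return []


def triage(raw):
    """Return the list of reasons the message matches the notice; [] means no match."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    for lure in LURE_BODIES:
        if lure in text:
            reasons.append(f"lure body text: {lure!r}")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for name, size in executable_names(part.get_filename(), payload):
            note = f"executable attachment {name} ({size} bytes)"
            if size == PAYLOAD_SIZE:
                note += " matching the 22,528-byte payload"
            reasons.append(note)
    return reasons


def sample_message():
    """Constructed message mimicking the notice's description (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"M" * PAYLOAD_SIZE)  # dummy payload bytes
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # the real worm spoofs this header
    msg["To"] = "user@example.com"
    msg["Subject"] = "hello"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding "
                    "and has been sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in triage(sample_message()):
        print(reason)
```

Run on a real mailbox, feed each message's raw bytes to `triage()` and quarantine anything that returns a non-empty list; a message that matches only on body text but carries no executable is worth a look but is not by itself a detection.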

When this file is run it copies itself to the local system with the following filenames:

* c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr

* c:\WINDOWS\SYSTEM\taskmon.exe

It also drops a DLL in the Windows System directory:

* c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm also listens on TCP port 3127, suggesting remote access (backdoor) capabilities.

METHOD OF INFECTION

The worm tries to spread via e-mail and, if a Kazaa client is present, by copying itself into the client's shared directory.

The mailing component harvests addresses from the local system. Files with the following extensions are searched:

* wab

* adb

* tbb

* dbx

* asp

* php

* sht

* htm

* txt

Additionally, the worm contains a built-in list of strings which it uses to randomly generate, or guess, further addresses.

If you need assistance please contact the Help Desk at 384-HELP (4357) or the IT Security Office at it-security@uiowa.edu

NSC-040126b: W32.Novarg.A@mm Update

The virus that is spreading across campus has been identified as W32.Novarg.A@mm. W32.Novarg.A@mm is a mass-mailer that sends itself to any e-mail address it finds. The virus also appears to propagate through the KaZaa file-swapping service. It has been seen in significant numbers on campus. Do not open the attachment; simply delete the message.

Definitions are available for Norton/Symantec Antivirus software as of 7:20 PM, January 26th. Tell your users to run LiveUpdate immediately to get current definitions. At this time the Pure Message system is also blocking the attachment at the e-mail gateway. This will prevent additional copies of the virus from reaching your inbox, but will do nothing to protect you from the messages that are already there.

The IT Security Office is performing, and will continue to perform, network scans looking for infected machines. You will be notified of any infected machines via the normal NSC building lists.
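One way such a scan can be done is to sweep the local address space for hosts that answer on TCP port 3127, the port the first notice associates with the worm. The following is an added example written for this page, not the IT Security Office's own scanner: the network range, timeout and thread count are assumptions, and a host answering on 3127 is only a lead that should be confirmed against the file and registry indicators above before it is reported.

```python
"""Sweep hosts for a listener on TCP 3127, the port the notice ties to the worm.

Added example, not the IT Security Office's tool. The address range in __main__,
the timeout and the worker count are assumptions for the demonstration.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

MYDOOM_PORT = 3127


def port_open(host, port=MYDOOM_PORT, timeout=1.0):
    """True if a full TCP connect to host:port completes within timeout seconds.

    A refused connection, a timeout and an unreachable host all raise OSError
    and are treated as 'closed', which is what a sweep for a listener wants.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, port=MYDOOM_PORT, timeout=1.0, workers=64):
    """Return the sorted list of hosts on which `port` accepts a connection.

    Connections are attempted in parallel so a /24 finishes in a few seconds
    even when most hosts silently drop the SYN and the probe has to time out.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return sorted(h for h, is_open in results if is_open)


def hosts_in(network):
    """Expand a CIDR network (e.g. '10.0.0.0/24') into a list of host address strings."""
    return [str(a) for a in ipaddress.ip_network(network, strict=False).hosts()]


def local_listener():
    """Open a listening socket on an ephemeral loopback port (used to exercise sweep())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Assumed campus subnet for the demonstration; replace with your own range.
    suspects = sweep(hosts_in("10.0.0.0/24"))
    for host in suspects:
        print(f"{host}: TCP {MYDOOM_PORT} open, check for taskmon.exe and shimgapi.dll")
```

Run it from a host that is allowed to scan the range; anything that answers is a candidate for the cleanup steps below, not a confirmed infection, since any other service bound to 3127 would answer the same way.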

Currently there is no cleanup tool from Norton/Symantec. Cleanup instructions can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

We will notify you when and if a tool becomes available.

Copyright © 2005 The University of Iowa. All rights reserved.