Discussion in 'WormGuard' started by greg m, Jan 27, 2004.
does any one have anything on the new worm?
Hi greg m - Have you any particular one in mind? As several are let out into the wild nearly every day.
Mydoom.A maybe? My AV picked it up last night.
Not sure that WG would catch this parasite. You have to open the .zip file to let it loose, so in effect you are saying yes - come aboard. I have not tried it as I do know that KAV & NOD32 have protection for this particular threat & would disinfect the email.
Added as i-worm.Novarg to the primaries; if you find it you might like to try for a second opinion online: www.avp.ru > click for the English site > bottom online virus check > submit online your suspicious file and see in a few seconds their opinion.
Sorry to jump in here (I'm just a newbie) but I was interested in the 'worm' thread as several colleagues have had problems with a worm today. It is the 'Mimail.R' which has an alias 'Mydoom.A' (amongst many others) as described by Shelb. My understanding is that this is another variant of the Mimail worm which has been around in many guises since October 2003 (.C,.D etc..).
Indeed, Pilli is correct, the Win32/Mimail.R worm would be UPX packed and attached to an email in .zip format which you would need to execute to cause problems. So look out for any strange attachments to e-mails and be aware that it can also propagate through the Kazaa peer-to-peer file-sharing network!
It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.
It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens port 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
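The two host-side indicators quoted above (a listening port in the 3127-3198 range and the dropped SHIMGAPI.DLL) can be checked with a few lines of script. The block below is an added example written for this thread, not code from DiamondCS, Eset or any vendor; the netstat output and the file list it inspects are constructed sample data, and the helper names are my own.

```python
# Added example (not from the thread): flag the indicators quoted above --
# a LISTENING TCP socket in the 3127-3198 backdoor range and a file named
# SHIMGAPI.DLL -- in constructed "netstat -an" style output and a constructed
# directory listing. Both inputs are made up for this demonstration.
import re

BACKDOOR_PORTS = range(3127, 3199)   # 3127..3198 inclusive, as quoted in the thread
DROPPED_FILE = "shimgapi.dll"

# Matches the Windows "netstat -an" layout: Proto, Local Address, Foreign Address, State
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.I)


def suspicious_listeners(netstat_output):
    """Return (address, port) pairs for LISTENING TCP sockets on 3127-3198."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def dropped_files(paths):
    """Return every path whose basename is shimgapi.dll (case-insensitive)."""
    return [
        p for p in paths
        if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == DROPPED_FILE
    ]


# Constructed sample data (not a real capture): two listeners inside the
# range, one just outside it, plus an unrelated established connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       192.168.1.1:80         ESTABLISHED
"""

# Constructed file list: one exact name match, one near miss.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\SHIMGAPI.DLL",
    r"C:\Documents and Settings\user\Local Settings\Temp\shimgapi.dll.txt",
]

if __name__ == "__main__":
    for addr, port in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"listener in backdoor port range: {addr}:{port}")
    for path in dropped_files(SAMPLE_FILES):
        print(f"dropped-file name match: {path}")
```

A port in that range or a file of that name is a reason to run a proper scanner, not a verdict on its own: any program can listen on 3127 and the worm could be changed to use another file name, so treat these as triage hints alongside the AV signatures mentioned in the thread.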
Just a quick question to Jooske - you mention that it has been added to the primaries as i-worm.Novarg. As I understand it WG protects through script analysis negating the need for primaries and therefore there are no updates to be had. Are you referring to TDS-3 and the protection it offers for this attack?
To confirm what Pilli said you would be protected if you are running NOD32 as this worm was included in the virus signature updates of 8th January 2004.
I knew I could get info here. Another good place to be along with the TDS3.
If you are infected I have just noticed a cleaner for this worm found in the following thread 'MyDoom cleaner from Eset' across on the NOD32 Forum courtesy of Martin vDijk.
There are several around at the moment, spreading at high speed, opening different ports.
The Novarg infected emails have something extra: even though the files are zipped or seem zipped at least, I could not just forward such emails to DCS lab, as they froze completely; I really had to include them completely into a new email to be able to send them on. Best zip the whole bunch if you are not deleting them.
BTW WormGuard will stop the things as well and TDS detects them; you might like to add the file User just posted to the WG block list.
Okay, so does WG detect this or not? Wormguard is supposed to work without having to update a 'list' and this is a classic opportunity for it to show its power as a generic detector. So will, and in fact did, WG detect mydoom without putting 'novarg' in a list?
If you're trying to run the exe it will, as you remember it looks for code, among others.
No, unfortunately Wormguard didn't detect this worm. This is why Wormguard 4 will use some parts if not all of the unpacking support we are working on. The latest worms are mostly compressed EXEs which hides the code from a scanner like Wormguard.
It has detected others however, such as Swen
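Gavin's point above is that a UPX-compressed EXE shows a scanner only the decompression stub and a compressed blob, so code-pattern analysis on the file as stored finds nothing. A scanner without an unpacker can still at least notice the packer, because UPX names the sections it creates. The block below is an added example, not WormGuard or TDS code: a minimal reader of the PE section table, plus a builder for a header-only fake PE image (constructed test data, no code inside it) so the check can be exercised offline.

```python
# Added example (not from the thread or from DiamondCS): read the section
# names of a PE executable and report whether they are the ones UPX writes
# ("UPX0", "UPX1", ...). The sample images are built by build_fake_pe() and
# contain headers only; they are constructed for this demo, not real files.
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Return the section names of a PE image as a list of bytes objects."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    sect = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[sect + i * 40: sect + i * 40 + 8]        # 8-byte Name field
        names.append(raw.rstrip(b"\0"))
    return names


def looks_upx_packed(data):
    """True if any section carries one of the default UPX section names."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names):
    """Construct a header-only PE32 image with the given section names (demo data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                          # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic + zeros
    sections = b""
    for name in section_names:
        sections += name.ljust(8, b"\0") + b"\0" * 32       # 40-byte section header
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    for label, names in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("plain", [b".text", b".data", b".rsrc"])):
        image = build_fake_pe(names)
        print(label, pe_section_names(image), "UPX:", looks_upx_packed(image))
```

Section names are trivial for a worm author to rename, so this flags "probably packed, look closer" rather than "malicious"; it is the cheap check that tells a scanner it needs to unpack (as Wormguard 4 is described as doing) before any code analysis is worth running.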
Gavin, I'm stunned about this message.
Are there known file names we can add to the block list, the dll and exe, or are those chosen at random?
Hope the TDS exec protection will still stop them from executing then.