new worm

Discussion in 'WormGuard' started by greg m, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. greg m

    greg m Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    2
    does any one have anything on the new worm?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi greg m - Have you any particlar one in mind? As several are let out into the wild nearly every day :)
     
  3. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Mydoom.A maybe? My AV picked it up last night.

    See here:
    http://www.wilderssecurity.com/showthread.php?t=20465
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not sure that WG would catch this parasite, You have to open the .zp file to let it loose, so ineffect you are saying yes - come aboard. I have not tried it as I do know that KAV & NOD32 have protection for this particular threat & would disinfect the email :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Addad as i-worm.Novarg to the primaries; if you find it you might like to try for a second opinion online www.avp.ru > click for the english site > bottom online virus check > submit online your suspicious file and see in a few seconds their opinion.
     
  6. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Sorry to jump in here (I'm just a newbie) but I was interested in the 'worm' thread as several colleagues have had problems with a worm today. It is the 'Mimail.R' which has an alias 'Mydoom.A' (amongst many others) as described by Shelb. My understanding is that this is another variant of the Mimail worm which has been around in many guises since October 2003 (.C,.D etc..).

    Indeed, Pilli is correct, the Win32/Mimail.R worm would be UPX packed and attached to an email in a .zip format which you would need to execute to cause problems. So look out for any strange attachments to e-mails and also be aware that it can also propagate through the Kazaa peer-to-peer file-sharing network! :'(

    It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

    It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens port 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.

    This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Just a quick question to Jooske - you mention that it has been added to the primaries as i-worm.Novarg. As I understand it WG protects through script analysis negating the need for primaries and therefore there are no updates be had. Are you referring to TDS-3 and the protection it offers for this attack?

    To confirm what Pilli said you would be protected if you are running NOD32 as this worm was included in the virus signature updates of 8th January 2004. :D
     
  7. greg m

    greg m Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    2
    :D i knew i could get info here. another good place to be along with the tds3.
     
  8. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    If you are infencted I have just noticed a cleaner for this worm found in the following thread 'MyDoom cleaner from Eset' across on the NOD32 Forum courtesy of Martin vDijk.

    :)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are several around at the moment, spreading at high speed, opening different ports.
    The Novarg infected emails have something extra: even thoough the files are zipped or seem zipped at least, i could not just forward such emails to DCS lab, as they froze completely, really had to include them completely into a new email to be able to send them on. Best zip the whole bunch if you are not deleting them.

    BTW WormGuard will stop the things as well and TDS detects them; you might like to add the file User just posted to the WG block list.
     
  10. Okay, so does WG detect this or not? Wormguard is supposed to work without having to update a 'list' and this is a classic opportunity for it to show its power as a generic detector. So will, and in fact did, WG detect mydoom without putting 'novarg' in a list?
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you're trying to run the exe it will as you remember it looks for code, among others.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No, unfortunately Wormguard didnt detect this worm. This is why Wormguard 4 will use some parts if not all of the unpacking support we are working on. The latest worms are mostly compressed EXE's which hides the code from a scanner like Wormguard.

    It has detected others however, such as Swen :D
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin i'm stunned about this message.
    Are there known file names we can add to the block list, the dll and exe or are those chosen ad randum?
    Hope the TDS exec protection will still stop them from executing then.
     
Thread Status:
Not open for further replies.