View Full Version : What is "Worm.sco.a" up to??



Billy T
27-01-2004, 04:59 PM
Hi Team

I was just doing a routine email download and No 1 son's Freenet account suddenly started downloading 58 emails. It usually has only 4 or 5 items of spam in there as he doesn't actually have access to it from his computer and never has. The spam dates back to the previous owner of the address who surfed not wisely but too well, straying into all sorts of nasty sites (hence the embargo on said son using it).

I killed the download but not before I saw a message from cytanet.com.cy saying that they had rejected a virus apparently sent from his email address. The virus was worm.sco.a but I can't find it in my Norton AV definitions or on Google.

Is it new?

I am currently scanning the recipient computer for viruses just in case.

Cheers

Billy 8-{) :|

Jim B
27-01-2004, 05:06 PM
W32.Novarg.A@mm [Norton]
W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]

Billy T
27-01-2004, 05:10 PM
Ah so!

Are they all the same virus?

I hope the email address was spoofed then, but the AV is up to date on that box as of minutes before this started so we'll see if the scan picks up an infection.

Cheers

Billy 8-{)

Biggles
27-01-2004, 05:32 PM
It's spreading pretty fast.

Symantec's note on it (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html)

Biggles
27-01-2004, 05:34 PM
And it does in fact seem to be targeting SCO with a denial of service attack launched from infected PCs.

New virus infects PCs, whacks SCO (http://news.com.com/2100-7349_3-5147605.html?tag=nefd_lede)

Billy T
27-01-2004, 06:06 PM
Okay, I'm light on virus experience, not having had an infection ever (crossed fingers as I type this), though I have intercepted about five prior to infection over the last seven or eight years. Nortons has just completed a full scan without finding anything and I have all mail scanned on download too.

Can I assume that the use of my son's email address is a spoof, or should I keep looking for an infection in this particular box which is the only one I use to download email?

Cheers

Billy 8-{) :)

metla
27-01-2004, 06:06 PM
Best use of a virus I have seen so far.

Chilling_Silently
27-01-2004, 06:42 PM
> Best use of a virus i have seen so far.
>

Amen to that...
I thought the MS.Blaster was a pretty cool idea too ;-)

miknz
27-01-2004, 07:32 PM
I have had a heap of bounced emails returned to me today infected with the above virus. This is strange because I have not sent any this afternoon and the home PC was off when the emails were returned. I ran AVG and it picked up WORM_MIMAIL.R. All the bounced emails have been stamped with the Xtra email virus scanner but I can't see who they were sent to or whether they really came from me???

anyone have any ideas on this ?

mike

miknz
27-01-2004, 07:34 PM
Just found that one of the emails returned to me has the following .dat file attached to it; can anyone decode this?

Reporting-MTA: dns; mail.budget.co.nz
Arrival-Date: Tue, 27 Jan 2004 14:15:36 +1300 (NZDT)

Final-Recipient: rfc822; lchoat@budget.co.nz
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; maildir delivery failed: create
/home/lchoat/Maildir/tmp/1075172783.22772_15.mail.budget.co.nz: Permission
denied



cheers
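The .dat attachment quoted above is a standard delivery status notification (the message/delivery-status part of a bounce, RFC 3464): a per-message block naming the reporting mail server and arrival time, a blank line, then one block per failed recipient with Action, Status and the server's Diagnostic-Code. The parser below is an added example, not something posted in the thread; it uses the report from the post as its sample input and tolerates the unindented line wrapping the forum applied to the Diagnostic-Code, which a strict DSN would fold with leading whitespace.

```python
"""Parse the RFC 3464 delivery status notification quoted in the post above.

Added example, not from the thread. Layout of a DSN: a per-message block
(Reporting-MTA, Arrival-Date), a blank line, then one per-recipient block
(Final-Recipient, Action, Status, Diagnostic-Code) for each failed address.
"""
import re
from typing import Dict, List, Tuple

# The report from the post, copied verbatim. A strict DSN folds long fields
# with leading whitespace; here the Diagnostic-Code wrapped without it, so the
# parser treats any line that does not look like "Name: value" as a
# continuation of the previous field.
SAMPLE_DSN = """Reporting-MTA: dns; mail.budget.co.nz
Arrival-Date: Tue, 27 Jan 2004 14:15:36 +1300 (NZDT)

Final-Recipient: rfc822; lchoat@budget.co.nz
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; maildir delivery failed: create
/home/lchoat/Maildir/tmp/1075172783.22772_15.mail.budget.co.nz: Permission
denied
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# First digit of the enhanced status code (RFC 3463).
STATUS_CLASS = {"2": "success", "4": "transient failure", "5": "permanent failure"}


def _parse_fields(block: str) -> Dict[str, str]:
    """Turn one header-style block into {lower-cased name: unfolded value}."""
    fields: Dict[str, str] = {}
    current = None
    for line in block.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current = match.group(1).lower()
            fields[current] = match.group(2).strip()
        elif current is not None and line.strip():
            # folded (leading whitespace) or, as here, plainly wrapped continuation
            fields[current] += " " + line.strip()
    return fields


def _split_typed(value: str) -> Tuple[str, str]:
    """'rfc822; user@host' -> ('rfc822', 'user@host'); 'dns; mta' likewise."""
    kind, sep, rest = value.partition(";")
    return (kind.strip().lower(), rest.strip()) if sep else ("", value.strip())


def parse_dsn(text: str) -> dict:
    """Return the reporting MTA and one record per recipient the DSN covers."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]
    if not blocks:
        raise ValueError("empty delivery status notification")
    per_message = _parse_fields(blocks[0])
    mta_type, mta = _split_typed(per_message.get("reporting-mta", ""))
    recipients: List[dict] = []
    for block in blocks[1:]:
        fields = _parse_fields(block)
        _, address = _split_typed(fields.get("final-recipient", ""))
        status = fields.get("status", "")
        recipients.append({
            "recipient": address,
            "action": fields.get("action", "").lower(),
            "status": status,
            "status_class": STATUS_CLASS.get(status[:1], "unknown"),
            "diagnostic": fields.get("diagnostic-code", ""),
        })
    return {
        "reporting_mta": mta,
        "reporting_mta_type": mta_type,
        "arrival_date": per_message.get("arrival-date", ""),
        "recipients": recipients,
    }


def describe(dsn: dict) -> List[str]:
    """One plain-English line per recipient, handy when reading a pile of bounces."""
    return [
        f"{dsn['reporting_mta']} reports {r['status_class']} ({r['status']}) "
        f"delivering to {r['recipient']}: {r['diagnostic'] or 'no diagnostic'}"
        for r in dsn["recipients"]
    ]


if __name__ == "__main__":
    for line in describe(parse_dsn(SAMPLE_DSN)):
        print(line)
```

Read this way, the report says only that mail.budget.co.nz received a message addressed to lchoat@budget.co.nz and could not write it into that user's maildir. A DSN is sent to whatever Return-Path the original sender supplied, so receiving one tells you that address was used as the claimed sender, not that the message left your machine.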

Jen C
27-01-2004, 07:42 PM
> Can I assume that the use of my son's email address
> is a spoof, or should I keep looking for an infection
> in this particular box which is the only one I use to
> download email?

One of mine was a spoofed addy - rejected email from MAILER-DAEMON@oulu.fi because it was addressed to an unknown user at oulu.fi and contained an attached filename of "readme.zip" which would have been the worm. It quite clearly had my home email addy in the return path. My system is unaffected (being Linux) so I know it didn't originate from me.

If your NAV is freshly updated and doesn't detect the worm your box should be clean (until the next variant gets released).

Billy T
27-01-2004, 07:57 PM
Well :(

I have just finished downloading over 60 messages from my son's account, nearly all of them carrying a live virus payload. Norton caught each one and cleaned it on the way through, but at 20 seconds per message that was a long time to sit waiting.

Now I need to get an anti-spam program that lets me check and delete without downloading. I thought Mailwasher did this but on reading the June 2003 PCW article I see no sign of that feature.

What program do I need? I can't stand the thought of clearing hundreds tomorrow X-(.

BTW, the suffixes were doc.doc, doc.txt, pif, scr, zlo, zlg, htm, and bat.

The zl* suffixes were for the files picked up by ZoneAlarm and quarantined before Norton got hold of them. I'm not sure what the precise mechanism is for that as I thought it would be one or the other program catching them, not both.

Cheers

Billy 8-:) :|

Megaman
27-01-2004, 08:38 PM
Hmmm... I might run Norton AntiVirus update before getting email tonight ;)

Martina
27-01-2004, 08:52 PM
Hi Billy T - Mailwasher does allow for checking & deletion of mail without downloading, I use it every day.

M...

Billy T
27-01-2004, 09:00 PM
Ta M

BT :D

Laura
27-01-2004, 09:02 PM
AVG Antivirus Free Edition has an update with the release date 26-01-04.

If that's northern hemisphere timing, we can hope it covers this...?

If not, watch for more very soon.

(Just posted a similar message on another thread when I saw this one)

Obviously common sense about opening any email attachments should prevail regardless.

gerrypics
27-01-2004, 10:06 PM
MyDoom, AVG had an update for this at about 1pm today. From what I can gather about 2 hours after it surfaced.

beama
27-01-2004, 11:14 PM
Just had a virus alert notification on this one from C.A. This virus does pretend to be a bounced email, so I would not open any bounced emails. From what I can find out so far about this one the attachment is a .scr (hidden file extension again I suppose).
For Outlook and Outlook Express users, disable the preview pane (once an email is previewed, which is the same as you opening it, do I need to say more?). Do this by going to View... Layout. Just one thing that may help you prevent infection.

Billy T
28-01-2004, 10:49 AM
Update:

As of 10pm last night, my son's account had received 87 virus-related emails, of which 70 carried the live virus payload. The other 17 were bounces of messages auto-cleaned by other ISPs.

What was interesting was the number of reputable NZ companies that have either been infected or have strayed into XXX sites where their email address has been harvested.

I haven't dared open that account this morning, instead I have downloaded Mailwasher and will delete them tonight without downloading. I think I might dump that email address!!!!

Cheers

Billy 8-{)

Chilling_Silently
28-01-2004, 11:35 AM
Just something you might like Billy:
I have 3 Email addresses.
One main address with Orcon, the other two are re-directs to this.

I use the Main one for long-term contacts, or people I'll meet in Real-Life (Such as friends/relatives/business contacts). This is because it's my firstname_lastname@orcon...
I've then got another @Orcon.... Redirects to the main one
Then there's another I use to sign up to whatever I may need to online. Should I start getting Spam, I'll just drop my 3rd one and change it from its current to something else.

That way any mail that would go to it simply bounces at the ISP level, and I have a fresh start....

Just something I thought you might like to know, works for me ;-)


Chill.

Murray P
28-01-2004, 01:43 PM
Just received my first email without a subject line but containing the worm. So, it might be timely to be suspicious of all emails (if you ain't already), not just the ones with the subject lines discussed by the AV people.

Billy, a lot (not all) of those companies/peoples addresses will have been spoofed. I know some of my addy's are flying around the country at the mo because they and/or my url, are listed on a couple of organisations sites and in more than a couple of address books that I know to be infected. As you say, they are more likely to be prefixed with a bogus name when they arrive, but the company/addy name is real enough.

Funny thing is, I have received no viruses in my trash accounts (used as per Chill's suggestion) or personal ones. Only the business accounts have been hit with a good proportion of the addy's being known to me or from reputable institutions.

Cheers Murray P

Billy T
28-01-2004, 04:47 PM
> Funny thing is, I have received no viruses in my
> trash accounts (used as per Chill's suggestion) or
> personal ones. Only the business accounts have been
> hit with a good proportion of the addy's being known
> to me or from reputable institutions.

Interesting Murray, although the first wave came on my son's account, and for good reason given its history, I too have received no viruses in any of the five other trash accounts that I operate.

Today I started receiving virus emails on my business account which receives almost no spam. I have jealously guarded that address for years as it includes my company name, however it must have been harvested from one of my clients.

The actual address is billy@mycompany-name.co.nz but I have received emails with Billy replaced by over 25 different names@mycompany.co.nz. I am intrigued to find out how that aspect of the exploit is handled as anything sent with those names up-front would be automatically rejected by the server. Does anybody know how they hide the correct address and show only the fake without both appearing in the electronic audit trail?

Cheers

Billy 8-{) :|

On the bright side, I downloaded Mailwasher and was able
to dispose of over 200 messages in a couple of minutes.

metla
28-01-2004, 04:58 PM
Why would they be rejected by the server?

All of the URLs I own automatically have a catch-all email account.

You could send hkgedihbwei@computermedic.co.nz and I would receive it.

Jim B
28-01-2004, 05:59 PM
metla is correct.

Anything put in front of your domain name is a valid address and will be delivered to you. You can check this by sending an email to yourself with any sort of name before your domain name.

You can get whoever is hosting your domain to set up mail rules so specific names are pointed to your normal email address for downloading, and anything else, which will go to the default catch-all, can be set up to go to a non-existent address so you won't receive them.
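Billy's question a few posts up (how the fake names get in front of his domain without the real address showing in the audit trail) and Jim B's catch-all answer both come down to the same thing, and the script below is an added example rather than anything posted in the thread. SMTP records nothing about a sender beyond what the sending program claims: the HELO name, the MAIL FROM address (which becomes Return-Path) and the From: header are all free text, and a worm that carries its own mail engine and connects straight to the recipient's server, as this one does, writes whatever it likes into them. The one part of the trail the sender cannot write is the Received: line each receiving server prepends, which records the IP address that actually connected. The lowest Received: line is therefore the best evidence of origin, while the invented names@mycompany.co.nz are simply accepted by a catch-all account. The domain is the placeholder from Billy's post; the hostnames, addresses and RFC 5737 test-range IPs in the sample message are constructed for this example.

```python
"""Where does a message with a forged sender actually come from?

Added example, not from the thread. It walks the Received: chain of a
constructed message (earliest hop first), compares what the sender claimed
(HELO, From:, Return-Path) with what the receiving server recorded (reverse
DNS and IP), and shows what a mail server does with a local part it has
never heard of, with and without a catch-all.
"""
import email
import re
from email.message import Message
from typing import Dict, List, Optional

# Placeholder domain from the post above; hostnames, IPs (RFC 5737 test
# ranges) and addresses below are constructed for this example.
LOCAL_DOMAIN = "mycompany.co.nz"
ACCEPTED_LOCAL_PARTS = {"billy"}

SAMPLE_MESSAGE = """Return-Path: <jane@partner-firm.example>
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by mail.mycompany.co.nz (Postfix) with ESMTP id 4F2A1C
        for <accounts@mycompany.co.nz>; Wed, 28 Jan 2004 10:02:11 +1300 (NZDT)
Received: from partner-firm.example (dsl-198-51-100-77.isp.example [198.51.100.77])
        by mx.example.net (Postfix) with SMTP id 9B3C7E
        for <accounts@mycompany.co.nz>; Wed, 28 Jan 2004 10:02:05 +1300 (NZDT)
From: jane@partner-firm.example
To: accounts@mycompany.co.nz
Subject: Returned mail

(body omitted)
"""

# "from HELO (rdns [ip]) by HOST": HELO is the sender's claim, rdns and ip
# are written by the receiving server from the TCP connection it saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(msg: Message) -> List[Dict[str, Optional[str]]]:
    """Received: lines in transit order (earliest hop first)."""
    hops = []
    for raw in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(str(raw).split()))  # unfold
        if match:
            hops.append(match.groupdict())
    hops.reverse()  # each server prepends, so header order is newest-first
    return hops


def _base_domain(name: Optional[str]) -> str:
    # Crude last-two-labels heuristic (no public suffix list); enough to
    # notice a HELO claiming one organisation from another's address.
    return ".".join((name or "").lower().rstrip(".").split(".")[-2:])


def helo_mismatch(hop: Dict[str, Optional[str]]) -> bool:
    """True when the claimed HELO name is not where the connection came from."""
    rdns = hop.get("rdns")
    if not rdns or rdns.lower() == "unknown":
        return True  # no reverse DNS at all: the claim cannot be corroborated
    return _base_domain(hop["helo"]) != _base_domain(rdns)


def route_recipient(addr: str, accepted: set, catch_all: bool) -> str:
    """What the MX does with an address whose local part it does not know."""
    local, _, domain = addr.strip("<> ").rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return "not-local"
    if local.lower() in accepted:
        return "deliver"
    return "catch-all" if catch_all else "reject"


def analyse(raw: str) -> dict:
    """Claimed sender versus recorded origin, plus recipient handling."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    first = hops[0] if hops else None
    return {
        "claimed_return_path": msg.get("Return-Path", "").strip("<> "),
        "claimed_from": msg.get("From", "").strip(),
        "origin_helo": first["helo"] if first else None,
        "origin_rdns": first["rdns"] if first else None,
        "origin_ip": first["ip"] if first else None,
        "helo_mismatch": helo_mismatch(first) if first else False,
        "hops": hops,
        "recipient_routing": route_recipient(
            msg.get("To", ""), ACCEPTED_LOCAL_PARTS, catch_all=True),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    print(f"claims to be from {report['claimed_from']} "
          f"(Return-Path {report['claimed_return_path']})")
    print(f"first hop: HELO {report['origin_helo']} from "
          f"{report['origin_rdns']} [{report['origin_ip']}], "
          f"mismatch={report['helo_mismatch']}")
    print(f"recipient handling with a catch-all: {report['recipient_routing']}")
```

Only the Received: lines added by servers you trust are worth reading; a sender can prepend fake Received: lines of its own, so start from the line written by your own server and work down until the chain stops being corroborated. Turning the catch-all off, as Jim B suggests, stops the random-name deliveries, with the practical caveat that a server which rejects unknown local parts at SMTP time also confirms to anyone probing it which names do exist.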

Murray P
28-01-2004, 06:00 PM
Billy I was going to do a copy & paste of this Trend Micro page (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R&VSect=T) but, as you will see, it's better left over there and not here. Good info at Symantec as well.

I'm on my second AV update for the day as there is a new variant out (although an old virus type, all the same). Seems like the writer/propagator of this one wants to stay ahead of the chasers, or some evil so & so has jumped on the bandwagon. I hope no PF1'ers get caught by it.

BTW, my host's (not ISP) spam software has picked up the majority of the emails as spam and/or highly likely to be a virus. Then my anti-virus jumped on it, so it never had a chance. Even then I viewed the first one via message source.

Cheers Murray P

Jester
28-01-2004, 06:10 PM
At the risk of putting the knock on me I haven't yet received any of these :|

Billy - as mentioned before you can delete, bounce, mark as spam or all three options to mail on the server with Mailwasher.

I have an older version (before you had to pay for features) available at

http://mailwash.vze.com/

J
:D

Billy T
28-01-2004, 06:19 PM
> Anything put in front of your domain name is a valid
> address and will be delivered to you. You can check
> this by sending an email to yourself with any sort
> of name before your domain name

Well I'll be.........:O :O

I just checked for myself and metla is right. :8} :_|

I'll have to get onto my host (private company) and ask them to block all but the correct name. If I don't, I'm betting that after all this circulation of my email address I will be up to my eyeballs in spam.

Cheers

Billy 8-{)
As I live and learn!

Laura
29-01-2004, 02:38 AM
Bump for an obviously important danger which got too far down the list too fast.

People who haven't turned on their machines recently should read this thread.