01-26-2004, 05:20 PM
|
|
CC Member/Contributor
|
|
|
Join Date: Feb 2000
Location: Greenville,
SC
Cobra Make, Engine: 70 Shelby convertible, ERA-289 FIA, 65 Sunbeam Tiger, mystery Ford powered 2dr convertible
Posts: 12,734
|
|
Not Ranked
Update Your Virus Definitions!!!!!!
Ok Folks, you've got a great computer, have your anti virus software installed, but when is the last time you forced an update of your system software????? Today I've noticed a significant increase in the spam and virus filled emails two of my open accounts receive. Just downloaded 2.68 megs of new virus definitions this evening (and I had just done an update on Friday of last week). So just a friendly warning, no matter how good a piece of software is, if you do not constantly seek available updates (check at least once a week), you're leaving your computer open to a wide assortment of new bugs and viruses currently out on the web...................
Hope some of you find this helpful.
Sincerely,
Bill S.
|
01-26-2004, 05:33 PM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2002
Location: God's country,
ME
Cobra Make, Engine: Original ERA 427sc, Powered by Gessford
Posts: 2,678
|
|
Not Ranked
I don't think I'm running any anti-virus software. What do you guys suggest? Also, will any of it cut down on pop ups? I seem to be inundated with pop ups lately. I downloaded one of the free pop up blockers, which is a temporary fix (it expires in 30 days unless I buy it), but need something better long term.
__________________
Replica is not a dirty word.
"If you can't be a good example, then you'll just have to be a horrible warning."
|
01-26-2004, 05:44 PM
|
|
CC Member/Contributor
|
|
|
Join Date: Feb 2000
Location: Greenville,
SC
Cobra Make, Engine: 70 Shelby convertible, ERA-289 FIA, 65 Sunbeam Tiger, mystery Ford powered 2dr convertible
Posts: 12,734
|
|
Not Ranked
Chaplin,
Send me an email.
Bill S.
__________________
Instead of being part of the problem, be part of a successful solution.
First time Cobra buyers-READ THIS
|
01-26-2004, 05:56 PM
|
CC Member
|
|
|
Join Date: Jul 2002
Location: rocky river,
Oh
Cobra Make, Engine: Unique 289FIA / SA 351W / a truly glorious machine
Posts: 3,949
|
|
Not Ranked
Bill,
I just started getting back e-mails that were undeliverable that I didn't send.....
Just started within the last three hours....
Got a strange e-mail that I was hesitant to open but the name sounded somewhat familiar and I went for it... against my better judgement...
Let's see what I have on my machine tomorrow a.m....
Any help on updates would be appreciated.
|
01-26-2004, 06:08 PM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2001
Location: Northport,
NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362
|
|
Not Ranked
At this point, there is no need to go crazy about new definitions...although if you have AV software, you should be doing live updates on a regular basis...
What you are experiencing is a new mass-mailing worm called W32.Novarg.A@mm. It was discovered today and more info is coming as we speak.
THE KEY THING TO LOOK FOR is an attachment that is 22k in size; it may be a .bat, .cmd, .exe, .pif, .scr, or .zip file.
It also may look like a returned-undeliverable e-mail.
The subject of the e-mail may be one of these:
-test
-hi
-hello
-Mail Delivery System
-Mail Transaction Failed Server
Just delete it ...don't peek at the attachment...and you will be fine.
|
01-26-2004, 06:10 PM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2001
Location: Northport,
NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362
|
|
Not Ranked
Quote:
Originally posted by Chaplin
I don't think I'm running any anti-virus software
|
Shame on you!
The best to buy is Norton Antivirus... no contest.
The best free downloadable one is AVG.
|
01-26-2004, 06:28 PM
|
CC Member
|
|
|
Join Date: Jul 2002
Location: rocky river,
Oh
Cobra Make, Engine: Unique 289FIA / SA 351W / a truly glorious machine
Posts: 3,949
|
|
Not Ranked
Quote:
Originally posted by computerworks
At this point, there is no need to go crazy about new definitions...although if you have AV software, you should be doing live updates on a regular basis...
What you are experiencing is a new mass-mailing worm called W32.Novarg.A@mm. It was discovered today and more info is coming as we speak.
THE KEY THING TO LOOK FOR is an attachment that is 22k in size; it may be a .bat, .cmd, .exe, .pif, .scr, or .zip file.
It also may look like a returned-undeliverable e-mail.
The subject of the e-mail may be one of these:
-test
-hi
-hello
-Mail Delivery System
-Mail Transaction Failed Server
Just delete it ...don't peek at the attachment...and you will be fine.
|
I think I just got screwed..... Tried to open a .zip file about that size... Didn't get it opened... but started getting returned mail that I didn't send...
What's the next move????
Did I just hand over my address book???
|
01-26-2004, 06:34 PM
|
CC Member
|
|
|
Join Date: Jul 2002
Location: rocky river,
Oh
Cobra Make, Engine: Unique 289FIA / SA 351W / a truly glorious machine
Posts: 3,949
|
|
Not Ranked
Also got an e-mail from Amazon for a salesconfirm but I deleted that one only because we didn't order anything from them...
My wife just yelled up that she had heard about that one last week.
|
01-26-2004, 06:43 PM
|
|
CC Member
|
|
|
Join Date: Nov 2003
Location: Annapolis,
MD
Cobra Make, Engine: Unique, 427SO, it runs
Posts: 2,636
|
|
Not Ranked
Yep....Norton anti-virus is worth the price 10-fold. Even if you're infected, there is a good chance it will fix it. It also notifies you when you need to do a live update to handle a new virus def.
Buy it!
__________________
Clay
|
01-26-2004, 07:08 PM
|
|
CC Member
|
|
|
Join Date: Sep 2002
Location: Baton Rouge, Louisiana,
La.
Cobra Make, Engine: Waiting to Order a BDR, engine to be a SA C408. TKO to hook it up.
Posts: 1,259
|
|
Not Ranked
I've just had a spike in emails with .exe .pif .scr etc files attached. Well actually this is the first time I've been getting them. One tried to get my email client to act as a relay or something. Panda & Zonealarm figured out what was going on and kept this under control. The email came from a norcal-saac.org address. Never had or sent an email to that address before.
Heads up y'all
regards
Doug I
__________________
Pull a gear .... drop the hammer .... and enjoy the Drive !!
|
01-26-2004, 08:46 PM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2001
Location: Northport,
NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362
|
|
Not Ranked
(Sorry for the long-winded, techie stuff here, but this worm may get epidemic in the next few days).
As of this evening, both McAfee and Trend Micro Antivirus software will detect and fix this worm, as well as Norton. McAfee recognizes it as W32/Mydoom@MM and Trend sees it as WORM_MIMAIL.R.
If you did open the attachment, it did the following:
It creates the following files:
"shimgapi.dll" in %System%
"Message" in %temp%. This file is full of random letters and is displayed via Notepad.
"taskmon.exe" in %System%. If a copy of taskmon.exe exists in the %System%, it is overwritten and replaced by this copy of the worm.
Shimgapi.dll acts as a proxy server. It opens TCP ports in the range of 3127 to 3198 for listening.
Adds the value
TaskMon = %System%\taskmon.exe
to the registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Can perform a Denial of Service against www.sco.com. Creates 64 threads which send GET requests. The DoS is active between February 1, 2004 and February 12, 2004.
Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Searches for email addresses in files with the following extensions. It ignores addresses which end in ".edu".
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt
Attempts to send emails by using its own SMTP engine. It performs a lookup of the mail server of the recipient in order to send. If it is unsuccessful it will use the local mail server.
The email will have the following characteristics:
From: may be a spoofed from address
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment:
document
readme
doc
text
file
data
test
message
body
with one of the following suffixes:
pif
scr
exe
cmd
bat
zip
Copies itself to KaZaA download directory as one of the following files:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with a file extension of pif or scr or bat
To get rid of it
Update your virus definitions, disconnect from the internet, scan and delete any file that is found to be infected.
Then, CAREFULLY edit the Registry to remove the starter files:
(If you have never edited the Registry, and are unsure of what you are doing, ask for help from someone who can do it)
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"Taskmon"="%System%\taskmon.exe"
Navigate to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and delete it.
Navigate to the key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and delete it.
Exit the Registry Editor.
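A scripted check for the indicators listed in the post above, as an added example that is not part of the original post: it scans saved `netstat -an` and `reg query` output for a listener on TCP 3127-3198, the TaskMon Run value and the ComDlg32\Version key. The function names and the sample output are constructed for illustration.

```python
import re

# Indicators taken from the post above.
PROXY_PORTS = range(3127, 3199)  # TCP 3127-3198 inclusive
RUN_SUFFIX = r"\windows\currentversion\run"
VERSION_SUFFIX = r"\windows\currentversion\explorer\comdlg32\version"

def listening_proxy_ports(netstat_text):
    """Return sorted TCP ports in the worm's range that are LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = f[1].rsplit(":", 1)[-1]  # also handles [::]:3127
            if port.isdigit() and int(port) in PROXY_PORTS:
                ports.add(int(port))
    return sorted(ports)

def registry_findings(reg_text):
    """Return (kind, key) pairs for the Run value and the marker key."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):  # key header line
            key = line.strip()
            if key.lower().endswith(VERSION_SUFFIX):
                findings.append(("marker-key", key))
            continue
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)", line)  # name, type, data
        if (m and key.lower().endswith(RUN_SUFFIX)
                and m.group(1).lower() == "taskmon"
                and m.group(2).strip().lower().endswith(r"\taskmon.exe")):
            findings.append(("run-value", key))
    return findings

# Constructed sample evidence (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3150          203.0.113.9:80         ESTABLISHED
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    TaskMon    REG_SZ    C:\WINDOWS\system32\taskmon.exe
    Updater    REG_SZ    C:\Program Files\Example\upd.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
"""
```

Only listening sockets count, so the established outbound connection from local port 3150 in the sample is not reported.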
|
01-26-2004, 08:54 PM
|
|
Super Moderator
|
|
|
Join Date: May 2001
Location: Fresno,
CA
Cobra Make, Engine: KMP 184/482ci Shelby
Posts: 14,448
|
|
Not Ranked
Or pound your fist on the keyboard a half dozen times...much more satisfying.
__________________
Jamo
|
01-26-2004, 08:57 PM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2001
Location: Northport,
NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362
|
|
Not Ranked
...that'll help.
Real-time updates as more about this worm is discovered can be found here:
http://securityresponse.symantec.com...varg.a@mm.html
|
01-26-2004, 08:59 PM
|
CC Member
|
|
|
Join Date: Jul 2002
Location: rocky river,
Oh
Cobra Make, Engine: Unique 289FIA / SA 351W / a truly glorious machine
Posts: 3,949
|
|
Not Ranked
Ron,
Just spent an hour surfing the registry to get rid of that worm..
Actually, I found another virus while searching this one out..
I had some help navigating the registry and had to back out on several occasions.... No way I could have done it without help.
Your explanation is right on the money...
Bill S.
Thanks for the heads-up early in the evening... Just missed your warning by about an hour...
al
|
01-27-2004, 08:12 AM
|
|
CC Member
|
|
|
Join Date: Mar 2000
Location: Fairfield, NJ, USA,
NJ
Cobra Make, Engine: A & C, 351W, Tremec 3550. Exiled Member: Club Cranky
Posts: 5,897
|
|
Not Ranked
My isp strips out most, if not all viruses. Had two attempts by the new Doom today. What the isp does not catch McAfee gets.
Roscoe
__________________
Roscoe
"Crisis occurs when women and cattle get excited!"....James Thurber
|
01-27-2004, 08:29 AM
|
|
Renegade Nuns on Wheels
|
|
|
Join Date: Aug 2001
Location: columbus,
Oh
Cobra Make, Engine: Unique 427 roadster with 351C-4B
Posts: 5,129
|
|
Not Ranked
SPYBOT is freeware that will help with the popups, amongst other things.
Ron, Computerworks, I use Norton Anti-virus (and yes folks, it is good), actually I have Norton's firewall and complete set of system tools, and I have a question about spyware/adware. I searched Norton's site with little help found. I want to be sure that Norton is taking care of spyware/adware. I want to be able to scan for these using Norton. And how in the HE!! do you get the &^%&ing Ad Trashcan to work!
Any help would be appreciated.
For those with Norton, set up the live update. Whenever you are on it will check for updates for you.
Thanks
Rick
|
01-27-2004, 08:36 AM
|
|
Senior Club Cobra Member
|
|
|
Join Date: Mar 2001
Location: Northport,
NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362
|
|
Not Ranked
Rick..
..only the newest version of Norton (2004) deals with ad/spyware. I am not convinced they have it right yet.
I use three tools:
1. AdAware (Lavasoft) as a first pass. We leave it on the system, since it is the most 'end-user friendly' program of the bunch.
2. Spybot Search and Destroy for the second pass. CAUTION...don't wholesale delete everything that Spybot finds. It will detect legitimate software that 'talks' to the Internet as well as the bad stuff. Scroll thru its results and uncheck the programs that you think should remain. e.g. It detects components of MS Works as spyware.
3. Finally, a program called Cool Web Shredder, that is designed to specifically remove and repair any browser hijacks, i.e., things that change your home page or your search page in MSIE.
|
01-27-2004, 08:42 AM
|
|
CC Member
|
|
|
Join Date: Jun 1999
Location: Bay Area,
FL
Cobra Make, Engine: What Cobra?
Posts: 7,193
|
|
Not Ranked
Norton Antivirus wouldn't have helped in this case.
The virus was out before there was a fix.
If you were infected before the cure, there wasn't a whole lot AV programs could have done.
Its worst danger is that it opens up a TCP port somewhere in the 3000 range that would allow someone to remotely administer the computer.
I got infected when Norton was already aware of it, but didn't have a fix for it until later in the day.
Best advice is NOT to open attachments that look suspicious.
TURK
POP-UPS: If you are already using Google Tool bar (hopefully downloaded directly from Google website) it has a Pop Up blocking feature that is 100% effective,
__________________
OBAMA IN in 2012
Last edited by Turk; 01-27-2004 at 08:45 AM..
|
01-27-2004, 09:27 AM
|
CC Member
|
|
|
Join Date: Jul 2003
Location: Fort Pierce,
FL
Cobra Make, Engine:
Posts: 141
|
|
Not Ranked
Thanks for the timely info guys. I got one this morning entitled test with a sent date of 1/26/04. I knew something was awry because I didn't send it. There was no attachment though because we strip all files with the aforementioned extensions from all SMTP traffic.
Then a user called saying that someone outside the organization had received something from her entitled hello. I ran a scan with PANDA and found nothing.
A few minutes later I spotted this thread and, voila!
By the way, according to Symantec, this thing is set to launch a Denial of Service attack on Feb. 1, 2004. It also has a trigger date to stop spreading on Feb. 12, 2004.
Last edited by Bill V; 01-27-2004 at 11:01 AM..
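Gateway filtering of the kind described in the post above, using the subject, attachment-name and suffix lists posted earlier in this thread, as an added example that is not part of the original posts. The function names, the verdict labels and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lists as posted earlier in the thread.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BASENAMES = {"document", "readme", "doc", "text", "file", "data",
             "test", "message", "body"}
SUFFIXES = {"pif", "scr", "exe", "cmd", "bat", "zip"}

def matched_traits(raw):
    """Return which of the listed traits a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = set()
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        traits.add("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if "." not in name:
            continue
        base, _, ext = name.rpartition(".")
        if ext in SUFFIXES:
            traits.add("suffix")
            # Compare only the first name component, so a double
            # extension such as readme.txt.scr still counts (assumption).
            if base.split(".")[0] in BASENAMES:
                traits.add("filename")
    return traits

def verdict(raw):
    """All three traits: quarantine. Listed suffix only: strip the file."""
    traits = matched_traits(raw)
    if {"subject", "filename", "suffix"} <= traits:
        return "quarantine"
    return "strip-attachment" if "suffix" in traits else "deliver"

def build_sample(subject, filename=None):
    """Build a constructed test message, optionally with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Mail transaction failed. Partial message is available.")
    if filename:
        m.add_attachment(b"\x00" * 64, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The From header is deliberately not used as a signal, since the thread notes that the sender address may be spoofed.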
|
01-27-2004, 09:46 AM
|
|
Super Moderator
|
|
|
Join Date: May 2001
Location: Fresno,
CA
Cobra Make, Engine: KMP 184/482ci Shelby
Posts: 14,448
|
|
Not Ranked
David Kirkham thought my computer sent something out. I've checked my registry...nada. Norton is kept up to date via Live Update, but as Turk suggested, that was behind the times a little. But I downloaded the fix per Ron's/Norton's route, and ran it through.
Obviously, it's using whatever names it can find in someone's address book...so it may not come from the person whose name appears to be the sender.
At least it's an attachment based worm...if you don't open, it shouldn't be a problem. AOL always asks if you even want to open an e-mail if it doesn't recognize the address, and does it again if you try to open the attachment. If you're MSN, turn off the automatic opening feature!
__________________
Jamo
|
All times are GMT -7.