PDA

View Full Version : Latest mass virus


Nav
27-01-2004, 21:21:29
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

my virus definitions havent been updated for about a month now (after my subscription ran out!), but I can tell a virus email from a mile off. Had about 6 so far today, plus twice as many 'Recipient Unknown' emails from return address spoofing.

When it peaks I'll probably get about another 100 or so overnight like the last time...... (I had to turn off my virus checker, it was taking so long)

What I can't believe is the amount of people that keep opening these obviously dodgy emails, this one has a message "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.". :rolleyes:

Sir Penguin
27-01-2004, 21:35:48
Seeing as there are so many viruses that do the exact same thing, I wonder what it is that makes this one special.

SP

Nav
27-01-2004, 22:30:40
They have an email list entitled

'These dipshits will open anything'

MDA
27-01-2004, 23:25:28
I've gotten about half a dozen of those this week. Lots of people here have been absolutely swamped with them. The IT guys are looking more frazzled than usual. The poor bastards have to clean up after the PhDs.

Edit: Must be a different virus, since its going to and from ".edu" mail addresses. Comes as a 22 or 23 kb .exe .bat or .zip.

Sir Penguin
28-01-2004, 01:54:23
If they were smart they would make the virus find recent emails, extract the TO and SUBJECT headers, and send itself to those destinations, with those subjects. Nothing in the body, just with the virus attached.

SP

QtFLW@Work
28-01-2004, 16:39:23
Even better if they can do a REPLY and send the old message body. Virus checkers will still be able to detect the virus, but to suck people in better, make it look like it continues an old conversation, thus giving it legitimacy.

Nav
28-01-2004, 19:17:18
Way to go guys, help the virus writers why don't you.

:rolleyes: :D

QtFLW@Work
28-01-2004, 19:56:12
Yeah, 'cause Counterglow is such a black hat community :lol:

Sir Penguin
28-01-2004, 20:40:32
I was thinking leave the body blank because then it add an air of mystery. I guess it could go either way. :)

SP

QtFLW@Work
28-01-2004, 22:26:58
I was thinking about the best way to utilize social engineering principles to get more people opening it. But you're right, a blank body would be less detectable by virus checking and IT departmental instructions warning you to look out of message containing the following subject and message body: "blah blah blah".

If there's less to look for, it's harder to find. Same with the REPLY scenario - how can a person be told "the virus will look like a regular email from someone you know with an attachment" - how many business people receive legitimate emails like that, all the time?

Darkstar
28-01-2004, 22:27:02
Originally posted by Sir Penguin
If they were smart they would make the virus find recent emails, extract the TO and SUBJECT headers, and send itself to those destinations, with those subjects. Nothing in the body, just with the virus attached.

SP

Common practice now with new viruses to extract the "To". Most don't copy the Subject though. They tend to rely on the "Here's those pics of us having that threesome with the donkey!" and "Offer for free tickets from British Airlines (see attachment)" and "Warning! Microsoft is sending you this patch to protect you from the virus (this virus). Please apply promptly!" sort of things.

MDA
29-01-2004, 18:14:55
the IQ test email...

subject: Test
Body: Test, yep. :-)
kjljkks
___________________
test

kkdiws.zip (http://pbskids.org/barney/)

Tizzy
30-01-2004, 09:56:52
We've had thousands of these come through at work. All our definitions are up to date so nothing's actually got through, but that hasn't stopped the muppets trying to open the cleaned attachments and getting stroppy when they can't :rolleyes:

MDA
30-01-2004, 17:29:44
I'm the only muppet to ever pass the IQ test. Even Dr. Honeydew failed his.

QtFLW@Work
30-01-2004, 18:06:15
Hey MDA, I tried clicking on your link to "kkdiws.zip" and I couldn't open it. I think your link is malformed.

MDA
30-01-2004, 20:10:30
Sorry, Qaj. I've got it fixed now.

Nav
06-02-2004, 11:50:48
Originally posted by Nav
plus twice as many 'Recipient Unknown' emails from return address spoofing. Seems these were probably the MyDoom virus all along....

(apolgies for quoting myself... :))

Nav
18-03-2004, 15:44:59
Here's something new and strange (to me anyway).

got two emails with zip attachments, each email quoted a password to get access to the file.

This obviously stops the virus checker from getting into the file to check the contents. I can't belive there are still idiots out there who would open such a file! (as there must be)

oh yes and Netsky is really starting to annoy me now.. getting 20 odd a day....

Gary
18-03-2004, 16:11:48
The spoofing is a pain in the neck. you get folk writing back to warn you, and you daren't reply to tell them not to :rolleyes:

Mmm that which you dscribe Nav is as you suspect, the latest method to try to get around the e-mail filtering. Read about it a few weeks ago.

Virus checks now have to search the text to find the password, before checking inside the zipped file, but the recipient is still probably daft enough to look for themselves, password or no password !

QtFLW@Work
18-03-2004, 20:50:16
We've been receiving the one with the password for a few weeks now.

Our MIS manager here (that's supposed to be our Information Systems guru) got one the other day. I carefully and patiently described the virus, how it worked, why our enterprise-class virus checking system scrubbed the attachment and that she was safe from it, and that it probably wasn't from the person it said in the "From:" section, having been spoofed by the virus.

First thing she asked: "So do I have to email <the person in the From field> and tell them their attachment didn't come through proerply and to send it again?"

:bash:

Gary
18-03-2004, 21:02:33
:D :D :D LMAO