TxKent Premium join:2001-05-18 Pflugerville, TX · AT&T Southwest
High-Outbreak Threat Alert for W32/Mydoom@MM - NAI
Got this just a little while ago. Check with your AV vendors for an update.
TxKent
-----------------------------
Alert: This is a High-Outbreak Threat Alert for W32/Mydoom@MM.
Justification: W32/Mydoom@MM has been deemed High-Outbreak due to prevalence.
Read About It: Information about W32/Mydoom@MM is located on VIL at: »vil.nai.com/vil/content/v_100983.htm
Detection: W32/Mydoom@MM was first discovered on 01/26/2004 and detection will be added to the 4319 dat files (Release Date: 1/26/2004). The EXTRA.DAT is currently available.
If you suspect you have W32/Mydoom@MM, please submit a sample to »www.webimmune.net.
Risk Assessment Definition: For further information on the Risk Assessment and AVERT Recommended Actions please see: »www.networkassociates.com/us/sec···ment.htm
----------
McAfee AVERT - Analysis, Research, and Outbreak Management. Visit www.avertlabs.com
TxKent
Must be really prevalent. McAfee called me at home... (We have a Premier support contract with them at work.)

Tablet | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM -
Named W32.Novarg.A@mm by Symantec.
It is currently a Category 3 threat: »securityresponse.symantec.com/av···@mm.html.
Edit: Severity rating has been increased to Category 4 by Symantec. LiveUpdate will be issued today according to their site.

TxKent | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM - NAI
Just had another call from NAI / McAfee, this time my support engineer. He said that he's never seen a mass mailer go from just discovered to outbreak status so quickly.
At work, we're dropping our internet mail connector (effectively cutting off internet email to 10,000 users) until I can get back to work and get the DAT files in place on email servers and workstations. Hopefully, the DATs will be released within an hour. We have just put filters in for .zip files; we already block .exe, .pif, .scr and the other potential baddies.
Nothing like a fun virus to make my week.

haertig | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM -
It evidently spread very rapidly at my work. I got a bunch of those zipfile email attachments (not stupid enough to open them, of course). But obviously some within my company are not so cautious. A flood of virus email then started, along with mega hits on port 137 (NBNS).
I just turned Kerio up to "block all traffic" and went home...

sheepexplode | reply to TxKent
Has anyone seen removal instructions yet?

Red_Dog | reply to TxKent
I just checked Symantec's site (6:00pm EST); this is all I could find:
If you believe you have been infected, please download the latest virus definitions via LiveUpdate or from the Symantec Security Response Web site. »securityresponse.symantec.com/av···oad.html

TxKent | reply to sheepexplode
said by sheepexplode: Has anyone seen removal instructions yet?
Currently - as of 5:05 CST - they don't have anything listed other than the extra.dat files; you can find them on the following page:
»vil.nai.com/vil/content/v_100983.htm
According to NAI, new DAT packages are forthcoming. I'm heading back up to work to begin the process of catching & cleaning - also to start some captures with Sniffer for odd traffic.

jhalleau | reply to sheepexplode
I got two emails (one with a zipped attachment, one with a .cmd attached) @ work already... they are usually right on this stuff, so it kinda surprised me to get it at work.

antdude | reply to TxKent
Moosoft mentions it!
Date: Mon, 26 Jan 2004 16:21:37 -0700
From: moosoftnews@moosoft.com
To: moosoftnews@moosoft.com
Subject: [News] Breaking News
There is a very nasty new email worm spreading rapidly. This Mimail variant arrives as both a zip and a plain screen saver. As always, do not open these! Delete them immediately.
Some of the emails have text like this:
"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
or
"The message contains Unicode characters and has been sent as a binary attachment."
You should update The Cleaner definitions via MooLive or at »www.moosoft.com/products/cleaner/update/
It is also being called: MiMail.R, Mydoom, Shimg, and Novarg, but they are all the same.
Daniel Otis-Vigil
MooSoft Development
»www.moosoft.com

miketavares | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM - NAI
Anyone know the names of the zip file? Or is it just random?

TxKent
I'm told it's just random...

Tablet | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM -
AVG already detects this nasty with the latest update. See here: »Re: Security Software Updates 26 Jan 2004

haertig | reply to miketavares
I received a "file.zip" in the first one I got. I didn't look closely at all the others I've received since then ... I don't know the filename included in them. Funny, at work - gobs of these. At home, not a one.

CatSnak | reply to TxKent | Re: High-Outbreak Threat Alert for W32/Mydoom@MM - NAI
Has anyone figured out what this thing does yet?
My boss has received a ton of emails containing this one.
Of course our Symantec software is server driven and so far no updates are available for servers, only for the clients.

antdude | reply to haertig | Re: High-Outbreak Threat Alert for W32/Mydoom@MM -
said by haertig: I received a "file.zip" in the first one I got. I didn't look closely at all the others I've received since then ... I don't know the filename included in them. Funny, at work - gobs of these. At home, not a one.
Weird, I got my first one. It was files.exe, not .zip.

Tablet | reply to TxKent
KAV detects it as I-Worm.Novarg with the latest update available via KAV updater.
See Schouw's post: »Re: Security Software Updates 26 Jan 2004

qrkx | reply to CatSnak | Re: High-Outbreak Threat Alert for W32/Mydoom@MM - NAI
said by CatSnak: Has anyone figured out what this thing does yet?
Regular crap like mailing itself to the address book, a remote access server (for instructions to spam and/or DDoS, or system access) and - as kpatz pointed out - apparently a DoS engine directed at SCO (resource starvation, not SYN flood).
Pretty boring stuff.
rgds.

miketavares | reply to TxKent
Well, I needed an excuse to block ZIP files, and with this randomly generating them, I have now blocked *.zip (for the time being anyway). I am sure I will have to deal with the backlash of the users in the morning.

phriday613 | reply to TxKent
Any way I can block .zip files on Exchange 2000? Sorry for the noobish post.
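A gateway-side triage filter for the two lure sentences the MooSoft bulletin quotes and the attachment extensions the admins in this thread are blocking, as an added example (not code from any poster, vendor or Exchange 2000 itself); the quarantine/hold/deliver policy and the sample messages built by build_message() are constructed assumptions, with a placeholder in place of any real attachment.

```python
import re
from email import message_from_string

# Extensions the thread's admins block (.exe/.pif/.scr) plus the ones this
# worm was reported arriving as (.zip/.cmd).
BLOCKED_EXTENSIONS = {".zip", ".exe", ".pif", ".scr", ".cmd"}

# Body text the MooSoft bulletin quotes from the worm's lure messages.
LURE_PATTERNS = [
    re.compile(r"cannot be represented in 7-bit ASCII encoding", re.I),
    re.compile(r"contains Unicode characters and has been sent as a binary attachment", re.I),
]


def has_blocked_attachment(msg):
    """True if any MIME part carries a filename with a blocked extension (case-insensitive)."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS:
            return True
    return False


def has_lure_text(msg):
    """True if any text/plain part contains one of the quoted lure sentences."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if any(p.search(text) for p in LURE_PATTERNS):
                return True
    return False


def classify(raw_message):
    """Assumed policy: lure text + blocked attachment -> quarantine, either alone -> hold."""
    msg = message_from_string(raw_message)
    hits = has_blocked_attachment(msg) + has_lure_text(msg)
    return ("deliver", "hold", "quarantine")[hits]


def build_message(body, filename=""):
    """Construct a multipart test message; the attachment body is a placeholder, not a worm."""
    msg = ('From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\nMIME-Version: 1.0\r\n'
           'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
           f"--b1\r\nContent-Type: text/plain\r\n\r\n{body}\r\n")
    if filename:
        msg += ('--b1\r\nContent-Type: application/octet-stream\r\n'
                f'Content-Disposition: attachment; filename="{filename}"\r\n\r\nPLACEHOLDER\r\n')
    return msg + "--b1--\r\n"
```

Extension matching is on the declared filename only, so a gateway deploying this would still want content-type sniffing of the archive itself.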