
Novarg (also known as Mydoom, Mimail.R and Shimg) high alert

We have reports of a new worm called Novarg.A (also known as Mydoom, Mimail.R and Shimg) which is in the wild, i.e., reported to be infecting a large number of computers. The worm arrives as an email attachment and requires the user to run the executable, which is usually compressed inside a ZIP file; the sender address is spoofed. It also launches a Denial of Service attack on www.sco.com and opens a backdoor on infected computers.

Subject line:
Randomly chosen from the following list:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message body:
The message body can either be random characters or one of the following strings:

test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filename:
document
readme
doc
text
file
data
test
message
body

with one of the following extensions:
exe, pif, scr, bat, com

Attachment size:
22528 bytes

If the user runs the executable (which may be inside the ZIP file attached to the email), the worm sends infected emails to addresses harvested from wab, adb, tbb, dbx, asp, php, sht, htm and txt files. It has also been reported that the worm contains a list of strings which it uses to randomly generate or guess email addresses. Novarg.A uses its own SMTP routines for propagation, thereby bypassing the normal Outlook security.

On or after February 1st, Novarg.A's behaviour changes from mass mailing to initiating a Denial of Service attack on www.sco.com. Infected machines also have a backdoor listening on ports 3127 to 3198. It has been suggested that the backdoor acts as a proxy server and is also able to download and execute arbitrary files.

Avoidance Action:
Make sure your virus definition files are up-to-date. Block all incoming and outgoing .exe, .pif, .com, .scr files.
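As an added example (not GFI's code or the page's own), the indicator lists above and the avoidance action can be turned into a simple mail-gateway check in Python: it matches the subject line, the attachment name, extension and 22528-byte size, looks inside ZIP attachments, and applies the extension block list. The message it inspects is constructed in `build_sample` from filler bytes, and the subject list is matched case-insensitively (an assumption; the advisory gives the strings as written).

```python
import email, io, os, zipfile
from email import policy
from email.message import EmailMessage
# Indicators copied from the advisory above; BLOCKED is its avoidance action.
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTS, BLOCKED = {"exe", "pif", "scr", "bat", "com"}, {"exe", "pif", "com", "scr"}
WORM_SIZE = 22528

def attachments(msg):
    # Yield (filename, size) per attachment; ZIP archives are opened and their members listed.
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    yield from ((i.filename, i.file_size) for i in zf.infolist())
                continue
            except zipfile.BadZipFile:
                pass  # malformed archive: fall through and judge it as a plain file
        yield name, len(data)

def assess(raw):
    """Return the reasons to hold a message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("subject is on the Novarg.A list")
    for name, size in attachments(msg):
        base, ext = os.path.splitext(os.path.basename(name.lower()))
        ext = ext.lstrip(".")
        if ext in BLOCKED:
            reasons.append(f"{name}: blocked extension .{ext}")
        if base in NAMES and ext in EXTS:
            reasons.append(f"{name}: Novarg.A attachment name")
        if size == WORM_SIZE:
            reasons.append(f"{name}: {size} bytes matches Novarg.A")
    return reasons

def build_sample():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"\0" * WORM_SIZE)  # constructed test data: filler bytes, not worm code
    msg = EmailMessage()
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()
```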

Note on the importance of a Trojan and Executable Scanner: Because anti-virus software is signature-based, it can only detect known viruses and Trojans, and is therefore unable to detect a virus such as Mydoom as soon as it is released. GFI MailSecurity's Trojan and Executable Scanner takes a different approach: rather than relying on signatures, it uses built-in intelligence to rate an executable's risk level. It does this by disassembling the executable, detecting in real time what it might do, and comparing its actions to a database of malicious actions. This way, GFI MailSecurity can detect unknown viruses and Trojans before they enter the network, and before anti-virus engine vendors have issued signatures against them.

How does the GFI Trojan and Executable scanner catch this new worm?
The Trojan and Executable Scanner feature within GFI MailSecurity for Exchange/SMTP catches Novarg.A because the worm infringes the "CheckUPX" rule: the executable is compressed with the UPX packer, which indicates that it may be malicious.

Note on MyDoom.B: MyDoom.B, a variant of Novarg (MyDoom.A), is also being caught by GFI MailSecurity's Trojan and Executable Scanner, because it too infringes the scanner's "CheckUPX" rule. This worm is also caught by the latest virus definition files.
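As an added example for the "CheckUPX" rule mentioned for Novarg.A and MyDoom.B (not GFI's implementation, which the page does not show): one way a gateway can recognise UPX packing is to parse the PE section table and flag the UPX0/UPX1 section names the packer leaves behind. `build_stub` constructs a header-only PE skeleton for testing; the rule is a heuristic, so a legitimately UPX-packed program also triggers it, which is why the advisory treats it as an indicator rather than proof.

```python
import struct

def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew: offset of the PE header
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, pe + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, pe + 4 + 16)[0]
    table = pe + 4 + 20 + opt_size                        # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                              # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def check_upx(data):
    """CheckUPX-style rule: True if any section carries the packer's UPX0/UPX1/UPX2 naming."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))

def build_stub(section_names, opt_size=224):
    """Construct a header-only PE skeleton (test data, no code at all) with the given section names."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64, right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections
```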

For more updated information: http://www.gfi.com/security


About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, and Adelaide which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.

All product and company names herein may be trademarks of their respective owners.
