[SECURITY-L] CAIS Alert: Spread of the Novarg.A/Mydoom virus

Security Team - UNICAMP security at unicamp.br
Wed Jan 28 09:16:29 -02 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS Alert: Spread of the Novarg.A/Mydoom virus
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Tue, 27 Jan 2004 10:01:19 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the "CERT Incident Note IN-2004-01, W32/Novarg.A
Virus", which covers the spread of the virus known as W32/Novarg.A or
W32/Mydoom.

The virus has three important characteristics:

. It opens a TCP port in the range 3127-3198, which suggests a remote
access capability on compromised systems.

. It leaves a copy in the directory "C:\Program Files\KaZaA\My Shared Folder\"
that can be retrieved by users of P2P applications, under enticing names
(e.g. winamp5, icq2004-final, activation_crack,
strip-girl-2.0bdcom_patches, rootkitXP, office_crack, nuke2004).

. It is programmed to carry out a denial-of-service attack against the
site SCO.COM.


Some of the possible subjects of the messages sent by the virus
are:

	. test
	. hi
	. hello
	. Mail Delivery System
	. Mail Transaction Failed
	. Server Report
	. Status
	. Error


Most of the messages carry an attachment with one of the following names
and extensions:

	. document
	. readme
	. doc
	. text
	. file
	. data
	. test
	. message
	. body

	.bat, .cmd, .exe, .pif, .scr, .zip


The message body may contain one of the following texts:


"The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment."

"The message contains Unicode characters and has been sent as a binary
attachment."

"Mail transaction failed. Partial message is available."



More information on W32/Novarg.A can be found at the URLs
below:

http://www.cert.org/incident_notes/IN-2004-01.html
http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.f-secure.com/v-descs/novarg.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://www3.ca.com/virusinfo/virus.aspx?ID=38102



CAIS strongly recommends that all users keep their antivirus software
up to date at all times, updating daily or automatically; that they do
not open attachments of any kind without first scanning them with an
antivirus; and that they always verify the authenticity of the sender
address of the e-mail.


Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available at   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


CERT® Incident Note IN-2004-01
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
W32/Novarg.A Virus
Release Date: January 27, 2004

Overview

The CERT/CC has been receiving reports of a new mass-mailing virus known
as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a
backdoor to the compromised system and possibly launch a denial-of-service
attack against a web site at a fixed time in the future.

Description

The W32/Novarg.A virus attempts to do the following:

    * Modify various Windows registry values so that the virus is run
again upon reboot
    * Open a listening TCP port in the range of 3127-3198, suggesting
remote access capabilities
    * Install a copy of itself in the C:\Program Files\KaZaA\My Shared
Folder\ folder, which will be available for download by KaZaA users

The virus arrives as an email message with a 22,528-byte attachment that
has a random filename with a file extension of .cmd, .pif, .scr, .exe, or
.bat. The attachment may also arrive as a ZIP archive.

Some messages containing the virus have had the following characteristics:

    Subject: <random>
    From: <spoofed>
    To: <email address>

    Body:
    (The body has been reported to contain one of the following three
messages.)

    "The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment."

    "The message contains Unicode characters and has been sent as a binary
attachment."

    "Mail transaction failed. Partial message is available."

In addition to the backdoor capabilities, the virus is also believed to
have the capability to launch a distributed denial-of-service attack
against a specific web site beginning on February 1, 2004. As with other
malicious code having mass-mailing capabilities, W32/Novarg.A may cause
"collateral" denial-of-service conditions in networks where either (a)
multiple systems are infected, or (b) large volumes of infected mail are
received.

The CERT/CC is continuing to analyze the malicious code and we will update
this Incident Note as more information is confirmed.

Anti-virus vendors have developed signatures for W32/Novarg.A:

    http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
    http://us.mcafee.com/virusInfo/default.asp?id=mydoom
    http://www.f-secure.com/v-descs/novarg.shtml
    http://www.sophos.com/virusinfo/analyses/w32mydooma.html
    http://www3.ca.com/virusinfo/virus.aspx?ID=38102

Solutions

In addition to following the steps outlined in this section, the CERT/CC
encourages home users to review the "Home Network Security" and "Home
Computer Security" documents.

Run and maintain an anti-virus product

While an up-to-date antivirus software package cannot protect against all
malicious code, for most users it remains the best first-line of defense
against malicious code attacks. Users may wish to read IN-2003-01 for more
information on anti-virus software and security issues.

Most antivirus software vendors release frequently updated information,
tools, or virus databases to help detect and recover from malicious code,
including W32/Novarg.A. Therefore, it is important that users keep their
antivirus software up to date. The CERT/CC maintains a partial list of
antivirus vendors.

Many antivirus packages support automatic updates of virus definitions.
The CERT/CC recommends using these automatic updates when available.

Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be
authored by a person or company that you trust. Email users should be wary
of unexpected attachments, while users of Internet Relay Chat (IRC),
Instant Messaging (IM), and file-sharing services should be particularly
wary of following links or running software sent to them by other users
since these are commonly used methods among intruders attempting to build
networks of distributed denial-of-service (DDoS) agents.

Filter network traffic

Reports to CERT/CC indicate that the virus opens a listening TCP port in
the range of 3127-3198. Sites should consider blocking both inbound and
outbound traffic to these ports, depending on network requirements, at the
host and network level.

If access cannot be blocked for all external hosts, the CERT/CC recommends
limiting access to only those hosts that require it for normal operation.
As a general rule, the CERT/CC recommends filtering all types of network
traffic that are not required for normal operation.

Recovering from a system compromise

If you believe a system under your administrative control has been
compromised, please follow the steps outlined in

    Steps for Recovering from a UNIX or NT System Compromise

Reporting

The CERT/CC is tracking activity related to this worm as CERT#25304.
Relevant artifacts or activity can be sent to cert at cert.org with the
appropriate CERT# in the subject line.

Authors: Marty Lindner, Damon Morda, and Chad Dougherty
This document is available from:
http://www.cert.org/incident_notes/IN-2004-01.html

CERT/CC Contact Information

Email: cert at cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

      http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from our
web site

      http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo at cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2004 Carnegie Mellon University.

Revision History
January 27, 2004: Initial Release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQBZTFukli63F4U8VAQG04gP/WjFf00pOouBM54+j016cE0Y3BYWMPUJA
Acw/6EHGA2IlwLN+3sQFE0zXR++pfR2fqclist2oDcayjOOtFQbknNdLyLO6NQ1X
mNCSW1/aHZMSXclLtnpF7EIvgfo1Z8Cuv8VNkhLlBfXgiFKZDZAnj9YrycBN+YN4
oWjXDbEvUDg=
=pFpI
-----END PGP SIGNATURE-----


----- End forwarded message -----
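The two checks a mail or host administrator would want from the advisory above are (a) a triage of incoming messages against the published indicators (the subject list, the attachment names and extensions, the three body texts and the 22,528-byte attachment size from the CERT note) and (b) a check for a listener in the TCP 3127-3198 range that the "Filter network traffic" section tells sites to block. The following script is an added example written for this page; it is not CAIS or CERT/CC code. The indicator values are copied from the alert text; the sample messages, the `example.test` addresses and the netstat excerpt are constructed here for the demonstration, and the verdict rule (a listed attachment name plus at least one other indicator; a bare subject such as "hi" never counts alone) is this example's own choice, not a rule stated in the advisory.

```python
"""Mydoom/Novarg.A triage helpers: mail indicators and backdoor-port check.
Added example (not CAIS or CERT/CC code). Indicator values are copied from
the advisory; the sample messages and the netstat listing are constructed."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the advisory: subjects, attachment base names and
# extensions, the three body texts, the attachment size, the TCP port range.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BASENAMES = {"document", "readme", "doc", "text", "file", "data",
             "test", "message", "body"}
EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
BODIES = (
    "The message cannot be represented in 7-bit ASCII encoding and has been "
    "sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary "
    "attachment.",
    "Mail transaction failed. Partial message is available.",
)
ATTACHMENT_SIZE = 22528            # bytes, per the CERT note
BACKDOOR_PORTS = range(3127, 3199)  # 3127-3198 inclusive


def score_message(raw: bytes) -> dict:
    """Match one RFC 822 message against the Mydoom indicators.

    Returns each hit plus a verdict (example's own rule): a listed attachment
    name with a listed extension, combined with any other indicator."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append((name, part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    normalized = " ".join(body.split())   # collapse folded/soft line breaks
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(text in normalized for text in BODIES),
        "attachment": False,
        "size": False,
    }
    for name, data in attachments:
        base, ext = os.path.splitext(name.lower())
        hits["attachment"] |= base in BASENAMES and ext in EXTENSIONS
        hits["size"] |= len(data) == ATTACHMENT_SIZE
    hits["verdict"] = hits["attachment"] and (
        hits["subject"] or hits["body"] or hits["size"])
    return hits


def listening_backdoor_ports(netstat_output: str) -> list:
    """Return local TCP ports in 3127-3198 that are in a LISTEN state.

    Accepts `netstat -an` output from Windows ("TCP ... LISTENING") or Linux
    ("tcp ... LISTEN"); the local address is the first field containing ':',
    so a *foreign* port in the range (an outbound connection) is not flagged."""
    ports = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].lower() != "tcp":
            continue
        local = next((f for f in fields[1:] if ":" in f), "")
        port = local.rsplit(":", 1)[-1]
        if (port.isdigit() and int(port) in BACKDOOR_PORTS
                and fields[-1].upper().startswith("LISTEN")):
            ports.append(int(port))
    return sorted(set(ports))


def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Construct a test message (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


MYDOOM_LIKE = build_sample("Mail Transaction Failed", BODIES[0],
                           "document.pif", ATTACHMENT_SIZE)
BENIGN = build_sample("hi", "Lunch at noon?", "notes.txt", 120)

# Constructed netstat -an excerpt: one backdoor listener, one out-of-range
# port, and one connection whose foreign side is 3128 (must not match).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        192.0.2.20:3128        ESTABLISHED
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(score_message(MYDOOM_LIKE))
    print(score_message(BENIGN))
    print(listening_backdoor_ports(NETSTAT_SAMPLE))
```

The message check is deliberately conjunctive: the subjects in the alert ("hi", "test", "Error") occur constantly in legitimate mail, so a subject match alone would quarantine real traffic; the attachment name/extension pair is what carries the signal, and the body text or the fixed 22,528-byte size confirms it. The port check reads the local side of each socket only, because a host that merely connects out to port 3127-3198 on another machine is not itself running the backdoor.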


