ALERT: Extra caution with attachments!
Thread poster: CHENOUMI (X)
English to French
Jan 27, 2004

As you may know, the Mydoom worm has been rampaging the Internet since yesterday.

Emails carrying it often look like they may be coming from your ISP with subject lines such as "test" or "Server Report" or even "Delivery Status Notification (Failure)," and more. Some even come from addresses you know or domains you are familiar with and a "Hi" or "Hello" in the subject line.

The attachment is around 20K in size; total message, around 32K.

Opening it with a PC will weaken your machine's security and spread the worm. Please read this interesting article from CNet about the spread and virulence of that latest threat at the following address:

http://news.com.com/2100-7349-5148347.html?part=dht&tag=ntop.

Surf safely!
Sandra:)

[Edited at 2004-01-28 07:45]
CHENOUMI (X)
English to French
TOPIC STARTER
Additional info. Jan 28, 2004

Some more info on this worm. It may contain the following:

Message (one of the following):
· Mail transaction failed. Partial message is available.
· The message contains Unicode characters and has been sent as a binary attachment.
· The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Subject (one of the following):
· test
· hi
· hello
· Mail Delivery System
· Mail Transaction Failed
· Server Report
· Status
· Error

Attachment (one of the following):
· document
· readme
· doc
· text
· file
· data
· test
· message
· body

with .pif, .exe, .doc, .zip, .cmd, .scr or .bat. Example: document.zip
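The indicators listed in this post can be turned into a mail-side check. The following is an added example, not code from the thread or from any antivirus vendor: it parses a raw message with Python's standard email library and reports which of the listed subjects, body texts and attachment name/extension pairs it matches. The messages it builds are constructed samples; the roughly 20K attachment size is the figure given in the thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator sets transcribed from the thread (compared case-insensitively).
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = ("mail transaction failed. partial message is available.",
          "the message contains unicode characters and has been sent as a binary attachment.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.")
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTS = {".pif", ".exe", ".doc", ".zip", ".cmd", ".scr", ".bat"}

def mydoom_indicators(raw: bytes) -> list[str]:
    """Return the Mydoom-style indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join((body.get_content() if body else "").lower().split())
    if any(b in text for b in BODIES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        ext = "." + ext
        if dot and stem in NAMES and ext in EXTS:
            hits.append(f"attachment:{name}")
        # The thread puts the attachment at roughly 20K; flag executable-type parts in that range.
        size = len(part.get_payload(decode=True) or b"")
        if dot and ext in EXTS and 15_000 <= size <= 30_000:
            hits.append(f"size:{size}")
    return hits

def verdict(raw: bytes) -> str:
    """A subject like "hi" alone is too common to act on; require body or attachment evidence."""
    hits = mydoom_indicators(raw)
    return "quarantine" if any(h.startswith(("body", "attachment")) for h in hits) else "pass"

def build_sample(subject: str, text: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message (not a real capture) in the shape the thread describes."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"   # constructed; the worm spoofs this header
    m["To"] = "you@example.org"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Server Report", "Mail transaction failed. Partial message is available.",
                          "document.zip", b"\x00" * 20_000)
    print(mydoom_indicators(sample), verdict(sample))
```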
chance (X)
French to Chinese
Be careful ! Jan 28, 2004

Yesterday and today I got, and am still getting, dozens of this kind of mail. Fortunately, the anti-virus “Bit Defender” stopped them all, indicating that they are infected by Win32.Novarg.A@mm.

 
CHENOUMI (X)
English to French
TOPIC STARTER
Thanks! Jan 28, 2004

chance wrote:

Yesterday and today I got, and am still getting, dozens of this kind of mail. Fortunately, the anti-virus “Bit Defender” stopped them all, indicating that they are infected by Win32.Novarg.A@mm.



As a matter of principle, I never open any attachment from unknown senders...

Merci !:)

[Edited at 2004-01-28 11:02]


 
Narasimhan Raghavan
Local time: 16:21
English to Tamil
In memoriam
Some more information about the mydoom worm Jan 29, 2004

This is what I got from the magazine "About.com computer":
URL: http://65.54.168.250/cgi-bin/linkrd?_lang=DE&lah=d6f3bfae3eb942eb36f0ef9d80b53c7a&lat=1075333413&hm___action=http://slclk.about.com/?zi=1/Iqg

Worm spells MyDoom for SCO
And uses antivirus software to DoS users
Jan 28 2004
Dubbed Mydoom, Mimail.R, Novarg, or Shimg depending on the antivirus vendor, a worm discovered on January 26th, 2004 has created a headache for users. The worm spoofs the From address, causing lots of innocent folks to be blamed for sending the worm. The fact is, the one person who is most likely not to be infected is the person whose name appears in the From field of the email.

Worse, antivirus alerts are once again contributing to the mess. As was the case with Sobig.F, the vendor alerts have become part of the Mydoom problem.
The alerting problem begins when one of the infected emails is detected by the ISP or domain antivirus solution. The antivirus software, depending on the administrator's configuration, may then send an alert to the recipient and to the alleged sender. Of course, when the sender name is falsified, this means innocent folks are accused of sending a virus when in fact they are not the infected party. The confusion and chaos only gets worse. Many of these antivirus products will send the actual infected message to this alleged sender. Meaning they have now received the virus. If they open the email and the attachment to see what it is they supposedly sent, they then risk becoming infected. The volume of erroneous antivirus alerts is so high, it is quickly outpacing the number of actual Mydoom emails. In fact, some contend that the antivirus alerts are themselves a form of DoS (Denial of Service) attack.
Using antivirus software to DoS email users is not the only trick up Mydoom's sleeve. The worm also launches a Distributed Denial of Service (DDoS) attack against the well-known UNIX vendor, SCO.com. Every second from every infected computer worldwide, the Mydoom (a.k.a. Mimail.R) sends a GET request to the website in an apparent attempt to overload the webserver.
Much controversy has surrounded SCO after claiming last December that the Linux operating system was violating their intellectual property rights in UNIX. "There are a lot of kids out there who feel like SCO's attacking them", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently some of them decided that it's ok to attack back."
The Mydoom worm spreads via email and the P2P network KaZaA. The email message composed by the worm has a spoofed Sender name and the Subject will be one of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
The text of the email will be either:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- or -
The message contains Unicode characters and has been sent as a binary attachment.
- or -
Mail transaction failed. Partial message is available.
The attachment will have either an EXE, CMD, PIF, or SCR extension, or it may be a ZIP archive, and will have one of the following filenames:
document
readme
doc
text
file
data
test
message
body
The attachment's icon may appear to be an icon normally associated with a TXT file, despite the fact that the attachment itself is an executable. To mask its intentions, when executed the worm first launches Notepad, filling the page with random text. Behind the scenes, the worm drops a copy of itself to the Windows System folder (usually C:\Windows\System) as taskmon.exe. This has caused some confusion among Windows 95/98/ME users, as there is a legitimate file named taskmon.exe, but that file resides in the C:\Windows folder, not C:\Windows\System.
Mydoom also searches the System Registry to determine if KaZaA is installed and, if so, what directory is being shared by the user. It then drops a copy of itself to the shared KaZaA folder using one of the following names and a BAT, PIF, SCR, or EXE extension:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
This allows the worm to infect KaZaA users who download and execute one of the infected files, causing further spread on the P2P network. To spread via email, the Mimail.R (a.k.a. Mydoom) worm harvests addresses from WAB, ADB, TBB, DBX, ASP, PHP, SHT, HTM, and TXT files found on the infected system. The worm code also contains text strings which it can use to randomly create addresses if no other addresses are found.
The worm also creates the file shimgapi.dll in the Windows\System directory, registering this file as a child process of EXPLORER.EXE. Shimgapi.dll opens and listens on ports 3127 through 3198. This backdoor could be used to download further malicious code to the system.
Take care and good luck,
N.Raghavan
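A host-side triage of the indicators in the quoted article, as an added example (not code from the article, the thread or any vendor): it checks a file listing for taskmon.exe and shimgapi.dll in the System folder (as opposed to the legitimate taskmon.exe in C:\Windows), for the lure names with executable extensions in the KaZaA shared folder, and netstat output for listeners in the 3127 to 3198 range. The file listing, the share path and the netstat lines are constructed samples.

```python
import ntpath
import re

# Indicators transcribed from the article quoted above; the paths are the "usual" ones it gives.
SYSTEM_DIR = r"C:\Windows\System"
KAZAA_NAMES = {"winamp5", "icq2004-final", "activation_crack", "strip-girl-2.0bdcom_patches",
               "rootkitxp", "office_crack", "nuke2004"}
KAZAA_EXTS = {".bat", ".pif", ".scr", ".exe"}
BACKDOOR_PORTS = range(3127, 3199)   # 3127 through 3198 inclusive
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def same_dir(path: str, directory: str) -> bool:
    """Case-insensitive Windows path comparison that also works when run on a non-Windows host."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)

def check_dropped_files(paths):
    findings = []
    for p in paths:
        name = ntpath.basename(p).lower()
        # The legitimate Win9x taskmon.exe lives in C:\Windows; a copy in System is the worm's drop.
        if name == "taskmon.exe" and same_dir(p, SYSTEM_DIR):
            findings.append(f"dropped copy: {p}")
        if name == "shimgapi.dll" and same_dir(p, SYSTEM_DIR):
            findings.append(f"backdoor dll: {p}")
    return findings

def check_kazaa_share(paths, share_dir):
    findings = []
    for p in paths:
        stem, ext = ntpath.splitext(ntpath.basename(p))
        if same_dir(p, share_dir) and stem.lower() in KAZAA_NAMES and ext.lower() in KAZAA_EXTS:
            findings.append(f"p2p lure: {p}")
    return findings

def check_listeners(netstat_lines):
    """Ports in the 3127-3198 backdoor range found in LISTENING state in netstat -an output."""
    ports = [int(m.group(1)) for m in map(NETSTAT_RE.match, netstat_lines) if m]
    return [p for p in ports if p in BACKDOOR_PORTS]

def triage(paths, netstat_lines, share_dir):
    return {"files": check_dropped_files(paths), "kazaa": check_kazaa_share(paths, share_dir),
            "ports": check_listeners(netstat_lines)}

# Constructed sample inputs (a file listing and netstat -an lines), not taken from a real host.
SAMPLE_SHARE = r"C:\Program Files\Kazaa\My Shared Folder"
SAMPLE_PATHS = [r"C:\Windows\taskmon.exe",            # legitimate location, must not fire
                r"C:\Windows\System\taskmon.exe", r"C:\Windows\System\shimgapi.dll",
                SAMPLE_SHARE + r"\activation_crack.exe", SAMPLE_SHARE + r"\holiday.mp3"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:139     0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:3198    0.0.0.0:0    LISTENING",
                  "  TCP    192.0.2.10:3130 192.0.2.9:80  ESTABLISHED"]
```

Running `triage(SAMPLE_PATHS, SAMPLE_NETSTAT, SAMPLE_SHARE)` reports the two dropped files, the one lure in the share and listeners on 3127 and 3198, while the legitimate C:\Windows\taskmon.exe and the established connection on 3130 are left alone.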
percebilla
Local time: 12:51
Spanish to English
ProZ e-mail? Jan 29, 2004

Thank you so much for the helpful explanations about viruses! I am still new to this medium and am a bit worried about an e-mail I opened the other day. It did not come directly from infoproz but rather from one "troy" with infoproz as the heading. I didn't really take in the message as I closed it again rapidly, realising my mistake. My son, whose PC I use, is very worried I may have let in a virus... Please, has anyone else received such a message from someone called troy at infoproz? I await with bated breath...


 
Monika Coulson
Local time: 04:51
Member (2001)
English to Albanian
It is spoofed most likely Jan 29, 2004

Dear Percebilla,
the email heading was probably spoofed. You may have received a virus from a ProZ.com user who might be infected. The ProZ.com address (troy or [email protected]) was spoofed. This is very common for this virus and for other viruses in general. If you get an attachment in an email apparently from ProZ.com, don't open it. If you did not open the attachment, then I do not believe your computer is infected.
Good luck,
Monika


percebilla wrote:

Thank you so much for the helpful explanations about viruses! I am still new to this medium and am a bit worried about an e-mail I opened the other day. It did not come directly from infoproz but rather from one "troy" with infoproz as the heading. I didn't really take in the message as I closed it again rapidly, realising my mistake. My son, whose PC I use, is very worried I may have let in a virus... Please, has anyone else received such a message from someone called troy at infoproz? I await with bated breath...


 
CHENOUMI (X)
English to French
TOPIC STARTER
No, I have not. Jan 29, 2004

percebilla wrote:

Thank you so much for the helpful explanations about viruses! I am still new to this medium and am a bit worried about an e-mail I opened the other day. It did not come directly from infoproz but rather from one "troy" with infoproz as the heading. I didn't really take in the message as I closed it again rapidly, realising my mistake. My son, whose PC I use, is very worried I may have let in a virus... Please, has anyone else received such a message from someone called troy at infoproz? I await with bated breath...


No percebilla, I have not received such emails from ProZ.com. Please bear in mind that email notifications we receive from ProZ do not come with attachments.

Monika did a good job explaining the details. Hope you solve your problem soon.

See you soon, and welcome among us!


 
CHENOUMI (X)
English to French
TOPIC STARTER
Thank you, Narasimhan Jan 29, 2004

for this wealth of info!

 
percebilla
Local time: 12:51
Spanish to English
thank you a million Jan 29, 2004

Many, many thanks for the rapid replies from Monika, Chenoumi and Raghavan. I will show these replies to my son, who will no doubt also be grateful for all the tips and explanations. In future I will refrain from opening such letters and keep my fingers crossed I've not done anything irreparable. Thanks again. It's consoling to find such helpful people on this site.

 

