Yeah well, I don't know where city dug up the info, but it's incomplete....
Here you go, more info
**********************************************
This press release comes from F-Secure. For more information on F-Secure's mailing list policy, see end of message.
PRESS RELEASE
For release January 27, 2004
New "Mydoom" worm launching a world-wide attack
F-Secure is warning email users around the world about a new Windows worm which is spreading rapidly. The new worm, known as Mydoom or Novarg, is spreading through email attachments and Kazaa file sharing networks.
The worm has launched a world-wide denial-of-service attack from every infected computer against the website of SCO, one of the largest Unix vendors in the world. However, the http://www.SCO.COM site seems to be still operational.
There's been a lot of discussion about SCO after they claimed last December that the Linux operating system was violating SCO's intellectual property rights in UNIX technology. "There are a lot of kids out there who feel like SCO's attacking them", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently some of them decided that it's ok to attack back."
In addition to the denial-of-service attack, the worm also opens up a backdoor on infected computers by listening on TCP port 3176. This way the worm author can gain access to infected computers afterwards.
The emails sent by the worm are fairly random:
From: <random email address>
To: <address of the recipient>
Subject: <random words>
Message body: (several different mail error messages, such as:)
Mail transaction failed. Partial message is available.
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
When a user clicks on the attachment, the worm will start Notepad, filled with random characters and it will immediately start to spread further.
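The message pattern listed above (random sender, random subject, bounce-style body text, attachment with an executable extension) is the kind of thing a mail gateway can flag. The following is an added example, not code from F-Secure or from the original post: a small Python triage function that parses a message and reports which of the described indicators fire. The sample messages, addresses and attachment bytes are constructed for the example; only the extension list and the "Mail transaction failed" phrase come from the release.

```python
import os
from email.message import EmailMessage

# Indicators taken from the release above: attachment extensions the worm
# uses and the bounce-style body text it sends.
WORM_EXTENSIONS = {".zip", ".bat", ".cmd", ".exe", ".pif", ".scr"}
BOUNCE_PHRASES = (
    "mail transaction failed",
    "partial message is available",
)


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def looks_like_mydoom(msg):
    """Return the list of indicators that fired for this message.

    An empty list means nothing matched. Two indicators are checked:
    an attachment whose extension is one the worm uses, and a body that
    imitates a delivery-failure notice although it was not sent by a mailer.
    """
    reasons = []
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in WORM_EXTENSIONS:
            reasons.append(f"executable-style attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in BOUNCE_PHRASES):
        reasons.append("bounce-style body text in a non-mailer message")
    return reasons


def build_sample(subject, body, attachment=None):
    """Build a constructed sample message (addresses are made up)."""
    msg = EmailMessage()
    msg["From"] = "random.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Constructed attachment bytes; the real worm body is not reproduced.
        msg.add_attachment(b"constructed-sample-bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg


if __name__ == "__main__":
    worm_like = build_sample("hi", "Mail transaction failed. Partial message is available.", "document.scr")
    benign = build_sample("minutes", "See the attached notes.", "notes.pdf")
    print("worm-like:", looks_like_mydoom(worm_like))
    print("benign:   ", looks_like_mydoom(benign))
```

The check is deliberately conservative: a single executable-extension attachment is enough to flag a message, since the release says the worm never sends anything else, while the body phrase alone only adds a second reason rather than triggering on its own.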
Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/novarg.shtml
F-Secure Anti-Virus can detect and stop the Mydoom worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com
F-Secure will also be releasing a free tool which can be used to remove Mydoom from infected systems.
About F-Secure
F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in France, Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licencing and distribution agreements, the company's security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia.
F-Secure Corporation
Mr. Mikko Hypponen, Director, Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax +358 9 2520 5001
E-mail: mikko.hypponen@f-secure.com
**************************************************
**************************************************
1. Novarg: New Worm - New Epidemic
Kaspersky Labs, a leading information security software developer, has detected a dangerous new Internet worm, Novarg (also known as Mydoom). In just a few hours this malicious program caused a global epidemic, infecting approximately 300 thousand computers throughout the world. This incident is the most serious outbreak so far this year, and shows every sign of breaking replication records set in 2003.
An explosion in malicious program activity undoubtedly points to serious preparations made by virus writers. This included the creation of a network of infected computers; when the number of computers in the network reached critical mass a command was sent to mail out Novarg.
This is the same approach used previously by the email worm Sobig.F.
Detailed analysis of the geographic spread of the worm leads to the assumption that Novarg was created in Russia.
Prevention, diagnosis and protection
Novarg spreads via the Internet in two ways: via email and via the KaZaA file-sharing network.
Infected messages have a random, falsified sender's address, 8 possible message headers, 18 possible attachment names and 5 possible extensions to attached files. Additionally, the worm spreads in messages where the message header, message body and attachment name contain a nonsensical collection of random characters. Such variability makes it far more difficult for users to independently identify infected messages.
Novarg appears in the KaZaA network under various names, including winamp5, icq2004-final and with various extensions, such as bat, exe, scr, pif and others.
If a user is thoughtless enough to launch the infected file, either from an email or downloaded from the KaZaA network Novarg initiates installation procedures and propagation routines.
Immediately after being launched Novarg opens a Notepad window which shows a series of random characters.
At the same time Novarg creates two files in the Windows folder: taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan program to remotely control the infected machine). The worm registers these files in the system registry auto run key to ensure that the malicious program is activated every time the computer is restarted.
Novarg then initiates its propagation routine. The worm scans the disk for email addresses (files with extensions such as htm, wab, txt and others) and, unbeknownst to the user, sends infected emails to these addresses. In addition, Novarg checks whether or not the infected machine is connected to the KaZaA network: if a connection is open, the worm copies itself into the public folder for file exchange.
Novarg carries a very dangerous payload. Firstly, the worm installs a proxy server on the infected computer. Malefactors can then use this module in spamming or in mass-mailing new versions of the malicious program.
Secondly, Novarg installs a backdoor (a utility for unauthorized remote control) thus allowing the virus writer to control the infected machine. The backdoor makes it possible to steal, change or delete data, install third-party programs and so forth.
Thirdly, Novarg contains an inbuilt module for organizing a DoS attack on http://www.sco.com. This module will be activated between 1st February and 12th February 2004. During this period all infected machines will query this site, which may cause it to crash.
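The two host-side traces the releases give for this worm are the autorun registration of taskmon.exe / shimgapi.dll and the backdoor listening on TCP port 3176. The following is an added example, not Kaspersky's or F-Secure's code: a Python triage helper that parses a registry export in .reg format and netstat-style output and reports which of those indicators are present. The registry excerpt and the netstat lines are constructed for the example (the paths and addresses are made up); only the two file names and the port number come from the text.

```python
# Host indicators taken from the releases above.
AUTORUN_INDICATORS = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORTS = {3176}

# Constructed excerpt in the format of a Windows registry export (.reg).
# The values are made up for this example, not taken from a real host.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\WINDOWS\\system32\\systray.exe"
"TaskMon"="C:\\WINDOWS\\taskmon.exe"
'''

# Constructed lines in the format of `netstat -an` on Windows.
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3176           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        198.51.100.7:80        ESTABLISHED
'''


def parse_reg_values(text):
    """Yield (key_path, value_name, data) for each value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"')


def suspicious_autoruns(reg_text):
    """Return (value_name, data) for Run-key entries naming an indicator file."""
    hits = []
    for key, name, data in parse_reg_values(reg_text):
        if key.lower().endswith(r"\currentversion\run"):
            # .reg files escape backslashes; unescape, then take the file name.
            filename = data.replace("\\\\", "\\").split("\\")[-1].lower()
            if filename in AUTORUN_INDICATORS:
                hits.append((name, data))
    return hits


def listening_ports(netstat_text):
    """Parse the set of TCP ports in LISTENING state out of netstat output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[-1] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def suspicious_ports(netstat_text):
    """Return the sorted list of listening ports that match a backdoor port."""
    return sorted(listening_ports(netstat_text) & BACKDOOR_PORTS)


if __name__ == "__main__":
    print("autorun hits:", suspicious_autoruns(SAMPLE_REG_EXPORT))
    print("backdoor ports:", suspicious_ports(SAMPLE_NETSTAT))
```

On a real host the inputs would come from `reg export` of the Run key and from `netstat -an`; the parsers only look at the shape of those outputs, so the indicator sets can be extended with other file names or ports without touching the parsing code.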
"The danger of the integration of virus and spam technologies to create united, dedicated networks for cyber-criminals is becoming a reality. We have detected two malicious programs within the first two days of this week that illustrate this trend", comments Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Labs, "This problem may well signal a new era in computer virology in the near future, an era marked by even more frequent and serious outbreaks".
Kaspersky® anti-virus databases have already been updated with protection against Novarg.
A detailed description of Novarg is available in the Kaspersky Virus Encyclopedia (http://www.viruslist.com/eng/viruslist.html?id=841769).
*********************************************
*********************************************
A REAL BIG NASTY ONE:
*********************************************
Virus News. Monday, January 26, 2004
******************************************************************
1. Don't Believe Your Browser - It Could Be Dumaru
Kaspersky Labs, a leading information security software developer, warns users about three new modifications of Dumaru, an email worm: versions j, k and l. The unusual propagation techniques and high dissemination rate have resulted in infections worldwide, causing a new global outbreak.
Dumaru was first detected in September 2003 and has remained among the most active malicious programs ever since. The original worm was written in Russia, but subsequent versions appear to come from Germany.
The latest versions of Dumaru contain only minor modifications. However, the multi-tier propagation method used to disseminate the malicious program has caused a worldwide outbreak within a matter of days.
Initial propagation was assured by the mass mailing of a message purportedly originating from Microsoft in which users were offered updates to their virus protection.
In reality, the message contains the Trojan program UrlSpoof. Once the link in the letter is activated, a new Internet window opens onto a Microsoft look-alike web site. Moreover, "UrlSpoof" utilizes a vulnerability in Internet Explorer, which allows the worm to display http://www.microsoft.com in the address bar, even though the user is actually on another site.
While the user is browsing this site, the victim machine is transformed into a Dumaru carrier and the worm then initiates the mailing process from the new computer.
"This outbreak has once again demonstrated that virus writers and spammers are joining forces", comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs, "Viruses are using spamming techniques more and more in order to increase propagation speed, whereas spammers are using viruses to create networks of infected machines for use in mass mailing campaigns".
Kaspersky Labs anti-virus databases have already been updated with protection against the new versions of Dumaru.
A detailed description of these versions of Dumaru can be found in the Kaspersky Virus Encyclopedia (http://www.viruslist.com/eng/viruslist.html?id=836347).
************************************************
COME ON, IT'S PARTY TIME
************************************************
Virus News. Monday, January 26, 2004
******************************************************************
1. Mimail.q: The Return Of A Calculating Email Blackmailer
2. How to subscribe/unsubscribe
3. Security Rules
****
1. Mimail.q: The Return Of A Calculating Email Blackmailer
Kaspersky Labs, a leading information security software developer, has detected a new version of the notorious Internet worm Mimail. Mimail.q has a built-in encrypted key against anti-virus programs and reports of infections are already coming in. Kaspersky Labs predicts that the outbreak will gain momentum over the next few days and recommends that all users update their anti-virus protection immediately.
Mimail.q spreads via email in messages with varying content (there are about 30 variations) with random attachment names. The worm consists of two components: the dropper (the module which installs the core) and the carrier (the core).
If a user is thoughtless enough to launch the file attached to the infected email, the dropper proceeds to open a window with a fake error message. The dropper copies itself into the Windows registry under the name sys32.exe and registers itself in the system registry auto run key.
Finally, the dropper unpacks the main component, a file named outlook.exe and launches it in order to execute it.
The most important modification in Mimail.q is the polymorphic encryption keys inbuilt to fool anti-virus programs. Every time the infected machine is restarted Mimail.q changes the encryption key so that the copies of itself that Mimail sends look different every time.
This means that anti-virus programs must have a decryption routine in order to contend with Mimail.q successfully.
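The point in the two paragraphs above, that re-keyed copies defeat a scanner matching raw bytes and that the scanner therefore needs a decryption step before matching, can be shown with a toy model. The following is an added example, not Kaspersky's code and not Mimail's actual encoding: a constructed "core" byte string is XOR-encoded under a different key for each simulated restart, a naive scanner that searches the raw bytes for a static signature misses every copy, and a scanner that first undoes the encoding recognises all of them. The core bytes, signature and key layout are all assumptions made for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for the invariant core a scanner wants to recognise.
# It is plain text, not malware.
CORE = b"CONSTRUCTED-SAMPLE-CORE: ordinary bytes standing in for a worm body"
# Static signature a scanner would hold for the decoded core.
SIGNATURE = b"SAMPLE-CORE"


def rekey(core, key):
    """Model one 'restart': the same core under a fresh key.

    Toy layout (an assumption for this example): one length byte, the key,
    then the core XORed with the repeating key.
    """
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(core))
    return bytes([len(key)]) + key + body


def decode(blob):
    """Undo rekey(): the step a scanner needs before signature matching."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def naive_match(blob):
    """Scanner that only searches the raw bytes for the static signature."""
    return SIGNATURE in blob


def match_with_decoding(blob):
    """Scanner that decodes first, then matches the invariant core."""
    return SIGNATURE in decode(blob)


def simulate_restarts(count=3):
    """Produce `count` copies under random keys and report, for each copy,
    (sha256 of the copy, naive_match result, match_with_decoding result)."""
    results = []
    for _ in range(count):
        copy = rekey(CORE, os.urandom(8))
        results.append((hashlib.sha256(copy).hexdigest(),
                        naive_match(copy), match_with_decoding(copy)))
    return results


if __name__ == "__main__":
    for digest, naive, decoded in simulate_restarts():
        print(digest[:16], "naive:", naive, "with decoding:", decoded)
```

Every copy hashes differently, so a hash blocklist or a raw-byte signature gains nothing from one sample to the next; only the decoded core is stable, which is exactly why the release says a decryption routine is needed to contend with the worm.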
The main component of the worm performs several functions at once.
Firstly, it sends copies of Mimail.q by scanning the contents of disks and extracting email addresses. Infected messages are then sent to these addresses by using the inbuilt mailing mechanism.
Secondly, the main component opens the infected computer to the creator of the worm using ports 80, 1433, 1434, 3000, and 6667. The worm receives commands via these ports and sends information about the execution of these commands to a variety of public email system addresses.
Thirdly, Mimail.q gathers information about PayPal and E-Gold accounts on the computer in exactly the same way as previous versions of Mimail do, and sends the information needed to access these accounts to the addresses mentioned above.
Finally, the worm's code contains the following text, which is addressed to public email services as a threat if email addresses used by Mimail.q should be closed by the service provider.
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version.
WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***
Protection against Mimail.q using a decryption routine has already been added to the Kaspersky Anti-Virus databases.
A fuller description about this malicious program can be found in the Kaspersky Virus Encyclopedia (http://www.viruslist.com/eng/alert.html?id=836443).