Warning: Spy Virus Spreading [message #64038]
Fri, 30 January 2004 00:42
Xtrm2Matt
Messages: 1318 Registered: February 2003 Location: England, UK
Karma: 0
General (1 Star)
This virus is also known as "MyDoom".
Quote:
Why We Are Issuing This Alert
At 9:00 A.M. Pacific Time on Wednesday, January 28, 2004, Microsoft began investigating reports of a variant of a new worm named "Mydoom" or "Novarg," known as Mydoom.B. This variant reportedly blocks access to some websites, including some Microsoft.com websites. The worm attempts to entice e-mail recipients into opening a message that has a file attachment. If the attached file is opened, the worm installs malicious code on the computer user's system and sends itself to all contacts in the user's address book.
http://www.microsoft.com/security/antivirus/mydoom.asp
Also, Symantec have made a tool to quickly remove this virus from your PC. They call it the "W32.Novarg.A@mm Removal Tool".
Quote:
The W32.Novarg.A@mm Removal Tool does the following:
Terminates the W32.Novarg.A@mm viral processes.
Terminates the viral thread running under Explorer.exe.
Deletes the W32.Novarg.A@mm files.
Deletes the registry values added by the worm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html
And if you're not sure if you have the virus, then do this:
Quote:
If you use Windows XP
To find out if a computer is infected, do the following:
Click Start, and then click Search.
In the What do you want to search for? box, click All files and folders.
In the All or part of the file name box, type ctfmon.dll. If that file exists on the computer, the computer is infected with Mydoom.B, and you need to follow the steps below. Otherwise, the computer is not infected with that variant of the virus.
If you use Windows 2000 or Windows NT 4.0
To check for the worm yourself, do the following:
Click Start, and then click Run.
In the Open box, type cmd
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor, type dir ctfmon.dll /a /s and then press ENTER.
Wait a few moments:
If the results show File Not Found, the computer is not infected with Mydoom.B.
If you use Windows 98 or Windows 95
Click Start, and then click Run.
In the Open box, type command
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor, type dir ctfmon.dll /a /s and then press ENTER.
Wait a few moments:
If the results show File Not Found, the computer is not infected with Mydoom.B.
If any of the above actions actually find this .DLL file, I strongly advise you use the "W32.Novarg.A@mm Removal Tool" OR the steps below:
What to Do If Your Computer Is Infected
If your computer is infected, first try going to the website of your antivirus-software vendor to get the latest updates and information. If you are unable to access your antivirus-software vendor's site and need to fix the infection yourself, follow these steps:
Quote:
Click Start, and then click Run.
In the Open box, type cmd.
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor and:
Type del /F %systemroot%\system32\drivers\etc\hosts
Press ENTER.
Type echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts
Press ENTER.
Type attrib +R %systemroot%\system32\drivers\etc\hosts
Press ENTER.
After typing these commands, do one of the following:
If you use Windows NT 4.0, restart your computer.
If you use Windows XP or Windows 2000, do not restart your computer.
Instead, do the following:
Type ipconfig /flushdns
Press ENTER.
Hope this helps
http://www.OpticalGaming.com || irc.OpticalGaming.com
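The hosts-file repair quoted above restores access to the vendor sites the worm blocks. As an added example that is not part of the original post, here is a small Python check that parses a HOSTS file, flags mappings that point security-vendor domains (microsoft.com and symantec.com, the sites the post names) at a loopback or null address, and produces a cleaned copy; the domain list and the sample file contents are constructed for illustration.

```python
"""Flag and remove HOSTS entries that hijack security-vendor domains.

Added example, not part of the original post. WATCHED_SUFFIXES and
SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

# Domains the post mentions: Microsoft.com (blocked by Mydoom.B) and the
# Symantec site hosting the removal tool. Extend as needed (assumption).
WATCHED_SUFFIXES = ("microsoft.com", "symantec.com")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in a HOSTS file,
    skipping blank lines and '#' comments; one line may list many hosts."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), no))
    return entries


def is_sinkhole(ip):
    """True for addresses that make a name unreachable (127/8 or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Mappings that sinkhole a watched vendor domain."""
    return [e for e in parse_hosts(text) if is_sinkhole(e[0]) and is_watched(e[1])]


def clean_hosts(text):
    """Drop only the hijacking lines, keeping legitimate entries (a gentler
    alternative to the post's wholesale replacement of the file)."""
    bad = {no for _, _, no in suspicious_entries(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
0.0.0.0 www.microsoft.com
127.0.0.1 securityresponse.symantec.com   # planted by the worm
192.168.1.10 intranet.example
"""
```

Run `clean_hosts` over the real file only after reviewing what `suspicious_entries` reports, since a legitimate local override would be removed the same way.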
Warning: Spy Virus Spreading [message #64046]
Fri, 30 January 2004 03:30
England
Messages: 618 Registered: February 2003 Location: High Wycombe, England
Karma: 0
Colonel
Keep this in mind
If you didn't ask for it, don't open it.
I have about 100+ emails containing this bullshit virus.
In the end it doesn't matter if you are who you say you are. You will still mean nothing to me.
When I have kids, every time I drive past a fast food restaurant, I'm gonna punch my kid in the face, then they'll never wanna come..
Misconceptions [message #64060]
Fri, 30 January 2004 06:59
HeXetic
Messages: 8 Registered: November 2003 Location: Toronto, Canada
Karma: 0
Recruit
A couple of misconceptions to clear up.
- MyDoom "works" because it looks like a ZIP file - not the more recognizable EXE or BAT or VBS or COM or SCR etc. files - to the unfortunate shmuck who gets it in the mail. My own dad double-clicked on it even though I've told him in the past not to do stuff like that (happily, he doesn't have administrative privileges on the computer, so the virus couldn't actually do anything).
- The "from" address in pretty much all virus and spam e-mails is forged. If the mail says it's "FROM: hexetic@planetcnc.com" it was probably sent from a 286 in the mountains of Tibet. Various schemes are used to come up with the fake return address; sometimes it's random, sometimes the viruses use previously harvested e-mail addresses. It's all just to make the virus look a little more real and *also* create more havoc by generating thousands of "bounce" messages (sent by the mailserver when a message can't be delivered) or "returned mail" messages (sent by the mailserver when it thinks the e-mail has a virus - of course the guy to whom the mailserver returns the mail is almost certainly not the guy who's infected).
- The #1 best way to improve your safety if you use Outlook Express is to get a virus scanner. All of them are good, provided you get the updates and configure the virus scanner to either clean or delete infected attachments; unfortunately the default action is often "try to clean" (which fails if there's nothing to clean i.e. the file is 100% virus) then pass. I prefer Trend PC-Cillin (comes free with a lot of motherboards) myself. The #2 best way to improve your safety is to turn off the Preview Pane, which is The Root Of All Evil - View->Layout->Preview Pane.
- MyDoom doesn't automagically infect you if you open the e-mail, thank goodness. You have to actually double-click on the attachment to get whacked.
- If you run with User or Power User privileges only (Win2K and WinXP), then you can't get infected as you don't have the ability to install programs - including viruses like MyDoom.
Co-Director
Planet Command & Conquer
http://www.planetcnc.com/
Re: Misconceptions [message #64153]
Fri, 30 January 2004 16:59
gibberish
Messages: 366 Registered: May 2003
Karma: 0
Commander
HeXetic wrote:
A couple of misconceptions to clear up.
- If you run with User or Power User privileges only (Win2K and WinXP), then you can't get infected as you don't have the ability to install programs - including viruses like MyDoom.

Although I would recommend only running with the privileges you need to do your everyday stuff.
The worst thing you can do is to become complacent about viruses.
You should never run suspicious files even as an ordinary user.
Unfortunately MS have too many privilege escalation bugs in their OSes for me to believe that "I am safe as long as I am not logged on as an administrator".
Just my 2 cents,
Gib
Warning: Spy Virus Spreading [message #64359]
Sat, 31 January 2004 14:02
IRON FART
Messages: 1989 Registered: September 2003 Location: LOS ANGELES
Karma: 0
General (1 Star)
Most web services have filters... Use them.
Also, if you use Outlook Express, turn off the preview pane.
WRF???? [message #64439]
Sat, 31 January 2004 20:28
TAKAVAR
Messages: 2 Registered: January 2004
Karma: 0
Recruit
WTF. I didn't open shit, how did I get it? I'm TAKAVAR2@yahoo.com
meeh ...
Well, I'm going to remove it now, but this is ....
Warning: Spy Virus Spreading [message #64448]
Sat, 31 January 2004 21:17
TAKAVAR
Messages: 2 Registered: January 2004
Karma: 0
Recruit
OK, this is weird now.
Norton's anti-virus or even the special removal tool for the MyDoom virus didn't detect ANYTHING ...
Dunno what's going on ...
Warning: Spy Virus Spreading [message #64468]
Sat, 31 January 2004 23:42
exnyte
Messages: 746 Registered: February 2003
Karma: 0
Colonel
The reason it was received from you is it pulls email addresses from:
symantec.com wrote:
Searches for the email addresses in the files with the following extensions:
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt

It uses the email addresses it pulls off of these files to send email to and use as the "from" on those emails.