EPIDEMIC: Fast-spreading worm Novarg!!!

Novarg: New Worm - New Epidemic

A new Internet worm causes a global outbreak

Kaspersky Labs, a leading information security software developer, has
detected a dangerous new Internet worm, Novarg (also known as
Mydoom). In just a few hours this malicious program caused a global
epidemic, infecting approximately 300 thousand computers throughout the
world. This incident is the most serious outbreak so far this year, and
shows every sign of breaking replication records set in 2003.

An explosion in malicious program activity undoubtedly points to serious
preparations made by virus writers. This included the creation of a
network of infected computers; when the number of computers in the
network reached critical mass a command was sent to mail out Novarg.
This is the same approach used previously by the email worm Sobig.F.

Detailed analysis of the geographic spread of the worm leads to the
assumption that Novarg was created in Russia.

>>>> Prevention, diagnosis and protection

Novarg spreads via the Internet in two ways: via email and via the KaZaA
file-sharing network.

Infected messages have a random, falsified sender's address, 8 possible
message headers, 18 possible attachment names and 5 possible extensions
to attached files. Additionally, the worm spreads in messages where the
message header, message body and attachment name contain a nonsensical
collection of random characters. Such variability makes it far more
difficult for users to independently identify infected messages.

Novarg appears in the KaZaA network under various names, including
"winamp5", "icq2004-final" and with various extensions, such as bat,
exe, scr, pif and others.

If a user is thoughtless enough to launch the infected file, either from
an email or downloaded from the KaZaA network, Novarg initiates
installation procedures and propagation routines.

Immediately after being launched, Novarg opens a Notepad window which
shows a series of random characters.

At the same time Novarg creates two files in the Windows folder:
taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan program to
remotely control the infected machine). The worm registers these files
in the system registry auto run key to ensure that the malicious program
is activated every time the computer is restarted.

Novarg then initiates its propagation routine. The worm scans the disk
for email addresses (files with extensions such as htm, wab, txt and
others) and, unbeknownst to the user, sends infected emails to these
addresses. In addition, Novarg checks whether or not the infected
machine is connected to the KaZaA network: if a connection is open, the
worm copies itself into the public folder for file exchange.

Novarg carries a very dangerous payload. Firstly, the worm installs a
proxy server on the infected computer. Malefactors can then use this
module in spamming or in mass-mailing new versions of the malicious

Secondly, Novarg installs a backdoor (a utility for unauthorized remote
control) thus allowing the virus writer to control the infected machine.
The backdoor makes it possible to steal, change or delete data, install
third-party programs and so forth.

Thirdly, Novarg contains an inbuilt module for organizing a DoS attack
on [link visible only to logged-in users]. This module will be activated between 1st February and
12th February 2004. During this period all infected machines will
query this site, which may cause it to crash.

"The danger of the integration of virus and spam technologies to create
united, dedicated networks for cyber-criminals is becoming a reality. We
have detected two malicious programs within the first two days of this
week that illustrate this trend", comments Eugene Kaspersky, Head of
Anti-virus Research at Kaspersky Labs, "This problem may well signal a
new era in computer virology in the near future, an era marked by even
more frequent and serious outbreaks".

Kaspersky Anti-Virus databases have already been updated with protection
against Novarg.

A detailed description of Novarg is available in the Kaspersky
Anti-Virus Encyclopedia.

[link visible only to logged-in users]

Kaspersky Labs Corporate Communications

And for those who did get infected anyway, CLRAV, built a couple of hours ago at KL, has also been put on the download page [link visible only to logged-in users]

Oh yes... avoid messages from known addresses (mostly from .yu domains) with a silly subject and even stranger text (strange in the sense that it is odd that the supposed sender would write that), especially if they have a "zip" file as an attachment!!!

The subject line has the following characteristics:

Mail Delivery System
Mail Transaction Failed
Server Report

Message text:
Mail Transaction Failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment

and the attachment:
document, readme, doc, text, file, data, test, message, body

while the file extension is one of the following:
.pif, .scr, .exe, .cmd, .bat, .zip
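As an added example (not from this post, nor Kaspersky's code), a Python mail-gateway check that scores an incoming message against the three indicator lists above: subject line, body text and attachment name plus extension. The sample message is constructed, not a real capture, and a score of 3 means all three indicators matched.

```python
import email
from email import policy

# Indicator lists as quoted in the post above (Novarg/Mydoom.a subjects, body
# fragments, attachment base names and extensions); matching is case-insensitive.
SUBJECTS = {"mail delivery system", "mail transaction failed", "server report"}
BODY_FRAGMENTS = (
    "mail transaction failed. partial message is available",
    "has been sent as a binary",
    "cannot be represented in 7-bit ascii encoding",
)
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
ATTACH_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}

def bad_attachment(name):
    """True when base name and extension are both on the lists (e.g. document.zip)."""
    stem, dot, ext = name.lower().rpartition(".")
    return bool(dot) and stem in ATTACH_NAMES and "." + ext in ATTACH_EXTS

def novarg_score(raw):
    """Score a raw RFC 822 message 0..3: one point each for subject, body and attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score = 0
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        score += 1
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(frag in text for frag in BODY_FRAGMENTS):
        score += 1
    # The sender address is spoofed by the worm, so it is deliberately not scored.
    if any(bad_attachment(p.get_filename() or "") for p in msg.iter_attachments()):
        score += 1
    return score

# Constructed sample message (not a real capture) carrying all three indicators.
SAMPLE = b"""From: friend@example.invalid
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail Transaction Failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"

--b1--
"""
```

A gateway would quarantine at a threshold of 2 or more; a single hit (a legitimate bounce with subject "Mail Delivery System") is not enough on its own.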

You're nicely justifying your job at the company. Smile

[link visible only to logged-in users]

and AxeZ sent me a link
[link visible only to logged-in users]

[link visible only to logged-in users]

A friend whose email I have only in my Yahoo address book told me today that he received an email from my Yahoo address containing this virus. I have about thirty people in that address book and nobody else has told me they received a similar email from my Yahoo??? Now, I don't use Outlook at all, only Yahoo... and in the last month or two I haven't received or sent any attachments, nor have I downloaded anything from the net recently??? I also haven't received an email with the content described above.... if I did receive it I probably deleted it without even opening it, thinking it was some spam.

I checked: my latest Norton update is from 26.01.2004 and Novarg is on its virus list; I scanned my computer and Norton found nothing. My friend says that maybe the virus isn't on my computer but on the Yahoo server????? Is something like that even possible? Now I've really got myself worked up.

Relax, Kat... the worm fakes the sender's e-mail address!!!
So it can happen that a few more (dozens of) emails come back to you (as happened to me) as if you had sent the worm.
Just tell your friend that.

As for a worm on the Yahoo server... HMMM... unlikely.

*whew*.... thanks for the information Puky, I feel a bit better now Smile

This is the fastest so far, if I'm not mistaken - a new variant has already arrived! Crying or Very sad

Kaspersky Labs, a leading information security software developer, has
detected a new version of Mydoom (Novarg) - Mydoom.b

Kaspersky Labs has received reports of infections by this malicious
program. Our analysts believe that Mydoom.b is probably using machines
infected by the original Mydoom, which could mean as many as 600,000
units. These infected computers may have received a command to send out
copies of Mydoom.b. Therefore, the computer community may be facing a
much more serious outbreak than the one caused by Mydoom.a yesterday,
January 27.

The new version contains minimal technical innovations. Mydoom.b also
spreads via email and the KaZaA file-sharing network. The email contains
a different set of text strings in the body. The carrier file is about
28 KB in size and contains the text string: "sync-1.01; andy; I'm just
doing my job, nothing personal, sorry". Mydoom.b is scheduled to launch
a DoS attack between February 1 and February 12 2004 on two web sites:
[Link mogu videti samo ulogovani korisnici] and [Link mogu videti samo ulogovani korisnici]

Moreover, the worm modifies the operating system to prevent users from
reaching many anti-virus vendors' sites, security-related news sites and
various sections of the Microsoft site, as well as downloading data from
banner networks.

Kaspersky Anti-Virus databases have been updated with protection
against Mydoom.b.

A detailed description of Mydoom.b is available in the Kaspersky Virus
Encyclopedia (http://www.viruslist.com/eng/viruslist.html?id=850737)

