[pchelpers] Re: Hi

  • From: Tonia <ltonwannabe@xxxxxxxxxxx>
  • To: pchelpers@xxxxxxxxxxxxx
  • Date: Wed, 28 Jan 2004 15:06:13 +0000 (GMT)

Sounds like the one I got at work today except the subject line was Status. Of 
course being an attachment (a .zip file) I was pretty suspicious. I checked its 
properties and then went to source and found the same comments as what I just 
read in Woody's newsletter on this latest virus. Of course I deleted the email 
at work simply because it was an attachment. That is my policy always. 
 
Here's an extract from Woody's Watch. Hope you find the info useful.
 
MyDoom Boom Boom

By now you no doubt know about the latest worm to hit the streets. McAfee calls 
it MyDoom. So does F-Secure. Symantec/Norton calls it Novarg. 

MyDoom's remarkable not because of its technical acumen. This sucker is in the 
process of clogging up all the email servers around the world because of its 
remarkable 'social engineering' - in other words it is packaged in a way to 
make unwary people open it. It has four characteristics that make it 
interesting / dangerous, depending on your point of view:

First, unlike the quasi-literate cretins who have been spawning worms lately, 
MyDoom's creator had the presence of mind to create a plausible story to go 
along with his dirty package. In this case, the worm arrives with a message 
that says (s p a c e s added to keep from triggering dumb spam filters):

    Mail t r a n s a c t i o n failed. Partial message is available.

    The message contains Unicode c h a r a c t e r s and has been sent as a 
    binary attachment.

    The message cannot be represented in 7-bit ASCII e n c o d i n g and has 
    been sent as a binary attachment.

At least at first glance, each of those messages seems reasonable enough to 
warrant looking at the attachment. In many cases, the attachment won't fool any 
of you because you have Windows set up to show you file name extensions (as 
we've recommended in Woody's Watch time and time again), and you know that 
double-clicking on a .bat, .cmd, .exe, .pif, or .scr file is just about as 
stupid as pointing a loaded gun at your foot. Besides, if you use Outlook 2002 
or 2003 with the default security settings, you won't see the file anyway. 

But in some cases the attached infected file is stored in a zip, and that's a 
horse of an entirely different color. Zips get through Outlook - they're 
innocuous; in and of themselves, zip files can't infect you. But the file(s) 
that sit inside the zip can be infected, and that's how MyDoom will creep (I 
use the term intentionally) into any system. That's MyDoom's second interesting 
twist: burying the infected file in a zip, so it'll get through many systems. 
Don't immediately panic, you have to open the attached zip file then extract 
and run the file enclosed within the zip.

The third twist is a real killer. MyDoom packs an infected file into a zip, but 
it gives the infected file a very long name. I got one infected message with an 
attached zip that contains a file called akhr.doc <followed by a LOT of spaces> 
.exe. There were so many spaces that when I opened the zip, Windows didn't even 
show me the .exe file name extension. (Of course, if you double-click on the 
akhr.doc<spaces>.exe file, it's run directly as is any other .exe file.) 
Another infected message arrived with a zipped copy of readme.txt <a LOT of 
spaces>.exe, another with body.txt <spaces>.scr, another with 
data.htm<spaces>.exe, and so on. I was quite astounded to see that Windows 
Explorer, when it opens a zip, doesn't always show the file name extension if 
the file name is long enough.

The fourth twist? The antivirus software sites are reporting that the worm not 
only spoofs return addresses - old-hat in this day and age - but it also spoofs 
Windows icons. I haven't received any messages with spoofed icons, but there 
are examples on-line of files called document.pif and document.scr that have 
the icon normally associated with text files. What's wrong with that? Folks who 
refuse to make Windows show file name extensions will be in for a very nasty 
surprise if they click on one of those "document" icons and get infected. 

You have to force Windows to show you file name extensions. Hiding file name 
extensions is one of the worst design mistakes Microsoft has ever made, and 
millions of their customers have paid the price for that decision.

Anyway, MyDoom opens a back door on your system that would (at least in 
theory) allow a cretin to take over your machine, and/or download and execute 
any program. (I say "in theory" because at this point there must be ten million 
computers with open MyDoom back doors; what are the odds somebody's going 
to pick yours?) Between February 1 and 12, infected systems automatically 
launch a distributed denial of service attack on www.sco.com, a company of 
scum-sucking... aw, don't get me started. MyDoom scans your files for email 
addresses and sends out copies of itself, spoofing the return address, and it 
puts itself in your KaZaA out box. MyDoom is supposed to stop spreading all by 
itself on February 12.



Tonia
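The newsletter's second and third twists (an executable hidden inside a zip, with a harmless-looking inner extension and a run of spaces pushing the real extension out of view) can be checked mechanically before anyone opens the archive. The script below is an added example written for this post; it is not code from the newsletter, the list, or any antivirus vendor. It reads each zip member's name and the first two bytes of its content, flags names ending in the extensions the newsletter lists as run-on-double-click, counts any whitespace padding in front of that extension, and separately notes when the content begins with the `MZ` header of a Windows executable, so a renamed file is caught even if the name looks clean. The sample archive it scans is constructed inline with the naming patterns the newsletter describes (`akhr.doc<spaces>.exe`, `body.txt<spaces>.scr`, `document.pif`); it is not a real MyDoom sample.

```python
import io
import os
import zipfile

# Extensions the newsletter lists as run directly on double-click.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable (empty if none).

    name is the member's path inside the archive; head is the first bytes of its content.
    """
    base = name.rsplit("/", 1)[-1]          # zip entries use '/' as the separator
    stem, final_ext = os.path.splitext(base)
    final_ext = final_ext.lower()
    reasons = []

    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"runs on double-click ({final_ext})")
        # Whitespace between the visible part of the name and the real extension
        # pushes the extension out of view in a narrow file-name column.
        padding = len(stem) - len(stem.rstrip())
        if padding:
            reasons.append(f"{padding} whitespace characters hide the extension")
        # A second, harmless-looking extension in front of the real one (akhr.doc ... .exe).
        inner_ext = os.path.splitext(stem.rstrip())[1].lower()
        if inner_ext and inner_ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"disguised as {inner_ext}")

    # Content check, independent of the name: Windows executables start with 'MZ'.
    if head[:2] == b"MZ":
        reasons.append("content starts with an MZ (PE) header")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; reads only 2 bytes per member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real worm sample) using the naming tricks described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("akhr.doc" + " " * 120 + ".exe", b"MZ" + b"\x00" * 64)
        zf.writestr("body.txt" + " " * 80 + ".scr", b"MZ" + b"\x00" * 64)
        zf.writestr("document.pif", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"plain text, nothing to run\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member.rstrip()), "->", "; ".join(why))
```

Run as-is it reports the three disguised executables and stays silent on `readme.txt`. The `MZ` check is the important half: extension tricks only work on what a human sees, while the content check sees what Windows will actually execute, so a mail gateway or helpdesk tool that quarantines any archive with a hit from either test catches both the padded-name variant and a plain `document.pif`.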
 



Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at //www.freelists.org/cgi-bin/lsg2.cgi
List archives at //www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied.