RE: [Full-Disclosure] W32.novarg.a - Highly distributed mass mailer

From: Logan5 (Logan5_at_Logan5.com)
Date: 01/27/04

    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 26 Jan 2004 20:17:44 -0600
    
    

    Is the programmer a Matrix fan? Found this decoding the .zip and .scr
    (sanitized for your protection):

    @1A1Ch:
    Sack_i..+D.k=.smith[C.+_.m.B...h...&joe?neo/...

    Funny to see both Agent Smith and Neo on the same few bytes of code :)

    Nice to see the AV co.'s respond so fast.

    -

    -----Original Message-----
    From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
    Sent: Monday, January 26, 2004 6:39 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] W32.novarg.a - Highly distributed mass
    mailer

    Michael Skaff <michael@coolsign.com> wrote:

    > Apologies if this is off topic, but I thought it merited posting,
    > given the distribution.
    >
    > Norton has also tagged the same worm referenced in the previous
    > posting from McAfee, but they're calling it Novarg. No details yet.
    > We've seen a variety of file names and subject headers, although
    > "Hi", "Hello" seem to be the most popular so far. "Text" "File" and
    > "Message" seem to be popular file names. We are seeing ~25/hr @ the
    > gateway, and rising.

    You will see a lot more -- this seems to have gone ballistic...

    BTW, NAV detecting it as "Novarg" and Trend as "Mimail.R" is just
    another case of multiple labs working on the same massive outbreak
    independently before realizing just how widespread it was (or at least
    had realistic potential of reaching). I have heard from analysts at
    Symantec that they will rename it Mydoor to be in keeping with the bulk
    of the other developers, and Trend is pretty good about renaming things
    in such situations, so I guess they will follow suit too.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html