Re: W32/Novarg.A virus

From: Colin McKinnon (colin.thisisnotmysurname_at_ntlworld.deletemeunlessURaBot.com)
Date: 01/30/04


Date: Fri, 30 Jan 2004 00:46:36 +0000

Mark A Framness spilled the following:

> Greetings,
>
> I am getting an occasional mailing with the W32/Novarg.A virus. The
> messages come as bounced e-mail messages. Looking at the headers they
> appear to be genuine bounces. These messages must send themselves out with
> e-mail addresses found on infected systems, correct? Or could it be my
> slack box is cracked?
>

This virus, like many others, forges its origin. So if user A has an
infected machine which sends a message to user B with your address in the
From / Reply-to headers and user B has virus checking, you'll get the
bounce. This is particularly painful if you collect mail for a whole domain
rather than just named users at a domain (IIRC Novarg 'invents' random
names to send mail to / from but uses real domains).

In this day and age, most sites using that operating system which is
somewhat prone to viruses run perimeter defences - unfortunately the
defence systems (nearly) all try to be helpful by telling you about this
but all use different formats for their messages, and, by bothering to
respond, nearly double the background noise on Email. Some even send you the
virus just in case you weren't already infected!

It rather poses the question - if the anti-virus package can recognise a
particular virus which is known to forge the origin of Emails, WTF do they
respond to it?

C.
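
An added example, not part of the original post: one way to tell a bounce caused by a forged sender apart from mail your own host really sent is to read the topmost Received line of the rejected message carried inside the bounce. It assumes the bounce includes that message or its headers; the sample bounce, host names, IP addresses and function names are all constructed for illustration.

```python
import email
import re

# Constructed sample: a bounce from a hypothetical scanner at userb.example.
# Every host name and IP address here is a documentation value.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.userb.example
To: mark@ourdomain.example
Subject: Undeliverable: virus detected
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected.

--b1
Content-Type: message/rfc822

Received: from ourdomain.example (dsl.isp.example [203.0.113.77])
    by mx.userb.example; Fri, 30 Jan 2004 00:12:01 +0000
Received: from mail ([192.0.2.10]) by ourdomain.example
From: mark@ourdomain.example

body
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def embedded_original(bounce):
    # Return the rejected message (or just its headers) carried in the bounce.
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def classify_bounce(raw, our_ips):
    orig = embedded_original(email.message_from_string(raw))
    received = orig.get_all("Received", []) if orig is not None else []
    # Assumption: the topmost Received line was written by the bouncing site's
    # own MX, so its bracketed IP is the real sender; lower lines may be forged.
    match = IP_IN_BRACKETS.search(received[0]) if received else None
    if match is None:
        return "unknown"
    return "sent-from-our-host" if match.group(1) in our_ips else "backscatter"
```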


