2 specific questions on Novarg

Alexander Fischer

Hello,

can someone tell me if actually opening an infected ZIP file can
already infect my computer? As far as my reasoning goes, opening the
zip file should be safe - only opening any contained executable would
trigger the virus. Right?

My second question: does Novarg forge Mail-From-Addresses? I ask
because I get a lot of bounces indicating that I sent out (infected)
e-mails - however I'm pretty sure this isn't the case and therefore
believe that the virus just took my address and put it in the from
line...


Thanks,
Alex
 
Camford

I believe the zip file is the actual virus. Although opening a zip file
which contains the virus should be safe, in the case of
mydoom/novarg, the zip file is the actual virus. Therefore, opening the zip
file will infect your computer.
 
D McAuliffe

Alexander Fischer said:
> Hello,
>
> can someone tell me if actually opening an infected ZIP file can
> already infect my computer? As far as my reasoning goes, opening the
> zip file should be safe - only opening any contained executable would
> trigger the virus. Right?

I received two from apparently the same user. I right-clicked on the file
(document.zip) to scan with an un-updated NAV (for this virus only) to see
if it would catch it; it didn't. When the scan was done, three WinZip
windows opened (I did not call for the program) to show the file
document.exe. I closed all windows, and ran a find for the files that this
thing is supposed to drop, as well as its registry entries; there were none.
There was also no outgoing traffic or ports opened. Therefore I've concluded
I'm not infected.

> My second question: does Novarg forge Mail-From-Addresses? I ask
> because I get a lot of bounces indicating that I sent out (infected)
> e-mails - however I'm pretty sure this isn't the case and therefore
> believe that the virus just took my address and put it in the from
> line...
>
> Thanks,
> Alex

Yes, see http://www.symantec.com/avcenter/venc/data/[email protected]
--
~~~~~~~~~~~~~~~~~
Dave McAuliffe
Central Mass. USA
To E-mail -
Replace: mailinator.com
With: email.com
~~~~~~~~~~~~~~~~~
 
GSV Three Minds in a Can

D McAuliffe said:
> I received two from apparently the same user. I right-clicked on the file
> (document.zip) to scan with an un-updated NAV (for this virus only) to see
> if it would catch it; it didn't. When the scan was done, three WinZip
> windows opened (I did not call for the program) to show the file
> document.exe. I closed all windows, and ran a find for the files that this
> thing is supposed to drop, as well as its registry entries; there were none.
> There was also no outgoing traffic or ports opened. Therefore I've concluded
> I'm not infected.

I think it depends =how= you open the zip file. Using winzip 'classic'
you'd just get a list of the contents, from which you can decide what to
do (including installing or running items). With the 'wizard' interface,
it might leap into action and actually unzip/execute. If you use the
WinXP .zip handler, 'God only knows'. This assumes it is a real .zip
file (which it appears to be) rather than "abc.zip .scr"

Safest, as ever, is to just delete unopened (unless you have some good
reason for needing to poke around).
 
null

Camford said:
> I believe the zip file is the actual virus. Although opening a zip file
> which contains the virus should be safe, in the case of
> mydoom/novarg, the zip file is the actual virus. Therefore, opening the zip
> file will infect your computer.

Then the antivirus scanners are all dead meat since they have to
"open" (unzip) the file in order to scan the archive contents :)

The infested .ZIP files can be unzipped without auto-infesting the PC.
But don't mess with them unless you know what you're doing.


Art
http://www.epix.net/~artnpeg
 
John Coutts

Alexander Fischer said:
> Hello,
>
> can someone tell me if actually opening an infected ZIP file can
> already infect my computer? As far as my reasoning goes, opening the
> zip file should be safe - only opening any contained executable would
> trigger the virus. Right?
**************** SEPARATOR ****************
Just because a file has an extension .zip does not mean that it is a ZIP file.
In the examples that I have, the files are actual executables. This is the
danger in using the unzip feature built into XP (it does not differentiate
between clicking to open or clicking to expand).
*******************************************
> My second question: does Novarg forge Mail-From-Addresses? I ask
> because I get a lot of bounces indicating that I sent out (infected)
> e-mails - however I'm pretty sure this isn't the case and therefore
> believe that the virus just took my address and put it in the from
> line...
**************** SEPARATOR ****************
The addressee and addresser both come from the same place (the infected
machine). I cannot verify it yet, but there is some evidence that the receiving
server name or IP address is also taken from the infected machine.
*******************************************
 
null

John Coutts said:
> Just because a file has an extension .zip does not mean that it is a ZIP file.
> In the examples that I have, the files are actual executables.

The six infested samples I have with .ZIP file extensions are
definitely ZIP archives containing the actual executable files with
extensions such as .PIF and .SCR. ZIP archives are not executable
files.

> This is the
> danger in using the unzip feature built into XP (it does not differentiate
> between clicking to open or clicking to expand).

You mean it will auto-run an executable in a ZIP archive? What if
there are multiple executable files archived? Which one runs?


Art
http://www.epix.net/~artnpeg
 
John Coutts

My apologies. The file is an actual ZIP file. Inside is a PIF file of virtually
the same size. PKUNZIP said it wasn't a ZIP file because it couldn't handle the
long file name. Periscope bombs out when trying to analyze it, so I can't tell
you anything else about it.
**************** SEPARATOR ****************
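The question running through the last few posts (is a file called document.zip really a ZIP archive, or an executable with a misleading name, and what is inside it) can be answered without ever double-clicking the attachment. The following script is an added example, not code from the thread or from any vendor tool: it classifies a blob by its leading bytes rather than its name, flags the padded "abc.zip        .scr" double-extension trick, and lists archive members from the central directory without extracting anything. The sample archive and the fake "MZ" stub are constructed here for the demonstration and contain no real worm code; the extension list is an assumption about what Windows will run on a double-click.

```python
import io
import os
import zipfile

# Magic numbers: a real ZIP archive begins with a local file header or, for an
# empty archive, the end-of-central-directory record. A Windows executable
# (PE, which also covers .scr and .pif payloads) begins with the DOS "MZ" stub.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")
PE_MAGIC = b"MZ"

# Assumed list of extensions Windows runs on double-click; .pif and .scr are
# the ones the thread reports inside the MyDoom archives.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever name it carries."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[:2] == PE_MAGIC:
        return "pe"
    return "unknown"


def deceptive_name(name: str) -> bool:
    """True when a name shows '.zip' but really ends in an executable extension,
    i.e. the 'abc.zip        .scr' trick with whitespace padding."""
    real_ext = os.path.splitext(name.strip().lower())[1]
    return ".zip" in name.lower() and real_ext in EXECUTABLE_EXTS


def list_members(data: bytes):
    """Read the central directory only: names and uncompressed sizes, no extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def triage(name: str, data: bytes) -> dict:
    """Report what an attachment named *.zip actually is and what it contains."""
    kind = identify(data)
    executables = []
    if kind == "zip":
        executables = [member for member, _ in list_members(data)
                       if os.path.splitext(member.lower())[1] in EXECUTABLE_EXTS]
    return {
        "name": name,
        "kind": kind,
        "deceptive_name": deceptive_name(name),
        "executable_members": executables,
        # Only a genuine archive, honestly named, with no executable inside
        # is worth opening at all.
        "safe_to_open": kind == "zip" and not deceptive_name(name) and not executables,
    }


# --- Constructed samples; none of this is real worm code ---------------------

def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {filename: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


# document.zip as described in the thread: a real archive holding one .pif.
SAMPLE_ARCHIVE = build_archive({"document.pif": b"MZ" + b"\x00" * 126})
# A harmless archive for comparison.
SAMPLE_BENIGN = build_archive({"notes.txt": b"nothing to see here\n"})
# A bare PE stub wearing a padded double extension: not an archive at all.
SAMPLE_FAKE_ZIP = b"MZ" + b"\x90" * 62

if __name__ == "__main__":
    for name, blob in (("document.zip", SAMPLE_ARCHIVE),
                       ("notes.zip", SAMPLE_BENIGN),
                       ("abc.zip        .scr", SAMPLE_FAKE_ZIP)):
        print(triage(name, blob))
```

Run it against a real attachment with `triage(filename, open(filename, "rb").read())`. The point of the magic-byte check is that it answers John's and Art's disagreement mechanically: a file that starts with "PK" is an archive whatever its name, and one that starts with "MZ" is a program whatever its name. Listing the central directory is the same thing a scanner does when it "opens" the archive; no member is written to disk, so nothing can run.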
 
GSV Three Minds in a Can

Bitstring <[email protected]>, from the wonderful person
John Coutts said:
> **************** SEPARATOR ****************
> The addressee and addresser both come from the same place (the infected
> machine).

Apparently (judging from the ones I've seen) the =domain= of the
addresses is harvested, but the 'user name' part is invented out of thin
air.
(So they wind up being to/from <someone>@<mydomain>, but <someone> is a
name (mike, sam, jane, whatever) which has =never= been used on this
domain as an email address.) Weird.
 
Gabriele Neukam

On that special day, GSV Three Minds in a Can, ([email protected])
said...
> Apparently (judging from the ones I've seen) the =domain= of the
> addresses is harvested, but the 'user name' part is invented out of thin
> air.
> (So they wind up being to/from <someone>@<mydomain>, but <someone> is a
> name (mike, sam, jane, whatever) which has =never= been used on this
> domain as an email address.) Weird.

If you un-UPX the worm, you will find a lot of common personal names as
strings in the worm, obviously designed to create more recipient
addresses, some of which might be valid.


Gabriele Neukam

(e-mail address removed)
 
FromTheRafters

Alexander Fischer said:
> Hello,
>
> can someone tell me if actually opening an infected ZIP file can
> already infect my computer?

I wouldn't assume that it is safe on Windows. Not that I'm trying to
slam Microsoft, but they have established a reputation of making
formerly safe actions very unsafe. I don't know a lot about exploit
code, but I imagine it is possible for Microsoft to have screwed this
up too. While it is relatively safe to open HTML files from within
IE or OE (with appropriate security settings) it has been shown
that zipped HTML files - when unzipped - end up outside of the
zone which has those safer settings. It wouldn't surprise me much
if Windows Explorer (view as web page, or active desktop)
could be used to install malware. I suppose it might even be
possible to cause the download of a media player skin exploit if
a person were crafty enough. I'm not saying that I know of any
exploit in existence that makes *real* zip files dangerous to unzip,
only that Microsoft makes it very difficult to say for sure that any
previously safe action is completely safe.
 
Dave Blake

John Coutts said:
> The addressee and addresser both come from the same place (the infected
> machine). I cannot verify it yet, but there is some evidence that the receiving
> server name or IP address is also taken from the infected machine.

Can Novarg/Mydoom forge the bottom Received line IP address??

I am getting both infected emails and bounces to emails I have not
sent (my PC not infected!). As described, the From address is forged
and the To address has a (e-mail address removed) format. However, the
headers all show the same IP address [12.8.47.178] as the original
sender.

This is a privately owned IP, and the owner insists they are not the
source of the email because I am not in their address books and there
is nothing in their mailserver logs. They say it MUST be forged. Could
it be? Is there any way to tell? Or are they infected but in denial?

Anyone got any evidence? I can provide example headers if it will
help.

Dave
 
Gabriele Neukam

On that special day, Dave Blake, ([email protected]) said...
> Can Novarg/Mydoom forge the bottom Received line IP address??

It can't, but it may be coming in disguised as a *fake* bounce.

> However, the
> headers all show the same IP address [12.8.47.178] as the original
> sender.
>
> This is a privately owned IP, and the owner insists they are not the
> source of the email because I am not in their address books and there
> is nothing in their mailserver logs. They say it MUST be forged.

Sorry, but if it is coming from that IP number, it MUST be this machine.
Of course, MyDoom doesn't use Outlook (Express) for sending, but its own
SMTP "engine", which means Outlook won't even notice that something was
sent out, let alone keep a copy in the Sent folder.

Tell them that

- MyDoom can *guess* addresses (by putting popular first names into the
localpart)
- MyDoom reads addresses from Temporary Internet Files (ie home pages
with mailto entries) too, as well as other sources
- MyDoom doesn't leave a trace in the Outlook (Express) folders because
it is running in a separate process and
- MyDoom of course IS running on said IP number, and that they should
definitely get the Stinger or fxMyDoom (from F-Secure) to get rid of it.


Gabriele Neukam

(e-mail address removed)
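The distinction Gabriele draws, that the From: header is whatever the worm's own SMTP engine chose to write while the Received line stamped by the receiving server records the IP that actually connected, can be checked mechanically. The script below is an added example, not code from the thread: it walks the Received headers from the top (the last hop, added by your own MX) downward, stops at the first peer address that is not one of your own relays, and treats every Received line below that as sender-supplied and therefore unverifiable. The MTA names mx1.example.net and mail.example.net, the trusted relay IPs, and the sample message (which uses RFC 5737 documentation addresses, not the 12.8.47.178 address from the thread) are all assumptions constructed for the demonstration.

```python
import email
import re

# Assumed names and addresses of the receiving side's own MTAs (not from the
# thread). Only Received lines stamped "by" one of these hosts can be trusted;
# the bracketed peer IP in such a line is what the MTA saw on the wire.
TRUSTED_HOSTS = {"mx1.example.net", "mail.example.net"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

# Pulls "from <helo-name> ... [<ip>] ... by <host>" out of one Received header.
# re.S lets the lazy wildcards span folded continuation lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(value: str):
    """Return the HELO name, peer IP and receiving host from one Received line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")}


def analyze(raw: str) -> dict:
    """Separate what the message claims about itself from what our MTAs recorded."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]

    origin_ip = None
    unverified = []
    # Each MTA prepends its own Received line, so hops[0] is the last hop.
    # Walk downwards through lines stamped by our hosts; the first peer IP
    # that is not one of our own relays is the host that really connected.
    # Every line below it arrived inside the message and can say anything.
    for hop in hops:
        if origin_ip is None:
            if hop["by"] in TRUSTED_HOSTS and hop["ip"] not in TRUSTED_IPS:
                origin_ip = hop["ip"]
        else:
            unverified.append(hop["ip"])

    return {
        "claimed_from": msg.get("From"),   # header text; written by the sender
        "origin_ip": origin_ip,            # logged by our own MTA
        "unverified_hop_ips": unverified,  # sender-supplied, not evidence
    }


# Constructed sample: a message handed to mail.example.net by 203.0.113.45.
# The bottom Received line and the From: header are the sender's inventions.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx1.example.net with ESMTP id 1AbCdE-0001
 for <alex@example.net>; Tue, 27 Jan 2004 10:00:02 +0000
Received: from example.org (unknown [203.0.113.45])
 by mail.example.net with SMTP id 1AbCdE-0002
 for <alex@example.net>; Tue, 27 Jan 2004 10:00:00 +0000
Received: from mike-pc.example.com (mike-pc.example.com [198.51.100.7])
 by example.org with SMTP; Tue, 27 Jan 2004 09:59:58 +0000
From: mike@example.com
To: alex@example.net
Subject: hello

(body omitted)
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```

Feed `analyze()` the full raw headers of one of the bounces; if `origin_ip` comes back as the disputed address, that is the host that opened the SMTP connection to your server, regardless of what the owner's own mail logs show (a worm's private SMTP engine, or a relay abused by someone else, never passes through the mail server's logging). The From: address and anything in the unverified hops prove nothing either way.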
 
Dave Blake

Gabriele Neukam said:
> Sorry, but if it is coming from that IP number, it MUST be this machine.
> ...

Yes, you are right, that IP address was the source. Nothing to do with
an infected PC though, being in an address book or MS software etc.;
the server security had been compromised and someone was using it as a
relay to send out MyDoom/Novarg infected messages, forging my account
as the From address. Nasty :((

Took me a while to convince the owner that lack of evidence in the
mailserver logs did not mean his server was NOT sending the email.
Less arrogance and more knowledge on their part would have helped. But
MyDoom/Novarg via open relay is something to watch out for.

Dave
 
Gabriele Neukam

On that special day, Dave Blake, ([email protected]) said...
> the server security had been compromised and someone was using it as a
> relay to send out MyDoom/Novarg infected messages, forging my account
> as the From address. Nasty :((

Ouch. That means the mails haven't been sent by an unwary owner of an
infected machine, but on purpose. Call the FBI. You know that there is a
$500k reward on getting these virus spreaders?


Gabriele Neukam

(e-mail address removed)
 
