new worm KEYSTROKE LOGGER
Tricky 'MyDoom' e-mail worm spreading quickly
Worm launches attack on site for Unix owner SCO Group. It has a keystroke logger! |
Definitely a fast spreader.
Here's Symantec's description of the worm: http://securityresponse.symantec.com...varg.a@mm.html Not a Linux-Security issue; moved to General |
Wow! I went to work today, and when I came back, I had blocked 6 of these, and had reports in my mail! I'm glad I installed that virus scanner in my mail server now!
Ian |
Wow, I feel like getting myself a .edu email address. ;)
|
They stole the keystroke logging code from the FBI's Magic Lantern. Norton and McAfee said they wouldn't alert customers to the presence of this trojan, so that was the only way to get them to do their jobs. :o
http://www.sophos.com/virusinfo/arti...iclantern.html http://abcnews.go.com/sections/scite...dge011221.html http://www.techtv.com/cybercrime/pri...386018,00.html http://cc.uoregon.edu/cnews/winter20...iclantern.html http://msnbc.com/news/660096.asp http://www.worldnetdaily.com/news/ar...TICLE_ID=25471 |
MyDoom originated in Russia!
Hehe, another Windows virus...
But why does everybody blame it on the Linux community? MessageLabs says it originated in Russia where nobody would care about a US lawsuit. www.groklaw.com |
contemplating getting it on purpose...
|
Uh, williamwbishop, you might not want to do that. It takes over your internet connection by using all its bandwidth.
|
It's for a good cause, and I can always clean it tomorrow....
|
Heck, I want a more friendly app. I.e., I could start it before I go to school and stop it when I need to use the net.
|
You should not ever use wget to do anything like that.
|
You'd think these worms would get smarts. A smart worm would start an attack only hours after it was released, long before anyone could alert the world to a new worm, thus actually doing something that is meaningful, like a DoS attack on SCO and MS. (Not really meaningful, but it is to the virus writers, who are no doubt just out to hurt them.)
|
Quote:
There's one thing I feel like shouting: WINE WINE WINE! Oh send me the executable. |
Yes, it won't run under linux, but I also run windows....and aix, and solaris, and windows ce....you get the picture. I can dedicate a box to a good cause for a few days...
|
Quote:
in a Linux box anyway. Read the details in my post about 5 back, and post back when you understand why... Quote:
|
It's the purpose of the worm that is appealing. Getting rid of it is no problem..
|
Why doesn't someone post the code so we can see what it's doing? Is it illegal to allow a virus to knowingly run on your computer? I think it might be, at least in the U.S.
I think it's pretty damn funny that there are people actually asking for a worm! I can understand your thinking, but I wouldn't bother to contribute to something that affects normal people most of all. I had to clean four computers just yesterday of it, before I realized that I wouldn't mind reading through it some...
What's the status of the SCO Group and this lawsuit? Am I mistaken in thinking that I read that M$ is the second largest shareholder? Can anyone imagine what would happen if (when) M$ gets the legal rights to a majority of UNIX platforms?? |
I think I'll just use Mandrake until they get rid of the worm. :)
|
Well, if MyDoom has been developed to provide DoS against the SCO corp., I guess the SCO website would be hosted on a Unix server... and since someone just said that this virus also includes a key logger, I think it may affect Linux systems too...
In fact, I posted a thread on the Linux - Software forum as my downloads were freezing after some time... I was trying to download skins from winamp.com and the latest version of xmms from xmms.org... and I tried at least 20 - 25 times... The downloads suddenly froze, and immediately after that even clicking the download link didn't have any effect. I tried different browsers, but nothing seemed to help.... And now today, the downloads have gone through well.... I don't know what caused the downloads to freeze... but yes, I had opened the MyDoom virus attachment file from my RedHat box..... thinking that it wouldn't affect Linux... I would like to know the experiences of everyone here with their Linux system's performance and internet surfing.... Is it usual or did you notice something fishy.... Regards, amit |
I know people that saw a bit of slowness on Thursday. I have seen nothing at all unusual - but I have only been on with the Mac. Symantec says Linux is unaffected. Did you see the attachment creating files? It's "hiding" in Kazaa as Winamp5, RootkitXP, Officecrack and Nuke2004 (hoping for downloads, of course). It creates these:
%System%\Shimgapi.dll. Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198 (back door setup).
%Temp%\Message. This file contains random letters and is displayed using Doz Notepad.
%System%\Taskmon.exe.
I'm not sure how this would actually function on a Linux box... |
quote:
--------------------------------------------------------------------------------
When W32.Novarg.A@mm is executed, it does the following:
1. Creates the following files:
* %System%\Shimgapi.dll: Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
* %Temp%\Message: This file contains random letters and is displayed using Notepad.
* %System%\Taskmon.exe
--------------------------------------------------------------------------------
It will do absolutely nothing. First of all, DLLs can't operate in Linux; %SYSTEM% would have no value in Linux; none of the paths would work (MS uses backslashes); and lastly there are no .exe files in Linux. None of the mechanisms required to operate the virus are present. Hell, I doubt it could even damage WINE, so click away. |
There you have it, natalinasmpf. Squall has it right, except for one thing - there are some executables in Linux, but still not what's necessary for this little kiddie's worm.
|
Quote:
%system% is a variable you can set in wineconfig. The paths could work because Wine recognises them. And .exe files can run under Wine. So there. It just doesn't start at boot, WHICH IS A GOOD THING. |
A record is set at LQ
Quote:
Holy f***ing s***, someone actually agreed with me. Record Number 2- Holy f***ing s***, I think that I may actually now agree with natalinasmpf. I'm no expert in WINE, so I'm going to assume that you're right. |
I'm not an expert in WINE, but from my understanding a Windows virus shouldn't work under WINE. Because WINE is a re-write of the Windows API, the underlying code isn't going to be identical, which causes some problems with Windows viruses. The only actual test I've seen was someone testing out Sobig.F on WINE, which just caused it to crash, but didn't actually infect the WINE filesystem or do any of the mass-mailing nastiness. Though it is feasible for someone to write a virus which is "WINE-aware" and upon virus execution, it does a check (of Registry Keys or whatever) to see if the OS is truly Windows or if it's WINE, in which case it would run a modified WINE-specific subroutine.
Another problem with that theory. Just because WINE is supposed to be similar to Windows doesn't mean that programs running under WINE can somehow throw all the standard Linux permissions out the window and do whatever they like. User-level permissions shouldn't allow it to do things like use raw sockets or modify Linux system files. Again, I'm not a WINE expert, but I believe at the very worst it may corrupt the WINE install, but I don't think it could seriously damage the Linux OS. From the tests I've seen of malicious code run in WINE, that seems to be the case as well. |
If Wine has a Mac-like permissions structure, this is my guess - the moment the worm tries to create a file, be it Shimgapi.dll or whatever, the execution should cause the OS to see an instruction that only root or admin should be allowed to engage. At that moment, it should prompt the active user for the password to continue. If an admin is on-line... well... and we all know Linux root never should be...
|
I think the whole point of running it under wine was to enable the ddos capability while maintaining control over your system. ;)
|
Anyone who has this virus - please send it to me! Something along the lines of virii@thymox.uklinux.net would be good. I love poking around in Windows virii, seeing what makes them tick, etc.
Please do not worry about me infecting further people - the only box that receives email at that address is a Linux-only box. Cheers. |
Quote:
Wish I'd seen this earlier. I had 2 copies of it this morning. If I see another I'll send it along! If you have anything else to request and I'm not on LQ, witeshark@cybermax.net me! |
Re: A record is set at LQ
Quote:
The dlls and exes that Wine uses have an extension added, and a file that doesn't have this extension won't run. Of course, the original discussion assumed that these worms would NOT affect a Linux distro as written. Which is still the truth. Look at these ->
-rwxr-xr-x 1 root root 913806 Dec 14 21:29 notepad.exe.so*
-rwxr-xr-x 1 root root 2502714 Dec 14 21:29 ntdll.dll.so*
I guess if you had nothing better to do than to try and help these worms execute inside your Linux OS via Wine, CrossOver Office, or VMWare - well, maybe you could. But I say, just boot into Doze and destroy it the best way you can :} |
Quote:
Hardly, it's just a "correction dll" for known problems, I think. Wine CAN STILL UNDERSTAND CALLS TO OTHER DLLs. The dlls and exes that Wine uses DO NOT NEED AN EXTENSION added; the rest are object files to correct Windows-only calls into Linux calls for certain situations. |
Thymox: I found another copy and sent it in case you are here before seeing e-mail
|