new worm KEYSTROKE LOGGER

witeshark · 01-26-2004, 10:10 PM

Tricky 'MyDoom' e-mail worm spreading quickly
Worm launches attack on site for Unix-owner SCO Group
it has a keystroke logger!

Capt_Caveman · 01-26-2004, 10:37 PM

Definitely a fast spreader.

Here's Symantecs description of the worm:
http://securityresponse.symantec.com...varg.a@mm.html

Not a Linux-Security issue; Moved to General

green_dragon37 · 01-26-2004, 10:53 PM

Wow! I went to work today, and when I came back, I had blocked 6 of these, and had reports in my mail! I'm glad I installed that virus scanner in my mail server now!

Ian

natalinasmpf · 01-27-2004, 07:48 AM

Wow, I feel like getting myself a .edu email address.

Crito · 01-27-2004, 05:29 PM

They stole the keystroke logging code from the FBI's Magic Lantern. Norton and McAfee said they wouldn't alert customers to the presence of this trojan, so that was the only way to get them to do their jobs.

http://www.sophos.com/virusinfo/arti...iclantern.html
http://abcnews.go.com/sections/scite...dge011221.html
http://www.techtv.com/cybercrime/pri...386018,00.html
http://cc.uoregon.edu/cnews/winter20...iclantern.html
http://msnbc.com/news/660096.asp
http://www.worldnetdaily.com/news/ar...TICLE_ID=25471

Squall · 01-27-2004, 05:47 PM

Quote:

Originally posted by natalinasmpf
Wow, I feel like getting myself a .edu email address.

yeah, i guess the virus writer had SOME heart. I don't know why people open these emails anyway, they're just asking for a virus.

apache363 · 01-28-2004, 09:59 AM

Hehe, another Windows virus...
But why does everybody blame it on the Linux community?
MessageLabs says it originated in Russia
where nobody would care about a US lawsuit.
www.groklaw.com

williamwbishop · 01-28-2004, 10:43 AM

contemplating getting it on purpose...

apache363 · 01-28-2004, 11:48 AM

Uh, williamwbishop, you might not want to do that. It takes over your internet connection by using all its bandwith.

williamwbishop · 01-28-2004, 12:11 PM

It's for a good cause, and I can always clean it tomorrow....

natalinasmpf · 01-28-2004, 05:14 PM

Heck, I want a more friendly app. Ie. I could start it before I go to school and stop it when I need to use the net.

Capt_Caveman · 01-28-2004, 08:06 PM

You should not ever use wget to do anything like that.

Bruce Hill · 01-28-2004, 08:59 PM

Quote:

Originally posted by williamwbishop
contemplating getting it on purpose...

I opened it with Ark in a /tmp subdirectory when the first document.zip made it to my Inbox. Then looked at the document.exe file. If I am correct, it can't do anything to a Linux box because this is what it does...

Quote:

When W32.Novarg.A@mm is executed, it does the following:

1. Creates the following files:
* %System%\Shimgapi.dll: Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
* %Temp%\Message: This file contains random letters and is displayed using Notepad.
* %System%\Taskmon.exe:

I'm no Linux expert, but if I'm correct, this particular worm can't do anything to a Linux system. Is this correct?

witeshark · 01-28-2004, 09:10 PM

Quote:

Originally posted by Capt_Caveman
Definitely a fast spreader.

Here's Symantecs description of the worm:
http://securityresponse.symantec.com...varg.a@mm.html

Not a Linux-Security issue; Moved to General

apparently not any threat to Linux/Mac/Unix. even win3.1 seems unthreatened

SciYro · 01-29-2004, 12:14 AM

u think these worms would get smarts, a smart worm would srat and attack in like only hours after it was relaesed, long b4 anyone could alert the worl of a new worm, thus acutaly doing somthing that is meaningful, like dos attack sco and ms? (not realy meaningful, but it is to the virus wirters who are no doupt just out to hurt them)