ALERT: Extra caution with attachments!
Thread author: CHENOUMI (X) (English → French + ...)
As you may know, the Mydoom worm has been rampaging the Internet since yesterday.
Emails carrying it often look like they may be coming from your ISP with subject lines such as "test" or "Server Report" or even "Delivery Status Notification (Failure)," and more. Some even come from addresses you know or domains you are familiar with and a "Hi" or "Hello" in the subject line.
The attachment is around 20K in size; total message, around 32K.
Opening it with a PC will weaken your machine's security and spread the worm. Please read this interesting article from CNet about the spread and virulence of that latest threat at the following address:
http://news.com.com/2100-7349-5148347.html?part=dht&tag=ntop.
Surf safely!
Sandra:)
[Edited at 2004-01-28 07:45]

CHENOUMI (X) (English → French + ..., topic starter) | Additional info. | Jan 28, 2004
Some more info on this worm. It may contain the following:
Message (one of the following):
· Mail transaction failed. Partial message is available.
· The message contains Unicode characters and has been sent as a binary attachment.
· The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Subject (one of the following):
· test
· hi
· hello
· Mail Delivery System
· Mail Transaction Failed
· Server Report
· Status
· Error
Attachment (one of the following):
· document
· readme
· doc
· text
· file
· data
· test
· message
· body
with .pif, .exe, .doc, .zip, .cmd, .scr, .bat. Example: document.zip

chance (X) (French → Chinese + ...) | Be careful! | Jan 28, 2004
Yesterday and today I got, and am still getting, dozens of these kinds of mails. Fortunately, the anti-virus “Bit Defender” stopped them all, indicating that they are infected with Win32.Novarg.A@mm.

CHENOUMI (X) (English → French + ..., topic starter)
chance wrote:
Yesterday and today I got, and am still getting, dozens of these kinds of mails. Fortunately, the anti-virus “Bit Defender” stopped them all, indicating that they are infected with Win32.Novarg.A@mm.
As a matter of principle, I never open any attachment from unknown senders...
Merci! :)
[Edited at 2004-01-28 11:02]
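An added example, not part of the thread: a small Python triage that checks a raw message against the subject, message-text and attachment-name lists from the "Additional info" post above. The executable extensions follow that post and the article quoted later (EXE, CMD, PIF, SCR, BAT); a .zip attachment is opened and its member names checked, since the post's example is document.zip. Both sample messages are constructed here, and the "executable" inside the zip is a two-byte "MZ" stub, not any real worm body.

```python
"""Triage an RFC 822 message for the Mydoom lure patterns listed in the thread."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure strings copied from the forum post; compared case-insensitively with
# whitespace collapsed, so line-wrapped bodies still match.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent "
    "as a binary attachment.",
}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXEC_EXTS = {"pif", "exe", "scr", "cmd", "bat"}
ARCHIVE_EXTS = {"zip"}


def _norm(text):
    return " ".join(str(text or "").lower().split())


def _split_name(filename):
    """'document.txt.pif' -> ('document', 'pif'); lures often carry a double extension."""
    parts = (filename or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    return parts[0], ext


def _zip_members(blob):
    """Member names of a zip payload, or [] if it is not a readable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return a list of indicator strings for a raw message; [] means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "")
    if _norm(subject) in SUBJECTS:
        hits.append(f"subject lure: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and _norm(body.get_content()) in BODIES:
        hits.append("body lure: fake bounce text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = _split_name(name)
        payload = part.get_payload(decode=True) or b""
        if stem in NAMES and ext in EXEC_EXTS:
            hits.append(f"executable attachment with lure name: {name}")
        elif ext in ARCHIVE_EXTS:
            inner = [m for m in _zip_members(payload) if _split_name(m)[1] in EXEC_EXTS]
            if inner:
                hits.append(f"archive {name} hides executable(s): {inner}")
    return hits


def build_sample_lure():
    """Constructed message shaped like the thread's description; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ" + b"\x00" * 64)  # placeholder stub, not malware
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"   # forged sender, as the thread describes
    msg["To"] = "translator@example.org"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed ordinary message with a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "client@example.com"
    msg["To"] = "translator@example.org"
    msg["Subject"] = "Re: contract translation"
    msg.set_content("Hi, the glossary for the contract is attached.")
    msg.add_attachment("term\ttranslation\n", filename="glossary.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_lure()))     # three indicators
    print(triage(build_sample_benign()))   # []
```

The checks are deliberately exact-match on the lure strings; a production filter would also block executable attachments regardless of name, which is what the posters' "never open unknown attachments" rule amounts to.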
Narasimhan Raghavan | Some more information about the Mydoom worm | Jan 29, 2004
This is what I got from the magazine "About.com computer":
Url:http://65.54.168.250/cgi-bin/linkrd?_lang=DE&lah=d6f3bfae3eb942eb36f0ef9d80b53c7a&lat=1075333413&hm___action=http://slclk.about.com/?zi=1/Iqg
Worm spells MyDoom for SCO
And uses antivirus software to DoS users
Jan 28 2004
Dubbed Mydoom, Mimail.R, Novarg, or Shimg depending on the antivirus vendor, a worm discovered on January 26th, 2004 has created a headache for users. The worm spoofs the From address, causing lots of innocent folks to be blamed for sending the worm. The fact is, the one person who is most likely not to be infected is the person whose name appears in the From field of the email.
Worse, antivirus alerts are once again contributing to the mess. As was the case with Sobig.F, the vendor alerts have become part of the Mydoom problem.
The alerting problem begins when one of the infected emails is detected by the ISP or domain antivirus solution. The antivirus software, depending on the administrator's configuration, may then send an alert to the recipient and to the alleged sender. Of course, when the sender name is falsified, this means innocent folks are accused of sending a virus when in fact they are not the infected party. The confusion and chaos only gets worse. Many of these antivirus products will send the actual infected message to this alleged sender, meaning they have now received the virus. If they open the email and the attachment to see what it is they supposedly sent, they then risk becoming infected. The volume of erroneous antivirus alerts is so high, it is quickly outpacing the number of actual Mydoom emails. In fact, some contend that the antivirus alerts are themselves a form of DoS (Denial of Service) attack.
Using antivirus software to DoS email users is not the only trick up Mydoom's sleeve. The worm also launches a Distributed Denial of Service (DDoS) attack against the well-known UNIX vendor, SCO.com. Every second, from every infected computer worldwide, Mydoom (a.k.a. Mimail.R) sends a GET request to the website in an apparent attempt to overload the webserver.
Much controversy has surrounded SCO after claiming last December that the Linux operating system was violating their intellectual property rights in UNIX. "There are a lot of kids out there who feel like SCO's attacking them", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently some of them decided that it's OK to attack back."
The Mydoom worm spreads via email and the P2P network KaZaA. The email message composed by the worm has a spoofed Sender name and the Subject will be one of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
The text of the email will be either:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- or -
The message contains Unicode characters and has been sent as a binary attachment.
- or -
Mail transaction failed. Partial message is available.
The attachment will have either an EXE, CMD, PIF, or SCR extension, or it may be a ZIP archive, and will have one of the following filenames:
document
readme
doc
text
file
data
test
message
body
The attachment's icon may appear to be an icon normally associated with a TXT file, despite the fact that the attachment itself is an executable. To mask its intentions, when executed the worm first launches Notepad, filling the page with random text. Behind the scenes, the worm drops a copy of itself to the Windows System folder (usually C:\Windows\System) as taskmon.exe. This has caused some confusion among Windows 95/98/ME users, as there is a legitimate file named taskmon.exe, but that file resides in the C:\Windows folder, not C:\Windows\System.
Mydoom also searches the System Registry to determine if KaZaA is installed and, if so, what directory is being shared by the user. It then drops a copy of itself to the shared KaZaA folder using one of the following names and a BAT, PIF, SCR, or EXE extension:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
This allows the worm to infect KaZaA users who download and execute one of the infected files, causing further spread on the P2P network. To spread via email, the Mimail.R (a.k.a. Mydoom) worm harvests addresses from WAB, ADB, TBB, DBX, ASP, PHP, SHT, HTM, and TXT files found on the infected system. The worm code also contains text strings which it can use to randomly create addresses if no other addresses are found.
The worm also creates the file shimgapi.dll in the Windows\System directory, registering this file as a child process of EXPLORER.EXE. Shimgapi.dll opens and listens on ports 3127 through 3198. This backdoor could be used to download further malicious code to the system.
Take care and good luck,
N. Raghavan

percebilla (Spanish → English + ...) | ProZ e-mail? | Jan 29, 2004
Thank you so much for the helpful explanations about viruses! I am still new to this medium and am a bit worried about an e-mail I opened the other day. It did not come directly from infoproz but rather from one "troy" with infoproz as the heading. I didn't really take in the message as I closed it again rapidly, realising my mistake. My son, whose PC I use, is very worried I may have let in a virus... Please, has anyone else received such a message from someone called troy at infoproz? I await with bated breath...

Monika Coulson (Member since 2001, English → Albanian + ..., site localisation participant) | It is spoofed most likely | Jan 29, 2004
Dear Percebilla,
the email heading was probably spoofed. You may have received a virus from a ProZ.com user who might be infected. The ProZ.com address (troy or [email protected]) was spoofed. This is very common for this virus and for other viruses in general. If you get an attachment in an email apparently from ProZ.com, don't open it. If you did not open the attachment, then I do not believe your computer is infected.
Good luck,
Monika
percebilla wrote:
Please, has anyone else received such a message from someone called troy at infoproz?

CHENOUMI (X) (English → French + ..., topic starter) | No, I have not. | Jan 29, 2004
percebilla wrote:
Please, has anyone else received such a message from someone called troy at infoproz?
No percebilla, I have not received such emails from ProZ.com. Please bear in mind that email notifications we receive from ProZ do not come with attachments.
Monika did a good job explaining the details. Hope you solve your problem soon.
See you soon, and welcome among us!
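An added example, not from the thread or from the About.com article: a Python check for the host-side traces that Narasimhan's post attributes to the worm, which is the practical question percebilla is asking. It looks for taskmon.exe and shimgapi.dll in the Windows System folder and for a TCP listener on 3127 through 3198, reading a directory listing and the text of `netstat -an`. The folders and netstat lines below are constructed for the demo; the only thing separating the worm's taskmon.exe from the legitimate Win9x one is the folder it sits in, exactly as the article says, so the function takes the System folder path and not C:\Windows.

```python
"""Host-side check for the traces the About.com article attributes to Mydoom."""
import os
import re
import tempfile
from pathlib import Path

# File names the article says the worm drops into the Windows System folder.
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
# shimgapi.dll listens on 3127 through 3198 inclusive, per the article.
BACKDOOR_PORTS = range(3127, 3199)
# Matches a Windows "netstat -an" listener line such as
#   TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
# The greedy \S+ also copes with IPv6 forms like [::]:3127.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def dropped_files(system_dir):
    """Names from DROPPED_FILES present in system_dir (case-insensitive, like NTFS/FAT)."""
    present = {name.lower() for name in os.listdir(system_dir)}
    return [name for name in DROPPED_FILES if name in present]


def backdoor_listeners(netstat_text):
    """Sorted listening TCP ports that fall inside the backdoor range."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            port = int(match.group(1))
            if port in BACKDOOR_PORTS:
                ports.add(port)
    return sorted(ports)


def assess(system_dir, netstat_text):
    """Combine both checks into a list of findings; [] means nothing matched."""
    findings = [f"dropped file: {name}" for name in dropped_files(system_dir)]
    findings += [f"backdoor listener on tcp/{port}"
                 for port in backdoor_listeners(netstat_text)]
    return findings


def demo():
    """Constructed scenario, not real system data: an 'infected' System folder plus
    netstat dump, and a clean pair. Returns (infected_findings, clean_findings)."""
    netstat_infected = (
        "  Proto  Local Address          Foreign Address        State\n"
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
        "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING\n"
        "  TCP    192.168.0.5:1042       198.51.100.7:80        ESTABLISHED\n"
    )
    netstat_clean = (
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
        "  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING\n"
    )
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        Path(infected, "TASKMON.EXE").touch()   # upper case: Windows names are case-insensitive
        Path(infected, "user32.dll").touch()
        Path(clean, "user32.dll").touch()
        return assess(infected, netstat_infected), assess(clean, netstat_clean)


if __name__ == "__main__":
    for label, findings in zip(("infected", "clean"), demo()):
        print(label, findings or "no indicators")
```

On a real machine you would pass the actual System folder (C:\Windows\System on Win9x, %SystemRoot%\System32 on NT-based Windows) and the captured output of `netstat -an`; a hit on either check means the attachment was executed, while a clean result is consistent with Monika's view that an unopened attachment does nothing.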
CHENOUMI (X) (English → French + ..., topic starter) | Thank you, Narasimhan | Jan 29, 2004
for this wealth of info!
Narasimhan Raghavan wrote:
This is what I got from the magazine "About.com computer":
Url:http://65.54.168.250/cgi-bin/linkrd?_lang=DE&lah=d6f3bfae3eb942eb36f0ef9d80b53c7a&lat=1075333413&hm___action=http://slclk.about.com/?zi=1/Iqg
Worm spells MyDoom for SCO
And uses antivirus software to DoS users
percebilla (Spanish → English + ...) | Thank you a million | Jan 29, 2004
Many, many thanks for the rapid replies from Monika, Chenoumi and Raghavan. I will show these replies to my son, who will no doubt also be grateful for all the tips and explanations. In future I will refrain from opening such letters and keep my fingers crossed I've not done anything irreparable. Thanks again. It's consoling to find such helpful people on this site.