Message-ID: <000001c3e47b$c0f61950$21ef0118@CL1FF2>
From: Logan5 at Logan5.com (Logan5)
Subject: W32.novarg.a - Highly distributed mass mailer

Is the programmer a Matrix fan?  Found this decoding the .zip and .scr
(sanitized for your protection):

@1A1Ch:
Sack_i..+D.k=.smith[C.+_.m.B...h...&joe?neo/...

Funny to see both Agent Smith and Neo on the same few bytes of code :)

Nice to see the AV co.'s respond so fast.

-

-----Original Message-----
From: Nick FitzGerald [mailto:nick@...us-l.demon.co.uk] 
Sent: Monday, January 26, 2004 6:39 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] W32.novarg.a - Highly distributed mass mailer


Michael Skaff <michael@...lsign.com> wrote:

> Apologies if this is off topic, but I thought it merited posting, 
> given the distribution.
> 
> Norton has also tagged the same worm referenced in the previous posting from
> McAfee, but they're calling it Novarg.  No details yet.    We've seen a
> variety of file names and subject headers, although "Hi", "Hello" seem
> to be the most popular so far.  "Text" "File" and "Message" seem to be
> popular file names.  We are seeing ~25/hr @ the gateway, and rising.

You will see a lot more -- this seems to have gone ballistic...

BTW, NAV detecting it as "Novarg" and Trend as "Mimail.R" is just 
another case of multiple labs working on the same massive outbreak 
independently before realizing just how widespread it was (or at least 
had realistic potential of reaching).  I have heard from analysts at 
Symantec that they will rename it Mydoor to be in keeping with the bulk 
of the other developers, and Trend is pretty good about renaming things 
in such situations, so I guess they will follow suit too.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

