MIMAIL/MyDoom/Novarg Email Virus Continues; H.323 Problems in Firewalls

Published: 2004-01-27. Last Updated: 2004-01-27 23:48:29 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
MIMAIL/MyDoom/Novarg Email Virus Continues

Beginning about 5 pm EST (2200 UTC) yesterday we began receiving a flood of email containing a malicious attachment. To visually see what has been arriving at our servers, we have two graphs available. We are showing emails per 10 minutes at
http://isc.sans.org/images/virus.png and emails per hour at
http://isc.sans.org/images/virus2.png . Notice the drop-off overnight followed by the rapid increase this morning as people came to work. There was a spike for the east coast workers and another increase as the west coast came to work. The time across the bottom is EST. Today's increase started at about 8 am Central European time, again corresponding roughly to the time workers began opening their mail. This afternoon there has been a gradual decrease as the infected computers are brought under control. While no new variants have been detected yet, it would not be unexpected to see modified versions appear in the next few days.



A very detailed writeup of the events surrounding this malware including analysis and discussions by the Trojan Horses Research Mailing List is available online at http://www.math.org.il/newworm-digest1.txt .



We considered moving the INFOCON to yellow but once we saw that the AV companies had updated their signatures within an hour or so of the outbreak we decided to leave it at green. If the situation changes we'll re-evaluate the INFOCON and make a change as needed.



All of the major antivirus software companies have updated their signature files overnight. As usual, this piece of malware goes by different names:



W32/Mydoom@MM

http://vil.nai.com/vil/content/v_100983.htm




Novarg (F-Secure)

http://www.f-secure.com/v-descs/novarg.shtml




W32.Novarg.A@mm (Symantec)

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html




Win32/Shimg (Computer Associates)

http://www3.ca.com/virusinfo/virus.aspx?ID=38102




WORM_MIMAIL.R (Trend)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R



Analysis shows that a denial of service attack directed at www.sco.com will begin on February 1, 2004 from all infected computers. This DoS will be the result of the infected machines making multiple requests of SCO's main web page. It is also scheduled to stop spreading on February 12, 2004. SCO has offered a reward for information leading to the arrest of the malware author:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89470,00.html




Many email systems are clogged with inbound infected email as well as numerous "helpful" email messages from antivirus software on servers that send error messages back to the apparent sender of the malware. This particular piece of malware forges the return address, so we ask that email administrators disable the auto-reply feature for the next day or two in order to cut back on the amount of unnecessary email traffic generated by this event.


H.323 Problems in Firewalls

The University of Oulo in Finland recently released their findings
( http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html )
concerning multiple vulnerabilities in the H.323 protocol. This protocol is primarily used for video conferencing and Voice Over IP (VOIP) applications. It was reported that Check Point FireWall-1 and VPN-1 products are vulnerable to the H.323 security tests recently conducted by NISCC ( http://www.uniras.gov.uk/vuls/2004/006489/h323.htm ) based on the University of Oulu Security Programming Group (OUSPG) test suite. Check Point did not provide any details regarding the specific impact on the products. The report indicates that VPN-1 parses H.323 messages by default but FireWall-1 does not. More details are available at:

http://www.checkpoint.com/techsupport/alerts/h323.html
http://www.securitytracker.com/alerts/2004/Jan/1008846.html


tcp/1387

We received a request from a user wanting to know if others are seeing an increase in activity aimed at tcp/1387. Our database shows an increase late yesterday over what could be considered "normal" for the past few days so perhaps there is something worth investigating. If you are seeing increased traffic on that port and can do a full packet capture please forward it to us for analysis. Thanks!




Marcus H. Sachs

The SANS Institute



Keywords:
0 comment(s)

Comments


Diary Archives