
Thread: New w32.novarg.@worm

  1. #1
    wms (Moderator)

    New w32.novarg.@worm

    Guys,

    A new worm was discovered today called "W32.Novarg".

    It shows up in your e-mail box with a "spoofed" e-mail from your IP; mine was spoofed with a name of a friend on the same IP, so it looked legit. And it showed as a txt file. Safe, right? NOT.

    It contains a file called "Text.txt" or similar.

    If you don't have today's (1/26/04) latest virus definitions, it won't show up as a virus; then when you open it, it writes to the REG and installs some .dll files to your system.

    It is a DOD and mass e-mail worm.

    It's a real pain to remove, reg edits and rescans. Even then some of the files can't be removed, just quarantined.


    So be careful and download the latest definitions from your virus provider.

    Symantec has removal info if you need to remove it.
    (Note: The opinions expressed in this post are my own and are not necessarily those of CNCzone and its management)


  2. #2
    Gold Member
    Thanks Ward, I just did that two days ago and sure enough there was a rather large "New Virus Definitions" tonight.


    I don't play Russian roulette, so I never ever open attachments that I am not previously made aware of or included in a reply that I am aware of.


  3. #3
    wms (Moderator)
    Good policy Ken.

    I always scan even then as to try and make sure.

    I just got caught by this one. (dark)


  4. #4
    Registered
    I just got done doing 4 hours of firewall changes for my company, so I will relay a bit of information:

    The payload looks to be a denial-of-service attack against www.sco.com, so if your internet access becomes very, very slow you might want to virus scan your systems.

    It also installs a back door trojan that uses port 3127, so if you have a firewall that can block inbound and outbound traffic, I suggest you block TCP 3127.


  5. #5
    wms (Moderator)
    Thanks Bcromwell,


    Symantec now says it is using ports TCP 3127 thru TCP 3198.
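
A way to check a host for the backdoor listener described in posts #4 and #5, as an added example that is not part of the original thread: it parses Windows `netstat -an` output and flags TCP activity on ports 3127 through 3198. The sample output, addresses and function names are constructed for illustration.

```python
import re

# Port range as reported in the thread: TCP 3127 (post #4), 3127 thru 3198 (post #5).
BACKDOOR_PORTS = range(3127, 3199)

# One TCP row of Windows `netstat -an`: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample output, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3127      203.0.113.9:4412       ESTABLISHED
  TCP    192.168.1.20:3150      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.20:1044      192.168.1.31:3128      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def parse(text):
    """Yield (local_addr, local_port, remote_addr, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5].upper()

def find_suspicious(text):
    """Return (severity, endpoint, reason) tuples for rows touching the port range."""
    rows = list(parse(text))
    listening = {lp for _, lp, _, _, st in rows
                 if st == "LISTENING" and lp in BACKDOOR_PORTS}
    findings = []
    for la, lp, ra, rp, st in rows:
        if st == "LISTENING" and lp in listening:
            findings.append(("high", f"{la}:{lp}", "local listener in reported range"))
        elif st == "ESTABLISHED" and lp in listening:
            findings.append(("high", f"{ra}:{rp}", "remote peer connected to that listener"))
        elif st == "ESTABLISHED" and rp in BACKDOOR_PORTS:
            findings.append(("medium", f"{ra}:{rp}", "outbound session to a port in the range"))
        # A local port in the range with no listener is ignored: it is most
        # likely an ephemeral source port (1025-5000 on Windows of that era).
    return findings

if __name__ == "__main__":
    for severity, endpoint, reason in find_suspicious(SAMPLE):
        print(f"[{severity}] {endpoint}: {reason}")
```

Medium findings need review before acting on them, since 3128 is also the default port of the Squid proxy.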


  6. #6
    CNCadmin (Site Owner)
    Just got 20 emails with the virus.
    Thank You,
    Paul G
    Site Owner-Webmaster-
    Administrator
    www.rfqwork.com
    www.cnczone.com
    www.welderzone.com


  7. #7
    HomeCNC (Registered)
    SCO is messing with the free open source of LINUX and pissed off some programmer people.
    Thanks

    Jeff Davis (HomeCNC)
    http://www.homecnc.info



