BSST successfully stops the serious W32/Novarg.A infection in real time
January 27 2004
The W32/Novarg.A worm has become the fastest-spreading virus to date, with 1 in 12 emails now infected, a larger share than the SoBig worm reached.
BSST (Broadweb Security Service Team) released the latest pattern, NK Pattern 2.30, on Jan 27 2004, as soon as the virus was discovered and reported on the Internet.
We successfully stopped over 1.2 million attacks within the last 24 hours.
Overview
A new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom was reported by CERT/CC on Jan 27, 2004.
The virus could also open 'backdoors', allowing hackers to take control of infected computers.
Description
The W32/Novarg.A virus attempts to do the following:
Modify various Windows registry values so that the virus is run again upon reboot
Open a listening TCP port in the range of 3127-3198, suggesting remote access capabilities
Install a copy of itself in the C:\Program Files\KaZaA\My Shared Folder\ folder, which will be available for download by KaZaA users
The virus arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive.
Solutions
For BroadWeb NetKeeper users, please update your NK pattern to 2.30, which blocks W32/Novarg.A, W32/Shimg, and W32/Mydoom.
In addition, we suggest that network administrators filter TCP ports 3127-3198 on their firewalls or routers to prevent further damage.
The details of the NK 2.30 pattern are as follows:
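The two indicators the advisory gives a defender to work with are the mail attachment profile in the Description (a 22,528-byte .cmd/.pif/.scr/.exe/.bat file, possibly inside a ZIP) and the TCP 3127-3198 listener range that the port-filter recommendation targets. The script below is an added example, not NetKeeper code or anything from BroadWeb: it applies those indicators to constructed mail-gateway records and firewall log lines. The log line format, field names, addresses and file names are all constructed for illustration.

```python
"""Triage constructed mail-gateway records and firewall log lines against the
W32/Novarg.A indicators quoted in the advisory.

Added example for this advisory; not NetKeeper code. The log format, field
names, sample addresses and file names are constructed for illustration.
"""
import io
import re
import zipfile

# Indicators taken from the advisory text.
NOVARG_ATTACHMENT_SIZE = 22528                       # bytes
NOVARG_EXTENSIONS = {".cmd", ".pif", ".scr", ".exe", ".bat"}
NOVARG_PORTS = range(3127, 3199)                     # TCP 3127-3198 inclusive


def _ext(name):
    """Lower-cased final extension of a filename ('' if it has none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def zip_member_names(data):
    """Member names of a ZIP archive given as bytes; [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def attachment_indicators(filename, size, zip_data=None):
    """Return the advisory indicators an attachment matches ([] means clean).

    A bare executable must match BOTH the extension list and the 22,528-byte
    size, which keeps ordinary executables of other sizes from firing.  A ZIP
    is judged by the extensions of its members, so the outer .zip name does
    not hide the payload; its own size is not meaningful because of compression.
    """
    hits = []
    ext = _ext(filename)
    if ext == ".zip" and zip_data is not None:
        bad = [m for m in zip_member_names(zip_data) if _ext(m) in NOVARG_EXTENSIONS]
        if bad:
            hits.append("zip contains executable member(s): " + ", ".join(bad))
    elif ext in NOVARG_EXTENSIONS and size == NOVARG_ATTACHMENT_SIZE:
        hits.append(f"executable attachment {ext} of exactly {size} bytes")
    return hits


# Constructed firewall log format: "<ts> TCP <src>:<sport> -> <dst>:<dport> <flags>"
FW_LINE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def backdoor_port_indicator(line):
    """Flag a TCP connection attempt (SYN) to a destination port in 3127-3198.

    That is the range the advisory recommends filtering: a SYN towards one of
    these ports on an internal host is a candidate attempt to reach the
    worm's listener.  Returns a description string, or None for no match.
    """
    m = FW_LINE.match(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if dport in NOVARG_PORTS and "SYN" in m.group("flags"):
        return f"{m.group('src')} -> {m.group('dst')}:{dport} (Novarg listener range)"
    return None


def triage_firewall(lines):
    """Run backdoor_port_indicator over many log lines, keeping only the hits."""
    return [hit for hit in map(backdoor_port_indicator, lines) if hit]


def build_sample_zip(member, size):
    """Constructed test fixture: a ZIP holding one zero-filled member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"\0" * size)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed mail-gateway records: (attachment name, size, raw bytes if ZIP)
    sample_zip = build_sample_zip("document.scr", NOVARG_ATTACHMENT_SIZE)
    for name, size, data in [("qxzkm.pif", 22528, None),
                             ("report.doc", 22528, None),
                             ("document.zip", len(sample_zip), sample_zip)]:
        print(name, attachment_indicators(name, size, data) or "clean")
    # Constructed firewall log lines (RFC 5737 documentation addresses).
    print(triage_firewall([
        "2004-01-27T10:16:44 TCP 192.0.2.10:51234 -> 198.51.100.7:3127 SYN",
        "2004-01-27T10:16:45 TCP 192.0.2.10:51235 -> 198.51.100.7:443 SYN",
        "2004-01-27T10:16:46 TCP 192.0.2.11:40001 -> 198.51.100.8:3198 SYN",
    ]))
```

Requiring both the extension and the exact size for a bare attachment follows the advisory's description of the sample; a ZIP is opened and judged by what it contains, since the outer name alone says nothing. The firewall check only reports SYNs, so established traffic that happens to use a source port in the range does not trigger it.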
*** 2.30 release note ***
40 anomaly detection rules
1337 misuse detection rules
total: 1377
modified 18 patterns:
1050353 Virus - W32/BugBear.B
1050426 Virus - W32/Swen
1050427 Virus - W32/Gibe.B
1050331 Virus - W32/Fizzer Worm
1050332 Virus - W32/Fizzer Worm.s1
1050333 Virus - W32/Fizzer Worm.s2
1050334 Virus - W32/Fizzer Worm.s3
1050575 Worm.Mimail.L - 1
1050576 Worm.Mimail.L - 2
1050577 Worm.Mimail.L - 3
1050583 Worm.Mimail.M - 3
1050584 Worm.Mimail.M - 3
1050585 Worm.Mimail.M - 3
1050699 WEB-MISC cross site scripting (javascript:) attempt
4043309079 OVER_TCP_CONN
1050561 SMTP XEXCH50 overflow attempt
1050560 SMTP XEXCH50 overflow with evasion attempt
1050559 SMTP AUTH LOGON brute force attempt
added 13 virus patterns:
1050839 Worm.Bagle.A - 3
1050841 Worm.Mimail.P - 1
1050842 Worm.Mimail.P - 2
1050843 Worm.Mimail.P - 3
1050844 Trojan.Dropper.Mimail.P - 1
1050845 Trojan.Dropper.Mimail.P - 2
1050846 Trojan.Dropper.Mimail.P - 3
1050840 Worm.Novarg.A
1050850 Worm.Novarg.A.ZIP - 1
1050851 Worm.Novarg.A.ZIP - 2
1050852 Worm.Novarg.A.ZIP - 3
1050848 Worm.Novarg.A.ZIP_A
1050849 Worm.Novarg.A.ZIP_B
Contact Information
For further information about this advisory, NetKeeper and other Information Security services, please contact:
Johnson Lu / Abroad Sales Dept. Director
Tel: +886-3-578-7068#8800
Mobile: +886-952-389-689
Fax: +886-3-563-5659
Email: partner@broadweb.com