Mass-mailing worm (W32.Novarg.A@mm) on the loose - 1-26-04!
This question was answered on January 27, 2004. Much of the information contained herein may have changed since posting.
W32.Novarg.A@mm is a level 4 mass-mailing worm that has hit the net like a ton of bricks. It generally arrives as an e-mail attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. If you open an infected attachment, a backdoor program is installed on the system that allows a remote attacker to access and make use of the computer.
The email message has the following characteristics:
From: Usually a spoofed 'from' address, meaning that the address shown is not the actual sender.
DO NOT BLAME THE SENDER, AS THEY ARE AN INNOCENT PARTY TO THE WORM!
Subject: (Generally one of the following)
Mail Delivery System
Mail Transaction Failed
Message: (Generally, one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (Generally one of the following)
This worm also copies itself to Kazaa download folders as one of the following files in an attempt to spread via the popular file sharing network:
with a file extension of:
This worm is designed to attack all current versions of Windows, but does not affect DOS, Linux, Macintosh, OS/2, UNIX, or Windows 3.x based systems.
Get complete instructions on protection and removal from Symantec at:
http://www.sarc.com/avcenter/venc/data/[email protected]
Note: The attachment may have two suffixes. If so, the first suffix will be one of the following:
.htm .txt .doc
The worm will always end with one of the following suffixes:
.pif .scr .exe .cmd .bat .zip
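The subject lines and suffix rules above can be turned into a simple mail-filter check. The following is an added example, not part of the original post or of any vendor tool: the sample message, the attachment name report.txt.scr, and the quarantine policy are constructed assumptions, and only the subject and suffix lists come from the text above.

```python
from email import message_from_string

# Indicators copied from the advisory text; the policy below is an assumption.
SUBJECTS = {"mail delivery system", "mail transaction failed"}
DECOY_SUFFIXES = {"htm", "txt", "doc"}
FINAL_SUFFIXES = {"pif", "scr", "exe", "cmd", "bat", "zip"}

# Constructed sample message (not a captured one); the filename is made up.
SAMPLE = """\
From: someone@example.com
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt.scr"

placeholder
--BOUND--
"""


def classify_attachment(filename):
    """Return 'double-suffix', 'risky-suffix' or 'ok' for an attachment name."""
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    if len(parts) < 2 or parts[-1] not in FINAL_SUFFIXES:
        return "ok"
    if len(parts) == 3 and parts[-2] in DECOY_SUFFIXES:
        return "double-suffix"
    return "risky-suffix"


def inspect_message(raw):
    """Parse a raw RFC 822 message and report which indicators it matches."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() in SUBJECTS
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_attachment(name) if name else "ok"
        if verdict != "ok":
            hits.append((name, verdict))
    # Assumed policy: double suffix alone, or listed subject plus listed suffix.
    quarantine = any(v == "double-suffix" for _, v in hits) or (subject_hit and bool(hits))
    return {"subject_hit": subject_hit, "attachments": hits, "quarantine": quarantine}
```

A lone .zip or .exe attachment is reported as risky-suffix but is not quarantined unless the subject also matches, since those suffixes are common in legitimate mail.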
About the author
Posted by Michal of Data Doctors on January 27, 2004