January 26, 2004 5:58 PM PST

New virus infects PCs, whacks SCO

A mass-mailing virus that quickly spread through the Internet on Monday planted a file that will instruct infected computers to attack the SCO Group's Web server with a flood of data on Feb. 1.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."




"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.


The company's Web site was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.




The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. The virus camouflages itself, using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at e-mail service provider Postini.


"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from e-mails can stop the program from spreading.
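A sketch of the attachment stripping described above, as an added example that is not part of the original article or any vendor's product. The extension blocklist, the `MZ` header check, and the file names and addresses in the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist; a real gateway would tune this to local policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
NOTICE = "[attachment removed by mail gateway: executable content]\n"

def is_executable(part):
    """Flag a MIME part by file name or, for attachments, by content."""
    name = (part.get_filename() or "").strip().lower()
    if name.endswith(BLOCKED_EXTENSIONS):
        return True
    if not name and part.get_content_disposition() != "attachment":
        return False  # ordinary message body, not an attachment
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"  # DOS/PE header: catches renamed binaries

def strip_executables(raw):
    """Return (cleaned message bytes, names of removed attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart() or not is_executable(part):
            continue
        removed.append(part.get_filename() or "(unnamed)")
        part.set_content(NOTICE)  # replaces payload and Content-* headers
    return msg.as_bytes(), removed

def sample_message():
    """Constructed test message; file names and payloads are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message contains Unicode characters and has "
                    "been sent as a binary attachment.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 32  # header bytes only, inert
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="document.scr")
    msg.add_attachment("meeting at 10\n", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_executables(sample_message())
    print("removed:", removed)
```

The content check matters because a name-only filter passes a binary that has been given a harmless-looking extension, as `report.txt` is here.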


2 comments
Win32.Nuvens.AK (NEW VIRUS)
by ww2vet54 September 28, 2006 9:44 PM PDT
Yesterday I was working on line and I decided to run a VScan. I use Zone 2006 Suite. So I take a break and come back after the scan. I see New! High Risk! Can Not Be Cleaned! New! Unknown!...
(Win32.Nuvens.AK ) so it is identified. So I hop on line to search it out. "NOTHING" Anywhere. No McAfee or Norton Stinger, Nothing at PC Cillin (Trend), Nothing at AVG or Bit Defender sites...
I figure maybe a false alarm, so I uninstall my zone and load up PC Cillin. Run the scan and Bingo. It also flags this creature. No, not a false alarm. I immediately back up my files and spend hours doing a manual search 1 kernel at a time, Nothing! The PC starts to slow. I try a re-boot in safe mode to do a restore. The restore will not complete. Luckily I have a back up hard drive so I switch out and I'm o.k. I thought I would provide this info so the pros could get at it. I'm wondering if this is the same one I see blogged here?
Marketing HiJack (Virus)
by Jack Moran October 4, 2006 9:17 AM PDT
I recently went to a legitimate webpage only to find that it had been hacked, and a "virus" was dumped on me.

The webpage downloaded a bunch of crap to my system that causes my browser to redirect based on certain key words in the webpage I am loading (my guess). It also pops up a marketing message and suggestions that I go to a page called www.dxcdirect.com

I cannot find an antivirus software to counter this or that will even find the culprit routines!

Any suggestions?