Support News

New Virus: W32.Novarg.A@mm and/or MyDoom Virus detected - 1/26/2004

Posted: 2004-01-26 12:29:48   Expiration: 2004-01-30 19:00:00

Disclaimer: This news item was originally posted on 2004-01-26 12:29:48. Its content may no longer be timely or accurate.

There is a new virus making the rounds. "W32.Novarg.A@mm", also known as "mydoom", has infected many computers. According to Norton, the risk assessment is high, and several of our peer institutions are also dealing with this. For the removal tool and directions, see the following:

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html

MyDoom status as of 1/28

DoIT has confirmed only one message containing the MyDoom virus that came through WiscMail, at 8:30 AM on Monday 1/26, before any of the virus filters were available.

The most common problem at the moment is that WiscMail customers are seeing already-cleaned messages arriving in their mailboxes and are concerned that they are still infected when they are not. The subject lines in the messages these users are receiving are:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

By design, the WiscMail anti-virus engine replaces the infected attachment (named doc.bat, document.zip, message.zip, readme.zip, text.pif, hello.cmd, body.scr, test.htm.pif, data.txt.exe, or file.scr) with WiscMail's .txt attachment that says:

-----------
This is an automated message please do not reply.
The following virus was found Found the W32/Mydoom@MM virus !!!.
The original document has been removed from this message.
The document was removed because
Possible Malicious Email Content Detected

For more information, you can view the DoIT Help Desk web page at:

http://helpdesk.doit.wisc.edu/page.php?id=281

-----------

Log analysis has found Madison campus users who are infected and are mailing infected attachments. EVERYONE needs to be reminded that the desktop is their primary line of defense. They need to update their local copy of antivirus software.
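To tell an already-cleaned message from one that still carries a listed attachment, the following Python sketch applies the replacement behaviour described above. It is an added example, not DoIT's or WiscMail's code; the function names, the sample messages, the file name `notice.txt`, and matching the notice by its virus-name string are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage

# Attachment names listed in this notice (compared case-insensitively).
MYDOOM_NAMES = {"doc.bat", "document.zip", "message.zip", "readme.zip",
                "text.pif", "hello.cmd", "body.scr", "test.htm.pif",
                "data.txt.exe", "file.scr"}
# Marker string taken from the replacement notice quoted above (assumed stable).
NOTICE_MARKER = b"W32/Mydoom@MM"

def classify(raw):
    """Return 'suspect', 'cleaned' or 'clean' for one raw message."""
    msg = message_from_string(raw)
    cleaned = False
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # body text or multipart container, not an attachment
        if name in MYDOOM_NAMES:
            return "suspect"  # a listed attachment is still present
        if name.endswith(".txt"):
            payload = part.get_payload(decode=True) or b""
            if NOTICE_MARKER in payload:
                cleaned = True  # the filter already swapped the attachment
    return "cleaned" if cleaned else "clean"

def build_sample(filename, data):
    """Build a constructed sample message with a single attachment."""
    m = EmailMessage()
    m["Subject"] = "Mail Delivery System"
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m.set_content("constructed sample body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

# Constructed samples: placeholder bytes only, no real malware content.
INFECTED = build_sample("Document.ZIP", b"constructed placeholder bytes")
CLEANED = build_sample(
    "notice.txt",  # assumed name; the notice only says ".txt attachment"
    b"The following virus was found Found the W32/Mydoom@MM virus !!!.")
PLAIN = build_sample("minutes.txt", b"constructed meeting notes")

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED), ("cleaned", CLEANED),
                       ("plain", PLAIN)):
        print(label, "->", classify(raw))
```

A message is reported as `suspect` whenever a listed name is present, even if the notice text also appears in another attachment.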

As always, the best advice is to not open files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash. Be careful about opening suspicious email attachments from people you know, as well. It appears this latest virus uses address books to forward infected messages.

For details on what to do for any viruses or other vulnerabilities, see:

http://www.doit.wisc.edu/security/tips.asp

-- DoIT Help Desk