View Full Version : Virus warning (Novarg/Mydoom)


Geoff
26-01-2004, 18:00
[Original post removed]

See ncrossland's post below which was in reply to my initial reports of receiving a spoof e-mail from someone pretending to be Sheffield Forum.

ncrossland
26-01-2004, 20:27
Sounds like a virus? What was the attachment's filename?

Sounds a bit like:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.torvel.b@mm.html

Doesn't sound like someone (with much intelligence) doing it maliciously - why would they send it to the forum owner, who would know better than anyone his password WASN'T about to expire!

Geoff
26-01-2004, 23:36
Hmm, I've been contacted by someone who I share an office with and he has a similar problem. However, they both appear to be slightly more than just a trojan/virus - but I guess that could still be an option.

Thanks for the link Nick, I took a look at the extensions list and also in my virus vault, but I couldn't see any file names that match. I will let you know what I discover. I'm guessing that no-one else has received it?

Martin_s
26-01-2004, 23:51
If it's any consolation there's a spate of viruses and spam emails that are related that are doing the rounds..

At one point I had 3 of my domains being spammed from various different sources making it difficult to trace and stop.

Geoff
27-01-2004, 00:58
I have the feeling this is the start of something big. Tonight I've been getting 10s of e-mails coming in to my various different e-mail boxes (across different ISPs etc). A lot of them seem to have virus infected attachments which are luckily being zapped by a combination of SpamAssassin and my virus e-mail scanner.

Martin_s
27-01-2004, 01:01
You're describing what I've had in the past... not a lot you can do... it sounds like the forum/your email address has been pulled out of an address book or at random from the web then used as a spoofed sender...

I've had about 400 of these on various domains for 2 weeks up until about a week ago... It's a pain but until people practice safe PC and email policy it's a problem that won't go away... you'll probably see it stop in about a week if that.

Phanerothyme
27-01-2004, 01:02
I am getting this one a lot now:

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

It's gone from less than a hundred sites to over a thousand in under an hour.

And that's just those desktops using Symantec Anti Virus.

Martin_s
27-01-2004, 01:03
Hmm.. glad you mentioned this... I've just run a manual liveupdate on my Norton and there was an update waiting for me..

So much for autoupdate features... :rolleyes:

Phanerothyme
27-01-2004, 01:08
This can got infected but is ok now. Suspect hh.exe may be infected but NAV not flagging anything yet.

I also had autoupdate enabled. If they were able to send an emergency ping for running copies to update, they could nip these things in the bud.

Of course it's all a conspiracy of antivirus companies having viruses written on the sly to outwit their competitors' products.

Score one for the sophos virus engineers

(ok ok it's a worm not a virus).

Geoff
27-01-2004, 01:17
Ack... 53 minutes ago this story went online:

Just when you thought it was safe to open email again, the first serious computer virus outbreak of 2004 is ripping through the Internet at record pace. The new worm is called both Mydoom and Novarg. It's a variant of a familiar foe, the Mimail worm that wreaked havoc in 2003. Already, Central Command's Emergency Virus Response Team confirms more than 3,800 infections of Worm/Mydoom less than 45 minutes after the worm's initial discovery. Network Associates reports 19,500 email messages bearing the virus from 3,400 unique Internet addresses. Emphasizing the seriousness of the virus, Symantec has rated Mydoom as a 4 out of 5, or "Severe" - more (http://www.techtv.com/news/securityalert/story/0,24195,3602245,00.html)

Update...
Having read a few "breaking" articles about this virus, the strange e-mail I received seems smarter than what this virus is capable of. For example, it not only appeared to be from Sheffield Forum, but it also includes the web-site address in a few places and seems well targeted towards a forum type of site - i.e. warning people their usernames were due to expire.

Hmm... all very confusing.

Phanerothyme
27-01-2004, 01:57
Originally posted by Geoff
Update...
Having read a few "breaking" articles about this virus, the strange e-mail I received seems smarter than what this virus is capable of. For example, it not only appeared to be from Sheffield Forum, but it also includes the web-site address in a few places and seems well targeted towards a forum type of site - i.e. warning people their usernames were due to expire.

Hmm... all very confusing.

boo geoff! I broke the story and then my post went walkabout.
:)

Geoff
27-01-2004, 02:02
Well my first post was at 6.50pm so I could claim to be the first to break the news - albeit in a slightly confused way!

FYI, some posts were removed from this thread because Phan started his own topic rather than notice the one already online... tut tut... j/k :P

If you want credit then go ahead, lol :)

Night all and hope your e-mails aren't too bad in the morning, I know I've just spent the last 2 1/2 hours trying to stem the flow :(

ncrossland
27-01-2004, 07:13
It is the latest in the line of viruses that use 'social engineering' to get people to part with their personal and/or credit card details.

I seem to be getting several copies of this a day at the moment:

Dear PayPal member,

We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.

It doesn't seem beyond the realms of possibility that a virus writer could scan your inbox looking not only for e-mail addresses to spread to, but also looking for the distinctive notification e-mails sent by forums such as vBulletin. For example any containing the words:

* has just replied to a thread you have subscribed to entitled *

It could then pull out the URL of the forum (which you saw in the subject line), and send it to others (with a good chance that some of your contacts will frequent the same forums) and even send it to yourself (not saying you are infected Geoff!) knowing that it will appear to be from a trusted site.

Martin_s, reminds me of last summer when the SoBig virus was, er so big:

http://www.nickcrossland.co.uk/stuff/sobig.gif

Originally posted by Martin_s
Hmm.. glad you mentioned this... I've just run a manual liveupdate on my Norton and there was an update waiting for me..

So much for autoupdate features...
I think Norton only checks for updates when you first connect (mine just updated when I switched on today). Can you imagine the server load if everyone was pinged and prompted to download their update at the same time!
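
A defender-side illustration of the lure ncrossland quotes above, added here and not part of any post in the thread: a small Python filter in the spirit of the SpamAssassin checks Geoff mentions, which flags a message carrying both an executable-type attachment and "account about to expire" wording, while letting a plain vBulletin reply notification through. The sample messages, sender addresses, attachment filename and extension list are all constructed for the example.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Attachment extensions worth quarantining when paired with a lure (assumed list).
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".cmd", ".bat", ".zip"}

# Lure phrases taken from the PayPal text quoted above and the "username about
# to expire" theme of the forum-branded message; matched case-insensitively.
LURE_PATTERNS = [
    r"account (?:is about to|will) (?:be )?(?:expire|suspend)",
    r"run the attached",
    r"(?:username|password)s? .{0,40}expire",
]

def build_message(subject: str, body: str, attachment: Optional[str] = None) -> bytes:
    """Builds a constructed sample message (not a real capture) as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.org"  # constructed sender
    msg["To"] = "member@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Stand-in payload: a few bytes carrying the suspicious filename.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

def score_message(raw: bytes) -> dict:
    """Returns risky attachment names, the lure patterns hit, and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject']}\n{body_part.get_content() if body_part is not None else ''}"
    risky = [
        name for part in msg.iter_attachments()
        if (name := part.get_filename())
        and os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS
    ]
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.I | re.S)]
    if risky and lures:
        verdict = "quarantine"  # executable bait plus urgency text: mass-mailer lure
    elif risky or lures:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"risky_attachments": risky, "lure_hits": lures, "verdict": verdict}

if __name__ == "__main__":
    lure = build_message("Your account is about to expire",
                         "Dear PayPal member, your account is about to be expired in next five "
                         "business days. Run the attached application to this email.", "update.pif")
    notice = build_message("Thread reply", "Geoff has just replied to a thread you have subscribed to entitled Virus warning.")
    print(score_message(lure)["verdict"], score_message(notice)["verdict"])  # quarantine clean
```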

ncrossland
27-01-2004, 07:18
Originally posted by Geoff
Hmm, I've been contacted by someone who I share an office with and he has a similar problem. However, they both appear to be slightly more than just a trojan/virus - but I guess that could still be an option.

Thanks for the link Nick, I took a look at the extensions list and also in my virus vault, but I couldn't see any file names that match. I will let you know what I discover. I'm guessing that no-one else has received it?

Norton have a 'virus identification' service - there is some software (which may come with Norton AntiVirus?) or you can download from their site. It securely uploads the infected e-mail to them, and they will analyse it and either tell you what virus it is, or investigate if it is a new one.

If so, they should name it the 'SheffieldForum.Virus'
;)

Geoff
27-01-2004, 12:29
Originally posted by ncrossland
Martin_s, reminds me of last summer when the SoBig virus was, er so big: http://www.nickcrossland.co.uk/stuff/sobig.gif

BBC News: Mydoom spreading as fast as Sobig - The latest e-mail computer virus could be worse than last year's Sobig worm which infected millions of computers - more (http://news.bbc.co.uk/1/hi/technology/3432639.stm)

I don't know about anyone else who has multiple e-mail domains, but I'm still getting a hammering. I've disabled 'catch all' where possible and this has helped to reduce it, but even so... :o

Martin_s
27-01-2004, 12:41
Originally posted by ncrossland
I think Norton only checks for updates when you first connect (mine just updated when I switched on today). Can you imagine the server load if everyone was pinged and prompted to download their update at the same time!
Nah... if it's set up right it will check at regular intervals and then grabs the update if it's available..

Given the info' people have provided though it was something that Geoff spotted right at the very beginning and just at the point when all the AV vendors would have been jumping to get an updated definition file out... so it was probably just a case of timing.

Currently getting swamped by these damned things now though... :mad:

rarstar
27-01-2004, 13:30
Any SHU students on here?

Has the network gone down or something?
There's no email or website.

nomme
27-01-2004, 13:38
There are several SHU students here.
You're right about their web server.
I'm guessing this virus that's doing the rounds may have knackered some of their services.

Nomme

rarstar
27-01-2004, 13:46
Yep, I've a mate who reckons it's the mydoom virus - they are having trouble with it where he works.

TonyG
27-01-2004, 15:50
We have a pretty good firewall here at work and I have still had about 10 emails with (probably) virus attachments get through to me today. Regular email seems to be really slow today, maybe the virus is just slowing everything down.

Phanerothyme
27-01-2004, 16:16
The removal instructions on Symantec's website have been updated recently (3pm)

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Requires a safe mode restart and the deletion of C:\%system%\shimgapi.dll plus some modification of registry keys.

shimgapi.dll is run by EXPLORER.exe so it cannot be shut down under normal circumstances, hence the safe mode bit.

*sigh* I wish they had told me this last night, although my host is now purging mailboxes.

Still ZA Pro did stop it from using the local mailserver or its own SMTP to send any more outgoing mails.

RPG
27-01-2004, 16:17
Originally posted by rarstar
Any SHU students on here?

Has the network gone down or something?
There's no email or website.

SHU's power has gone down, AFAIK it's still not back up yet.

Phanerothyme
27-01-2004, 16:18
Hmm, power cut on Crescent Road too

Fletch
27-01-2004, 17:51
so what does this virus do then??

sorry I'm not all up to date on the comp front and am a bit thick :( :confused:

Phanerothyme
27-01-2004, 19:11
Originally posted by Fletch
so what does this virus do then??

sorry im not all up to date on the comp front and am a bit thick :( :confused:

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

RPG
27-01-2004, 19:18
Thing is, it's another "open my attachment" email; if you open them without AV software then really it's your own fault if you get infected.

Phanerothyme
28-01-2004, 23:18
The only reason I opened this file, even though I knew it was a virus, was that it had not been picked up by NAV on mail scanning or a direct scan of the file.

Even after infection NAV wouldn't pick it up - 'twas too new.

My smug sophos running friend told me (after I sent him a copy of the infected email) that sophos picked it up straight away.

But I was pretty sanguine in that, apart from 7GB of newly ripped music, I have invested little in this new machine so far, so I went ahead and opened it.

And I was able to warn lots of people to back up their mail servers and avoid getting swamped.

[edit]
Symantec now have a removal tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html

Geoff
29-01-2004, 14:38
Security firms are warning that a new strain of the Mydoom virus could spread more widely than its predecessor.
They fear that the thousands of PCs infected by the first Mydoom bug are being used to spread the new variant. The second strain, called Mydoom.b, is programmed to attack the websites of Microsoft and software firm SCO. Mydoom is now ranked as one of the largest virus outbreaks ever and at its height made up 30% of all e-mail traffic, according to anti-virus firms... more (http://news.bbc.co.uk/1/hi/technology/3439959.stm)

Time to update the virus definitions again ;)

Siān
29-01-2004, 15:04
I went off to update my virus definitions after reading this thread (not leaving it to live update). Since doing that I've had a complete nightmare :mad:

When I rebooted it told me I had no virus definitions at all and the pc kept freezing then crashing (I do HATE that blue screen). So I uninstalled Norton System Works and then reinstalled it and it all seemed fine - the virus definitions were uploaded with no problems.

Only it carried on freezing and crashing. Computer illiterate as I am, I worked out that it'd only been a prob since I tried to update the virus definitions, so I turned off live update and I've had no more problems.

BUT

I can't keep my virus definitions up to date.

I did a search on Google to see if anyone else was having similar problems and it seems I'm not the only one having problems. I took the advice on one site to go to the ASA on the Symantec site and it's telling me I have an unsupported version of System works and Virus definitions. Now I had been waiting for them to notify me it was time to renew my subscription (like last year) but on checking the LiveUpdate thing on System Works it said I had 366 days left so I assumed I'd paid for a 2 yr subscription without realising ...

Obviously that's not the case (although I don't get how I was able to reinstall the virus definitions using Live Update after I'd reinstalled Systems Works if I needed to renew my subs, but then I'm probably being thick here) and I am loath to renew with Symantec now before finding out what other people use/recommend.

I'd be grateful if anyone had any advice to offer on this (I have Norton System Works on Windows 98 atm) :confused: (Partic interested in Sophos Phan but would like to know more)

Jayne
29-01-2004, 15:36
I once nearly killed my computer by installing two different virus killing software packages (how was I to know better) - apparently they think each other is a virus - then blue screen of death.

Don't do it!

Siān
29-01-2004, 15:46
Just one that works would do me :rolleyes:

Geoff
29-01-2004, 16:20
Norton is one of the best, but you would be better off buying Norton AntiVirus 2003 or 2004 - the standalone software. It will cost you around £30-35 but this gives you a year's worth of free updates. After that it costs about £10 per year to keep it up-to-date.

Someone I know had a similar problem with LiveUpdate crashing their PC. When you boot up it basically tries to connect to the internet and see if there is an update. This seems a little buggy (she's on Windows Millennium) and causes the PC to crash.

Anyway, try the full Norton package or just use a free alternative like the AVG one I use ;)

Siān
30-01-2004, 12:20
ARGH!

Having done various Google searches I keep coming back to links about the problem not being a Symantec problem but something to do with VeriSign certs running out and the problem not having been solved.

VeriSign (http://www.verisign.com/corporate/news/2004/pr_20040109.html?sl=070807)

If this is the case I don't want to buy another version of NAV cos it's still saying I have 364 days (today) left and it's not asking me to renew my subscription (and it did do this last year)

I am on the verge of uninstalling Norton System Works totally and installing the free anti virus thing you suggested Geoff. I just want to know if I'm misunderstanding that link because I'm not entirely sure if they mean they are working on the problem (and there is therefore nothing I can do) or if I should be doing something (not sure what mind) to get the new cert :confused:

Skatiechik
30-01-2004, 12:58
Why oh Why do people still pay for anti virus software, when there is free software out there that does the same job if not better.


AVG Antivirus Software is free, with free updates AVG (http://www.grisoft.com/us/us_index.php)

Phanerothyme
30-01-2004, 13:01
well they have a free version, but AVG 7 is a paid for product.

Lack of scheduling makes it a bit hit and miss IMO

Geoff
30-01-2004, 13:09
Scheduling seems to work fine for me on the free version :) And it can do scheduled updates too. However, what we should really focus on is how to fix Sian's problem. If there is a year left then it would be best sticking with Norton - at least for value-for-money reasons.

Siān
30-01-2004, 13:22
I THINK it's sorted - I downloaded the thingy it suggested and now I have the up-to-date VeriSign cert and a pc that doesn't freeze or crash when I try doing live update...

I won't feel totally convinced until there's a new virus definition available to download so I can test this out but I'm going to leave it alone for a few days now I think :-/

Sorry for going horribly off topic Geoff :blush:

Siān
30-01-2004, 15:29
I had a horrible feeling all wasn't right with NAV so I uninstalled it and have installed AVG as you suggested Geoff. It's in the middle of a scan but it says it's found a virus (which obviously NAV didn't pick up, grrrr) so thank you :)