Novarg: New Worm - New Epidemic
27 Jan 2004
Kaspersky Lab, a leading information security software developer, has detected a dangerous new Internet worm, Novarg (also known as Mydoom). In just a few hours this malicious program caused a global epidemic, infecting approximately 300,000 computers throughout the world. This incident is the most serious outbreak so far this year, and shows every sign of breaking the replication records set in 2003.
Such an explosion in malicious program activity undoubtedly points to serious preparations made by virus writers. These included the creation of a network of infected computers; when the number of computers in the network reached critical mass, a command was sent to mail out Novarg. This is the same approach used previously by the email worm Sobig.F.
Detailed analysis of the geographic spread of the worm leads to the assumption that Novarg was created in Russia.
Prevention, diagnosis and protection
Novarg spreads via the Internet in two ways: via email and via the KaZaA file-sharing network.
Infected messages have a random, falsified sender's address, 8 possible message headers, 18 possible attachment names and 5 possible extensions to attached files. Additionally, the worm spreads in messages where the message header, message body and attachment name contain a nonsensical collection of random characters. Such variability makes it far more difficult for users to independently identify infected messages.
Novarg appears in the KaZaA network under various names, including winamp5, icq2004-final and with various extensions, such as bat, exe, scr, pif and others.
If a user is thoughtless enough to launch the infected file, whether received by email or downloaded from the KaZaA network, Novarg initiates its installation procedures and propagation routines.
Immediately after being launched Novarg opens a Notepad window which shows a series of random characters.
At the same time Novarg creates two files in the Windows folder: taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan program to remotely control the infected machine). The worm registers these files in the system registry auto run key to ensure that the malicious program is activated every time the computer is restarted.
Novarg then initiates its propagation routine. The worm scans files on the disk (those with extensions such as htm, wab, txt and others) for email addresses and, unbeknownst to the user, sends infected emails to these addresses. In addition, Novarg checks whether or not the infected machine is connected to the KaZaA network: if a connection is open, the worm copies itself into the public folder for file exchange.
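The dropped files, auto-run entry and KaZaA file names described above can be turned into a simple host triage check. The following is an added example written for this page, not code from Kaspersky Lab or from the worm itself; the directory listing and auto-run entries are constructed snapshots passed in as plain Python values rather than read from a live registry.

```python
"""Host triage for the Novarg/Mydoom artifacts described above (added example)."""
from typing import Dict, List

# Files the page says the worm drops into the Windows folder.
NOVARG_FILES = {"taskmon.exe", "shimgapi.dll"}
# Names and extensions the page lists for copies placed on the KaZaA network.
KAZAA_NAMES = {"winamp5", "icq2004-final"}
RISKY_EXTENSIONS = {"bat", "exe", "scr", "pif"}


def triage_host(windows_dir: List[str], autorun: Dict[str, str]) -> Dict[str, List[str]]:
    """Correlate file names in the Windows folder with auto-run entries.

    windows_dir: file names found in the Windows folder (constructed input).
    autorun: value name -> command line, as read from the auto-run key.
    """
    dropped = sorted(n.lower() for n in windows_dir if n.lower() in NOVARG_FILES)
    persisted = sorted(
        f"{value}={cmd}" for value, cmd in autorun.items()
        if any(artifact in cmd.lower() for artifact in NOVARG_FILES)
    )
    return {"dropped_files": dropped, "autorun_refs": persisted}


def is_novarg_host(report: Dict[str, List[str]]) -> bool:
    # A file name alone is weak evidence; require the auto-run reference as well.
    return bool(report["dropped_files"]) and bool(report["autorun_refs"])


def is_suspicious_share_name(filename: str) -> bool:
    """True for a shared file that uses one of the listed names with an executable extension."""
    base, dot, ext = filename.lower().rpartition(".")
    return dot == "." and base in KAZAA_NAMES and ext in RISKY_EXTENSIONS


if __name__ == "__main__":
    # Constructed snapshot of an infected host; values are illustrative only.
    snapshot_files = ["explorer.exe", "TASKMON.EXE", "shimgapi.dll", "win.ini"]
    snapshot_autorun = {"TaskMon": r"C:\WINDOWS\taskmon.exe", "SysTray": "systray.exe"}
    report = triage_host(snapshot_files, snapshot_autorun)
    print(report, "-> infected:", is_novarg_host(report))
    for name in ["winamp5.exe", "icq2004-final.scr", "winamp5.mp3", "readme.txt"]:
        print(name, "->", is_suspicious_share_name(name))
```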
Novarg carries a very dangerous payload. Firstly, the worm installs a proxy server on the infected computer. Malefactors can then use this module in spamming or in mass-mailing new versions of the malicious program.
Secondly, Novarg installs a backdoor (a utility for unauthorized remote control) thus allowing the virus writer to control the infected machine. The backdoor makes it possible to steal, change or delete data, install third-party programs and so forth.
Thirdly, Novarg contains an inbuilt module for organizing a DoS attack on www.sco.com. This module will be activated between 1st February and 12th February 2004. During this period all infected machines will query this site, which may cause it to crash.
"The danger of the integration of virus and spam technologies to create united, dedicated networks for cyber-criminals is becoming a reality. We have detected two malicious programs within the first two days of this week that illustrate this trend," comments Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Lab. "This problem may well signal a new era in computer virology in the near future, an era marked by even more frequent and serious outbreaks."
Kaspersky® anti-virus databases have already been updated with protection against Novarg.
A detailed description of Novarg is available in the Kaspersky Virus Encyclopedia.