An explosion in malicious program activity undoubtedly points to serious preparations made by virus writers. These included the creation of a network of infected computers; when the number of computers in the network reached critical mass, a command was sent to mail out Novarg. This is the same approach previously used by the email worm Sobig.F.
Detailed analysis of the geographic spread of the worm leads to the assumption that Novarg was created in Russia.
Prevention, diagnosis and protection
Novarg spreads via the Internet in two ways: via email and via the KaZaA file-sharing network.
Infected messages have a random, falsified sender's address, 8 possible message headers, 18 possible attachment names and 5 possible extensions to attached files. Additionally, the worm spreads in messages where the message header, message body and attachment name contain a nonsensical collection of random characters. Such variability makes it far more difficult for users to independently identify infected messages.
Novarg appears in the KaZaA network under various names, including "winamp5", "icq2004-final" and with various extensions, such as bat, exe, scr, pif and others.
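One way a mail gateway could triage incoming messages for the traits listed above (executable attachment, random-character subject and body). This is an added example, not code from the original article or from Kaspersky Labs; the extension set reuses the KaZaA list given above (assumed to cover the mail attachments too) and the gibberish thresholds are assumptions.

```python
import email
import re
from email import policy

# Extension list taken from the KaZaA names above; assumed to apply to mail as well.
RISKY_EXTENSIONS = {"bat", "exe", "scr", "pif"}
# Assumed heuristic for a "nonsensical collection of random characters":
# a long consonant run or almost no vowels. Thresholds are not from the article.
GIBBERISH_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)

def looks_random(text: str) -> bool:
    """True when a header or body fragment looks like random characters."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2 or bool(GIBBERISH_RUN.search(text))

def triage(raw_message: str) -> list[str]:
    """Return the Novarg-style traits found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if looks_random(msg.get("Subject", "")):
        findings.append("random-looking subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and looks_random(body.get_content()):
        findings.append("random-looking body")
    return findings

# Constructed sample message mimicking the random-character variant described above.
SAMPLE = """\
From: xq9fd@example.invalid
To: user@example.invalid
Subject: gzxkvbwtq
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hzqwrtpl kvmnbxd
--b1
Content-Type: application/octet-stream; name="document.scr"
Content-Disposition: attachment; filename="document.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```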
If a user is thoughtless enough to launch the infected file, whether it arrived by email or was downloaded from the KaZaA network, Novarg initiates its installation procedures and propagation routines.
Immediately after being launched Novarg opens a Notepad window which shows a series of random characters.
At the same time Novarg creates two files in the Windows folder: taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan program for remotely controlling the infected machine). The worm registers these files in the system registry auto-run key to ensure that the malicious program is activated every time the computer is restarted.
Novarg then initiates its propagation routine. The worm scans the disk for email addresses (files with extensions such as htm, wab, txt and others) and, unbeknownst to the user, sends infected emails to these addresses. In addition, Novarg checks whether or not the infected machine is connected to the KaZaA network: if a connection is open, the worm copies itself into the public folder for file exchange.
Novarg carries a very dangerous payload. Firstly, the worm installs a proxy server on the infected computer. Malefactors can then use this module in spamming or in mass-mailing new versions of the malicious program.
Secondly, Novarg installs a backdoor (a utility for unauthorized remote control) thus allowing the virus writer to control the infected machine. The backdoor makes it possible to steal, change or delete data, install third-party programs and so forth.
Thirdly, Novarg contains an inbuilt module for organizing a DoS attack on www.sco.com. This module will be activated between 1st February and 12th February 2004. During this period all infected machines will query this site, which may cause it to crash.
"The danger of the integration of virus and spam technologies to create united, dedicated networks for cyber-criminals is becoming a reality. We have detected two malicious programs within the first two days of this week that illustrate this trend," comments Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Labs. "This problem may well signal a new era in computer virology in the near future, an era marked by even more frequent and serious outbreaks."