
Virus sent from CMMODS warning



I just got an e-mail from a forum member saying they got one too but it came with a message that said the "Cozog.com team" had suspended his account because of unauthorized access to the cozog.com server.

Very strange. Heads up everyone.


The W32.Beagle.M@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks by copying itself to folders that contain "shar" in their names. W32.Beagle.M@mm also infects files with the EXE extension.

The email has the following characteristics:

From: Spoofed to appear as though it is coming from one of the following addresses at the recipient's domain:

* management

* administration

* staff

* noreply

* support

Subject: One of the following:

* Account notify

* E-mail account disabling warning.

* E-mail account security warning.

* E-mail technical support message.

* E-mail technical support warning.

* E-mail warning

* Email account utilization warning.

* Email report

* Encrypted document

* Fax Message Received

* Forum notify

* Hidden message

* Important notify

* Important notify about your e-mail account.

* Incoming message

* Notify about using the e-mail account.

* Notify about your e-mail account utilization.

* Notify from e-mail technical support.

* Protected message

* RE: Protected message

* RE: Text message

* Re: Document

* Re: Hello

* Re: Hi

* Re: Incoming Fax

* Re: Incoming Message

* Re: Msg reply

* Re: Thank you!

* Re: Thanks :)

* Re: Yahoo!

* Request response

* Site changes

Attachment: A randomly named .exe file, stored inside a .zip file or a .rar file, or a .pif file. The .zip and .rar files may be password-protected. The file name, without the extension, is one of the following:

* Attach

* Details

* Document

* Encrypted

* Gift

* Info

* Information

* Message

* MoreInfo

* Readme

* Text

* TextDocument

* details

* first_part

* pub_document

* text_document

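A triage check built from the indicators in the writeup quoted above (the role local-parts spoofed at the recipient's own domain, the subject lines, and the attachment name stems and extensions). This is an added example, not code from the thread or from Symantec: the indicator sets are copied from the quoted list, while the scoring threshold, the sample messages and the hypothetical example.com / other.org addresses are constructed here. The subject shown in the forum as "Re: Thanks smile.gif" is the writeup's "Re: Thanks :)" after the board replaced the emoticon.

```python
"""Header/attachment triage for W32.Beagle.M@mm-style mail.

Added example: the indicator sets are copied from the Symantec writeup
quoted in the thread; the scoring threshold and the sample messages are
constructed here and are not from the original post."""
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Local-parts the worm spoofs at the recipient's own domain.
SPOOFED_LOCALPARTS = {"management", "administration", "staff", "noreply", "support"}

# Subject lines from the writeup, lower-cased for comparison.  "Re: Thanks :)"
# is the one the forum rendered as "Re: Thanks smile.gif".
SUBJECTS = {s.lower() for s in [
    "Account notify", "E-mail account disabling warning.",
    "E-mail account security warning.", "E-mail technical support message.",
    "E-mail technical support warning.", "E-mail warning",
    "Email account utilization warning.", "Email report", "Encrypted document",
    "Fax Message Received", "Forum notify", "Hidden message", "Important notify",
    "Important notify about your e-mail account.", "Incoming message",
    "Notify about using the e-mail account.",
    "Notify about your e-mail account utilization.",
    "Notify from e-mail technical support.", "Protected message",
    "RE: Protected message", "RE: Text message", "Re: Document", "Re: Hello",
    "Re: Hi", "Re: Incoming Fax", "Re: Incoming Message", "Re: Msg reply",
    "Re: Thank you!", "Re: Thanks :)", "Re: Yahoo!", "Request response",
    "Site changes",
]}

# Attachment name stems and the extensions the worm ships them with.
STEMS = {"attach", "details", "document", "encrypted", "gift", "info",
         "information", "message", "moreinfo", "readme", "text",
         "textdocument", "first_part", "pub_document", "text_document"}
DROPPER_EXTS = {".exe", ".pif", ".zip", ".rar"}


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(msg):
    """Return the list of Beagle.M indicators a message matches, in
    header order: From, then Subject, then one entry per attachment."""
    hits = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    to_addr = parseaddr(str(msg.get("To", "")))[1]
    from_local, _, from_domain = from_addr.rpartition("@")
    to_domain = to_addr.rpartition("@")[2]
    # The worm forges From as <role>@<recipient's domain>.
    if from_local.lower() in SPOOFED_LOCALPARTS and from_domain.lower() == to_domain.lower():
        hits.append("from:role-address-at-recipient-domain")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject:known-lure")
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name)
        if stem.lower() in STEMS and ext.lower() in DROPPER_EXTS:
            hits.append("attachment:" + name)
    return hits


def is_beagle_m_candidate(msg):
    """Constructed threshold (my choice, not from the writeup): a matching
    attachment plus a matching From or Subject.  Subject alone is too weak
    (people really do write "Re: Hello") and so is an attachment called
    Document.zip on its own."""
    hits = triage(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and len(hits) >= 2


def build_sample(sender, recipient, subject, attachment=None):
    """Constructed MIME test message; the payload is not a real binary."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Your account has been suspended. See the attached file.")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


if __name__ == "__main__":
    lure = build_sample("support@example.com", "member@example.com",
                        "E-mail account security warning.", "Document.zip")
    benign = build_sample("alice@other.org", "member@example.com",
                          "Re: our PBEM turn", "turn.zip")
    print(triage(lure), is_beagle_m_candidate(lure))
    print(triage(benign), is_beagle_m_candidate(benign))
```

The attachment rule deliberately matches the outer container name only; a password-protected .zip or .rar cannot be opened by a gateway scanner, which is exactly why the worm uses one, so the file name and the forged From are what you have to go on at the border.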

Originally posted by Herr Kruger:

Are you okay as long as you don't open the attachment? Even if you don't have any sort of Antivirus software...

J Kruger

Yes, just delete it. And get some antivirus software. It's worth the investment.

Opening it up, it appears to be a nuisance kiddy script (don't worry, I've got a Mac ;)

Hacking into the actual e-mail seems to link up with a return path to edit: Sorry to Martin for inferring that he was in any way responsible for the dissemination of the virus

!217.5.97.137SOFTWARE\winupd.exe\

cCLEANER3.EXEaud3da{te!PC AVproctw9xMGRDION016PF9X20NT

6VWNB181TDW=kXICSSUPP

DEFmTCHPUTY

RaSET/R+EAESCH95XXQU%

[VgPDXTIVIRUS-C',FAS`ErLLLOW

blah blah

KERNEL32.DLLadvapi32.dllgdi32.dllole32

.dllSHELL32.dllshlwapi.dllurlmon.dlluser32

.dllwininet.dllwsock32.dllLoadLibraryAGet

ProcAddressExitProcessRegCloseKeyDeleteDCCoInitializeShellExecuteAStrDup

AURLDownloadToFileADrawTextAInternet

GetConnectedStaterecvh6dzmn&

blah blah

[ March 21, 2004, 05:22 AM: Message edited by: Wicky ]


Cozog.com has just become a temporary addition to my 'Blocked' email address list.

Thanks for the warning.

I can't believe ANYBODY runs without a virus checker these days! If you don't want to buy one, try AVG antivirus ...... it's free.


Originally posted by Wicky:

Opening it up, it appears to be a nuisance kiddy script (don't worry, I've got a Mac ;)

Hacking into the actual e-mail seems to link up with a return path to "martin.gregory(at)bigpond.com"

Well Martin is a regular here and part of the CM community. I'm currently playing him myself. I doubt he is spreading this deliberately.

The funniest virus I got was one that was sent from my work address to my work address.

The problem is that now our admins have clamped down on emails using trigger words, and a lot of legit stuff gets stuck in their net with no warning that it has not been delivered.

Brought to you by Bill Gates and the muppets at Microsoft.


Originally posted by Viceroy:

My Nortons nailed it straight away, so update your virus software if you have to.

Ditto. I got the original, plus three or four more from infected computers. My own AV "F-Prot" nailed it as it came in. Best $30 I spend, every year! And to think that I was starting to get annoyed at the more-than-daily automatic updates that have become necessary!

Here's a tip: to make it easier for my AV software, *all* my downloads, including email attachments, go into a special, single "downloads" folder.

Now, does this mean that the CMMODS web site is unusable for the time being?

[ March 20, 2004, 01:40 PM: Message edited by: beady ]


Nope, don't think so. The damn virus is so sneaky it sends itself forward even though no files at CMMODS are infected. That's what I think at least.

Scan all your downloads just to be sure. Or don't download any mods for a few days. No worries, it might be sneaky but it's not a Super-Doomsday Virus, that's for sure.


No need to get paranoid. All a hacker/spammer needs to make it look like something is sent from a specific person or site is an email address. Heck, I even get spam that's supposedly sent to me by myself (pretty sure it wasn't me, though. ;) ), and I'm sure my computer isn't infected with a virus.

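On the point that an address proves nothing: From and Return-Path are both written by whoever submits the message (the bigpond "return path" mentioned earlier in the thread is just another sender-chosen field), so the only origin data you can trust is the Received line your own border mail server added when it accepted the SMTP connection. The following is an added example, not part of the thread: the message is constructed, the hostnames are invented, the addresses are from the documentation ranges (192.0.2.0/24, 203.0.113.0/24), and the set of trusted hosts is an assumption you would replace with your own MX names.

```python
"""Locate the real submitting host behind a spoofed From.

Added example, not from the thread.  The sample message is constructed:
invented hostnames, documentation IP ranges, and a trusted-host set that
stands in for your own mail servers."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample.  From and Return-Path both claim cozog.com, but the
# connection to our border MX (mx1.example.com) came from 203.0.113.45,
# whose reverse DNS is a consumer DSL pool and which merely *said*
# "cozog.com" in its HELO.
SAMPLE = """\
Return-Path: <noreply@cozog.com>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id 7F1E2A3;
    Sat, 20 Mar 2004 11:02:19 +0000
Received: from cozog.com (dsl-45.pool.example.net [203.0.113.45])
    by mx1.example.com (Postfix) with SMTP id 5C0D91B;
    Sat, 20 Mar 2004 11:02:17 +0000
From: "Cozog.com team" <support@cozog.com>
To: member@example.com
Subject: Account notify

Your account has been suspended. See the attached file.
"""

# Common Received shape: "from HELO (rDNS [ip]) by HOST ...".  Servers that
# omit rDNS, or IPv6 literals, need a looser pattern than this one.
HOP_RE = re.compile(r"^from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)")


def parse_hops(msg):
    """Received headers, top of the message first (most recent hop first),
    with folding whitespace collapsed before matching."""
    hops = []
    for hdr in msg.get_all("Received", []):
        line = " ".join(str(hdr).split())
        m = HOP_RE.match(line)
        if m:
            hops.append({"helo": m[1], "rdns": m[2], "ip": m[3], "by": m[4]})
    return hops


def border_hop(hops, trusted):
    """First hop written by one of our own servers about a peer that is
    not one of ours: that is where the message entered our network.
    Anything below it in the header block was supplied by the sender."""
    for hop in hops:
        if hop["by"] in trusted and hop["rdns"] not in trusted:
            return hop
    return None


def origin_report(raw, trusted):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hop = border_hop(parse_hops(msg), trusted)
    return {
        "from_domain": from_domain,
        "connecting_ip": hop["ip"] if hop else None,
        "rdns": hop["rdns"] if hop else None,
        "helo": hop["helo"] if hop else None,
        # A HELO that does not match the peer's reverse DNS is the usual
        # fingerprint of a worm's built-in SMTP engine.
        "helo_matches_rdns": bool(hop and hop["helo"] == hop["rdns"]),
    }


if __name__ == "__main__":
    print(origin_report(SAMPLE, {"mx1.example.com", "mail.example.com"}))
```

Nothing in the report ties cozog.com to 203.0.113.45, which is the whole point: the member whose address appears in From is a victim of the forgery, not the source. In 2004 this Received-line check was about all a receiver had; today you would also read the Authentication-Results header for SPF and DKIM before drawing the same conclusion.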

Originally posted by Firefly:

Originally posted by Wicky:

Opening it up, it appears to be a nuisance kiddy script (don't worry, I've got a Mac ;)

Hacking into the actual e-mail seems to link up with a return path to "martin.gregory(at)bigpond.com"

Well Martin is a regular here and part of the CM community. I'm currently playing him myself. I doubt he is spreading this deliberately.

Originally posted by GreenAsJade:

Despite this, because the virus is pretending to be from me, my Inbox is filling up with bounce messages saying "the virus you sent has been blocked blah blah" :mad: :mad: :mad: :(

GaJ.

I've been on that end of things, myself. You have my condolences.

The good news is that the attack seems to be over. I got just that first spate of five or so messages, and nothing since (it's been 24 hours). The first message was the actual Virus Warning, the others were from what looks to be a mailing list of French and Finnish CMMODS users who also received the warning (Phillippe, Pascal and Anti - Hi, Guys!) - they discussed this in their emails.

So, it would seem that the originating, infected computer belongs to someone who uses CMMODS. I posted a couple of music mods there, which is the only way I can think of that my address could have been harvested from that site.


Originally posted by beady:

So, it would seem that the originating, infected computer belongs to someone who uses CMMODS. I posted a couple of music mods there, which is the only way I can think of that my address could have been harvested from that site.

I really want to be careful here, but I had to comment....

GaJ, your upload to CMMODS is an executable file, McMMM - obviously the most likely type of file to be infected with a virus, whereas everyone else uploads .zips of .bmps or .wavs - not likely to get infected. I'm just wanting to make sure that perhaps your McMMM hasn't become the infected file on CoG's server.

FWIW, I just downloaded McMMM again and scanned it - came up clean on Norton Corporate AV.

[ March 21, 2004, 10:49 AM: Message edited by: GJK ]


This topic is now closed to further replies.