Unable to remove Mydoom/Novarg worm

Devon Miles

The above worm was contained in an e-mail attachment received via Entourage,
and started mailing itself immediately to other people. Took the box off the
net and ran NAV8 (latest virus defs installed), which didn't find anything.
Deleted the offending mails, but Entourage keeps going. No removal tools
available on Symantec's Security Response, as OS X is not listed as an
affected platform. Wasn't aware that this would be an issue on OS X. How do
I get rid of it?

Any advice highly appreciated..
 
Mickey Stevens

This doesn't make sense. The Mydoom/Novarg virus isn't compiled for Mac, so
it can't run. It couldn't have mailed itself to other people from your Mac
unless you use Virtual PC or similar software.

You certainly could be receiving bounce messages and copies of the virus,
since it might be using your address to send itself, even though your
computer isn't the one that's sending it.

I wonder what is going on. Go to Window -> Progress in Entourage and stop
all tasks. Then go to the Outbox and delete whatever is in there. Does
that help?

(By the way, the latest version of Norton AntiVirus
<http://www.symantec.com/nav/nav_mac/index.html>, 9.0, checks for Windows
viruses like Novarg/Mydoom as well as Mac ones.)
 
Corentin Cras-Méneur [MVP]

Devon Miles said:
|| Took the box off the
|| net and ran NAV8 (latest virus defs installed), which didn't find anything.
|| Deleted the offending mails, but Entourage keeps going. No removal tools
|| available on Symantec's Security Response, as OS X is not listed as an
|| affected platform. Wasn't aware that this would be an issue on OS X. How do
|| I get rid of it?

BTW, NAV-M 8 doesn't detect Windows viruses (only NAV-M 9 does) so what
you describe is no big surprise. Simply trash the mail and you're done.

You don't need a removal tool since your Mac is not susceptible to these
viruses.

Entourage is not mailing anything to other users.
You might get warnings that a mail you *are supposed to have sent* was
infected though.

This virus spoofs the sender's address with what it finds in the address
book. This only means that someone who has your name in his address
book got infected.

I would sit back and relax :)))

If you don't believe me, here is what Symantec says about this virus:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.s@mm.html

Systems Not Affected:
DOS, Linux, Macintosh, OS/2, UNIX


Corentin
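
Whether a bounce like the ones discussed above really left your own machine can be checked from the headers of the message it returns. The following is an added example, not part of the original posts: the sample bounce, host names and IP addresses are constructed, and `known_sender_ips` is assumed to hold the addresses your mail legitimately leaves from (your machine or your provider's outbound relay).

```python
import email
import re
from email import policy

# Constructed sample bounce (RFC 5737 documentation addresses, hypothetical names).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.customer.example
To: devon@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Rejected: attachment document.zip contains an executable.

--b1
Content-Type: message/rfc822

Received: from unknown-pc (host.isp.example [203.0.113.77])
\tby mx.customer.example; Tue, 27 Jan 2004 10:00:00 +0000
From: devon@example.com
To: someone@customer.example
Subject: hi

(body omitted)
--b1--
"""

def returned_message(bounce):
    """Find the original message (or just its headers) inside a bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify(raw_bounce, known_sender_ips):
    """Compare the client IP logged by the bouncing server with hosts you send from."""
    original = returned_message(email.message_from_string(raw_bounce, policy=policy.default))
    if original is None:
        return "no-original"
    hops = original.get_all("Received", [])
    # The top-most Received line was written by the server that bounced the mail.
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hops[0])) if hops else None
    if match is None:
        return "unknown-origin"
    return "sent-from-known-host" if match.group(1) in known_sender_ips else "spoofed-sender"
```

A result of `spoofed-sender` means the rejected message reached the bouncing server from a host that is not yours, even though the From line carries your address.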
 
Devon Miles

|| BTW, NAV-M 8 doesn't detect Windows viruses (only NAV-M 9 does) so
|| what you describe is no big surprise. Simply trash the mail and you're
|| done.
||
|| You don't need a removal tool since your Mac is not susceptible to
|| these viruses.
||
|| Entourage is not mailing anything to other users.
|| You might get warnings that a mail you *are supposed to have sent*
|| was infected though.
||
|| This virus spoofs the sender's address with what it finds in the
|| address book. This only means that someone who has your name in his
|| address book got infected.
||
|| I would sit back and relax :)))

Thanks for your input, mates. FWIW, I'd like to get a better understanding of
what has happened. Let me explain the situation in more detail:

I first received (and automatically previewed) a potentially infected mail
in Entourage. I didn't notice any unusual behavior at that point. I then
composed a new mail to a customer and attached a number of .jpg attachments
and a Word document. After sending the mail, it got bounced by the remote
mail server, along with a warning about a potentially malicious executable.
When opening the returned mail, it contained the said document.zip and only
4 out of 8 .jpg attachments. Additionally, my sent folder contained mails
with document.zip attached. The recipients of these mails were not from my
address book.

Curious to see what worm I had, I forwarded this customer mail from my sent
folder to my Windows XP box (up-to-date virus scanner etc. installed) and it
detected the said worm. So I took the Mac laptop off the net and cleared all
mails and ran NAV.

The part I'm not quite understanding is, how could the worm attach itself to
this mail in my sent items folder (the one sent to my customer), and do this
whenever I resend this mail to any mail account? I'm not talking about
forwarding a bounced mail, but the supposedly clean mail in my sent items
folder which shows all .jpg and .doc attachments. How did it get infected in
the first place? I deleted the infected bounced mail right away.

I hope I'm not too thick here... Thanks so far!

Devon
 
Corentin Cras-Méneur [MVP]

Devon Miles said:
|| Thanks for your input, mates. FWIW, I'd like to get a better understanding of
|| what has happened. Let me explain the situation in more detail:
||
|| I first received (and automatically previewed) a potentially infected mail
|| in Entourage. I didn't notice any unusual behavior at that point.

What kind of attachment did the mail contain? Do you still have it ??
Did you open a Word or Excel document ??

|| I then
|| composed a new mail to a customer and attached a number of .jpg attachments
|| and a Word document. After sending the mail, it got bounced by the remote
|| mail server, along with a warning about a potentially malicious executable.

It could be the Word document....

|| When opening the returned mail, it contained the said document.zip and only
|| 4 out of 8 .jpg attachments. Additionally, my sent folder contained mails
|| with document.zip attached. The recipients of these mails were not from my
|| address book.

Really weird. I'm not sure this could be MyDoom since this virus
supposedly spoofs the sender's e-mail address. You wouldn't get any
warning mail in return.

|| Curious to see what worm I had, I forwarded this customer mail from my sent
|| folder to my Windows XP box (up-to-date virus scanner etc. installed) and it
|| detected the said worm. So I took the Mac laptop off the net and cleared all
|| mails and ran NAV.

It could be another one. Did NAV say which worm it was supposed to be ??

|| The part I'm not quite understanding is, how could the worm attach itself to
|| this mail in my sent items folder (the one sent to my customer), and do this
|| whenever I resend this mail to any mail account? I'm not talking about
|| forwarding a bounced mail, but the supposedly clean mail in my sent items
|| folder which shows all .jpg and .doc attachments. How did it get infected in
|| the first place? I deleted the infected bounced mail right away.
||
|| I hope I'm not too thick here... Thanks so far!

It's a little hard to know exactly what worm this could
be. Could you drag a few of these mails with .zip attachment to the
desktop, compact them and send them to me by e-mail ??
(e-mail address removed)


Corentin
 
Devon Miles

|| It's a little hard to know exactly what worm this could
|| be. Could you drag a few of these mails with .zip attachment to the
|| desktop, compact them and send them to me by e-mail ??

In the meantime, I deleted all suspicious mails and the problem seems gone.
Thanks for your help mate, much appreciated.

Devon
 
Corentin Cras-Méneur [MVP]

Hi Devon,

|| In the meantime, I deleted all suspicious mails and the problem seems gone.
|| Thanks for your help mate, much appreciated.

I'm really glad you managed to get the problem fixed :)))))


Corentin
 
