Virus Alert: W32.Novarg.A (Jan. 27, 2004)

Windows "W32.Novarg.A@mm" worm reported on campus (01/27/04)

W32.Novarg.A@mm, a Windows worm that has received considerable media attention, has been reported at Cornell. W32.Novarg.A@mm infects computers running Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. Computers running Macintosh, Linux, UNIX, OS/2, DOS, and Windows 3.x are not affected.

W32.Novarg.A@mm is also known as W32/Mydoom@MM and WORM_MIMAIL.R.

As of 8:17 p.m. on January 26, 2004, Cornell Information Technologies has been blocking incoming e-mail messages containing the worm. All members of the Cornell community should also update their anti-virus software (see below).

What to Watch For

W32.Novarg.A@mm is contained in an e-mail attachment. The subject of the message varies, and the attachment is a random name followed by .bat, .cmd, .exe, .pif, .scr, or .zip.

Do not open the attached file. If launched, W32.Novarg.A@mm will infect the computer and attempt to gain access to network resources. It will also attempt to download and execute random files.

Detailed description (from Symantec)

Potential Eudora Problem

Eudora may become confused if both PureMessage and Symantec AntiVirus try to clean up the same message containing this worm. When this happens, Eudora may complain that it has lost a temporary file and stop downloading new mail; subsequent attempts to download new mail may cause the same error message to appear. The solution is to delete the infected message. Use Eudora's task window to identify the message that's causing the problem, then use WebMail to delete that one message so that Eudora will be able to download the rest of your mail.

How to Avoid It

Update your Symantec AntiVirus software and perform a complete system scan. W32.Novarg.A@mm is detected by Symantec AntiVirus software that has been updated to the January 26, 2004, virus definition file, or a newer file.

To update, run Symantec AntiVirus and choose Live Update. Or download the file via Bear Access (Virus Protection folder) or from Symantec's download site. Cornell University has signed a site license with Symantec to provide Symantec AntiVirus (SAV) to the entire campus community. The license allows SAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.

Also see CIT's tips for making Eudora more resistant to viruses/worms.

How to Get Rid of It

Symantec has provided instructions for removing this worm. If you need additional assistance, please contact the CIT Contact Center (HelpDesk) at 255-8990 or helpdesk@cornell.edu.

First published: January 27, 2004
Last modified: June 04, 2007