New MyDoom Variant - MEDIUM-ON-WATCH

New MyDoom Variant - MEDIUM-ON-WATCH impacting Google & search engines also

#1 harrywaldron

Security Reporter

Group: Members
Posts: 509
Joined: 10-April 04
Gender:Male
Location:Roanoke, Virginia

Posted 26 July 2004 - 07:29 PM

New MyDoom Variant - MEDIUM-ON-WATCH
http://secunia.com/virus_information/10755/
http://secunia.com/virus_information/10879
http://vil.nai.com/vil/content/v_127033.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_MYDOOM.M
http://www.sarc.com/avcenter/venc/data/w32.mydoom.m@mm.html

Attachments to avoid: EXE, COM, SCR, PIF, BAT, CMD, ZIP (may be doubly ZIPped)

EXAMPLE:
Posted Image

This new variant of W32/Mydoom is packed with UPX. Similarly to previous variants, it bears the following characteristics:

- mass-mailing worm constructing messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address
- contains a peer to peer propagation routine

FREE CLEANING TOOL
http://vil.nai.com/vil/stinger/

Microsoft Security Journal

#2 Grinler

Bleep Bleep!

Group: Admin
Posts: 36,174
Joined: 24-January 04
Gender:Male
Location:USA

Posted 26 July 2004 - 11:19 PM

I just got one of these emails today :thumbsup:

Lawrence Abrams
Circle BleepingComputer on Google+!
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone should do this!

#3 jgweed

Forum Addict

Group: Global Moderator
Posts: 27,228
Joined: 11-April 04
Gender:Male
Location:Chicago, Il.

Posted 27 July 2004 - 10:11 AM

This was the subject of an US-CERT Security Alert issued yesterday (SA04-208A):

This variant of MyDoom (known as MyDoom.M or MyDoom.O) is
significant because it seems to be conducting searches on
addresses it harvests from infected computers. Therefore, not
only is email activity affected, response times in many popular
search engines may be dramatically reduced.

Regards,
John

Whereof one cannot speak, thereof one should be silent.

#4 KoanYorel

Bleepin' Conundrum

Group: Staff Emeritus
Posts: 19,461
Joined: 26-April 04
Gender:Male
Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 July 2004 - 10:25 AM

MyDoom virus KOs 4 search engines

That includes Google, which is preparing to go public.

BYRON ACOHIDO and JON SWARTZ
USA TODAY 27 July 04

SEATTLE - The latest version of the MyDoom e-mail virus, MyDoom.M, fooled tens of thousands of computer-savvy workers into triggering a disruption that knocked Internet search sites Google, Yahoo, Lycos and AltaVista off line for several hours yesterday.

MyDoom.M lured office workers facing stuffed post-weekend in-boxes into opening a folder presumably holding details about an undeliverable message. As with previous versions of the virus, that action sent copies of the virus to all e-mail addresses on the victim's hard drive.

The new twist: MyDoom.M, hunting for more e-mail addresses to spread itself to, also generated search queries to four of the largest search sites.

The deluge knocked Google off line as it is trying to look its best for an initial public offering. The FBI has opened an investigation, but so far believes the timing was coincidental. Google is preparing one of the largest tech stock offerings ever when cybercrooks, by many measures, seem to be gaining the upper hand on Internet security.

Google said a small percentage of patrons were affected, and its Web site was not significantly impaired. Yahoo said a small number of users were affected. Lycos and AltaVista declined comment.

The latest virus underscores growing concern about the changing nature of hack attacks. "Viruses used to destroy data," says Bruce Townsend, deputy assistant director for investigations at the U.S. Secret Service. Now, he says, viruses are designed to filch data or "take it hostage."

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 Papakid

Guru at being a Newbie

Group: Malware Response Team
Posts: 6,019
Joined: 08-April 04
Gender:Male

Posted 27 July 2004 - 10:36 AM

I just got an email from Kaspersky news. Something I didn't see posted clearly that makes this even worse:

Quote

Mydoom.m didn't only cause search engines to malfunction; its main
malicious payload is a backdoor function. Once the worm has penetrated
the victim machine, it opens a port to receive remote commands. Virus
writers will then have full control over the infected machine, and will
be able to delete or modify data steal information, and install other
programs at will.

An urgent update for Kaspersky Anti-Virus databases has already been
released, and a detailed description of I-Worm.Mydoom.m
(http://www.viruslist.com/eng/viruslist.html?id=1927276) is now
available in the Kaspersky Virus Encyclopaedia.

And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#6 KoanYorel

Bleepin' Conundrum

Group: Staff Emeritus
Posts: 19,461
Joined: 26-April 04
Gender:Male
Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 July 2004 - 07:09 PM

"SLATE" Magazine article claims...

"Fight Virus With Virus
That's the only way to stop MyDoom."

<http://slate.msn.com/id/2104432/>

Go get 'em White-Hat-Hackers!!!

:thumbsup:

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)