Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


New MyDoom Variant - MEDIUM-ON-WATCH

  • Please log in to reply
5 replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:03:34 AM

Posted 26 July 2004 - 07:29 PM

New MyDoom Variant - MEDIUM-ON-WATCH

Attachments to avoid: EXE, COM, SCR, PIF, BAT, CMD, ZIP (may be doubly ZIPped)

Posted Image

This new variant of W32/Mydoom is packed with UPX. Similarly to previous variants, it bears the following characteristics:

- mass-mailing worm constructing messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address
- contains a peer to peer propagation routine


BC AdBot (Login to Remove)



#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA
  • Local time:02:34 AM

Posted 26 July 2004 - 11:19 PM

I just got one of these emails today :thumbsup:

#3 jgweed


  • Staff Emeritus
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:02:34 AM

Posted 27 July 2004 - 10:11 AM

This was the subject of an US-CERT Security Alert issued yesterday (SA04-208A):

This variant of MyDoom (known as MyDoom.M or MyDoom.O) is
significant because it seems to be conducting searches on
addresses it harvests from infected computers. Therefore, not
only is email activity affected, response times in many popular
search engines may be dramatically reduced.

Whereof one cannot speak, thereof one should be silent.

#4 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:34 AM

Posted 27 July 2004 - 10:25 AM

MyDoom virus KOs 4 search engines

That includes Google, which is preparing to go public.

USA TODAY 27 July 04

SEATTLE - The latest version of the MyDoom e-mail virus, MyDoom.M, fooled tens of thousands of computer-savvy workers into triggering a disruption that knocked Internet search sites Google, Yahoo, Lycos and AltaVista off line for several hours yesterday.

MyDoom.M lured office workers facing stuffed post-weekend in-boxes into opening a folder presumably holding details about an undeliverable message. As with previous versions of the virus, that action sent copies of the virus to all e-mail addresses on the victim's hard drive.

The new twist: MyDoom.M, hunting for more e-mail addresses to spread itself to, also generated search queries to four of the largest search sites.

The deluge knocked Google off line as it is trying to look its best for an initial public offering. The FBI has opened an investigation, but so far believes the timing was coincidental. Google is preparing one of the largest tech stock offerings ever when cybercrooks, by many measures, seem to be gaining the upper hand on Internet security.

Google said a small percentage of patrons were affected, and its Web site was not significantly impaired. Yahoo said a small number of users were affected. Lycos and AltaVista declined comment.

The latest virus underscores growing concern about the changing nature of hack attacks. "Viruses used to destroy data," says Bruce Townsend, deputy assistant director for investigations at the U.S. Secret Service. Now, he says, viruses are designed to filch data or "take it hostage."
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts
  • Gender:Male
  • Local time:01:34 AM

Posted 27 July 2004 - 10:36 AM

I just got an email from Kaspersky news. Something I didn't see posted clearly that makes this even worse:

Mydoom.m didn't only cause search engines to malfunction; its main
malicious payload is a backdoor function. Once the worm has penetrated
the victim machine, it opens a port to receive remote commands. Virus
writers will then have full control over the infected machine, and will
be able to delete or modify data steal information, and install other
programs at will.

An urgent update for Kaspersky Anti-Virus databases has already been
released, and a detailed description of I-Worm.Mydoom.m
(http://www.viruslist.com/eng/viruslist.html?id=1927276) is now
available in the Kaspersky Virus Encyclopaedia.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson

#6 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:34 AM

Posted 27 July 2004 - 07:09 PM

"SLATE" Magazine article claims...

"Fight Virus With Virus
That's the only way to stop MyDoom."


Go get 'em White-Hat-Hackers!!!

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users