MyDoom Worm hitting hard and fast

Villain

Well I was working the night Shift tonight and we got hit hard with this worm, we ended up having to block litterally every attachment until we can get the 4319 dat file onto our servers and pc's.

The worms details are:

Mydoom.A Worm Rampant in the Wild: Mydoom.A, aka Novarg, Shimg, and MiMail.R, is a new randomized e-mail worm that
spreads via e-mail and P2P networks, installing a backdoor Trojan horse. It ranges in size, with file sizes such as 22,646 bytes and
22,528 bytes. Over 100,000 interceptions of Mydoom have been made in just a few hours.
E-mails sent by Mydoom.A have randomized subject, body and attachment characteristics. Mydoom may have a multithreaded SMTP
engine, opening several threads at once to rapidly spread in the wild.
Subjects are randomized, but include strings such as "error", "HELLO", "hi", "mail delivery system", "mail transaction failed", "server
report", "status" and "test". The body is also randomized, with text such as the following:
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• Mail transaction failed. Partial message is available.
• test
Randomized attachments may have a BAT, CMD, EXE, PIF, SCR, or ZIP attachment. Attachment filenames discovered to date are as
follows:
• body.zip
• data. EXTENSION TYPE
• doc. EXTENSION TYPE
• document.zip
• document.pif
• doc.scr
• file.zip
• message.pif
• message.zip
• oia.zip
• readme.exe
• readme.zip
• text.zip
It appears that the first part of the filename shown above can be combined with all extension types associated with this worm. For
example, readme.zip may also result in readme.exe, readme.pif, and others associated with this randomization routine.
When the malicious attachment is executed, the worm opens notepad.exe and displays randomized characters in a new window.
Meanwhile, the worm creates a copy of itself on the local computer. This file has a notepad icon to make it appear safe to the average
user. It may create a copy of itself in the Windows System directory as taskmon.exe, and on the Desktop as Document.scr. A DLL file is
also created in the Windows System directory, shimgapi.dll (4,096 bytes).
T
o spread as a P2P worm, it creates a copy of itself in the KaZaA shared directory. Filenames may also be given to the worm created in
the KaZaA P2P shared directory, with randomized filenames. These files have a BAT, EXE, PIF or SCR extension and the following
names: winamp5, icq2004-final, activation_crack, strip-girl-2.0bdcom_patches, rootkitXP, office_crack, and nuke2004. For example,
winamp5.pif may be created by the worm in the KaZaA P2P shared directory.

Jaden

Lads/Ladies this one is bad. I've had dozens of hits in the last few hours. The .ZIP variation is a tricky one. Inside Winzip or 7-Zip the attachment looks OK, because the true extension is hidden.

One local machine was infected before we downloaded the 4319 DATs.

Be careful, if in doubt quarantine all attachments, you don't want this on yer LAN.....

theciscokid

poor sco

Jaden

Right, clean so far, but this is what I've done to stay so:

4319 definitions on forced update on all client machines.
AVG Updated on a PC by PC basis.

To try and stop it getting in through the mailserver:

All ZIP files quanantined.

Word search in body of e-mail for "Unicode characters" or "Mail transaction failed", move these to quarantine area.

Any others?

Gillie

Shes a bitch!

Villain

Well looks like we caught this baby in time, 4319 is now 90% implemented so should be plain sailing from here on in.

This seemed to spread very quickly and catch the Virus fighting organisations unaware.

Has anyone been caught badly with it?

Ryaner

the server virus scanner in my work picked it up before it got into my email. Lucky I'm guessing. It somehow managed to email itself to my address my reading the address from my system. It was sent to an address that has NEVER been given out to anyone before.

Gillie

Interesting:

http://www.sophos.com/virusinfo/articles/mydoombounty.html

b3t4

Hey,

Was just watching the 9oclock news on RTE and the guy that was speaking(didn't catch his name) spoke of the fact that SCO were involved with the whole law suit thing with Linux and the linux community were not happy. From what he said it looks to me that SCO are trying to land this worm on the linux community. What's going on with that??
Surely not....
A.

Capt'n Midnight

The virus is set to launch an attack on SCO in feb.

Goodshape

This thing effect Linux at all?

zAbbo

Originally posted by Goodshape
This thing effect Linux at all?

Not in any direct fashion

Goodshape

Didn't think so. Feckin' windose users anyway... I''ve got about 200 of these things clogging up my mailbox everyday since monday :mad:

Ryaner

I've just read that the virus is started attacking microsoft. Havent read the story yet but still funny

Villain

Originally posted by Ryaner
I've just read that the virus is started attacking microsoft. Havent read the story yet but still funny

Yea there was another version of the worm released yesterday, MyDoom.B it's code is designed to begin an DDOS (Denial of Service) attack on Microsoft on the 1st Feb, and end on the 12th Feb.

It appears that the first instance of the Worm was in Russia!!!!

But there is also links to the Philippines.

leeroybrown

Two linux mail servers I admin are detecting a minimum of 50 times more than is normally the case. I checked my mail after a few days away from a PC and found that I had a vast number of reports in my spool.

Needless to say the procmailrc was very quickly modified.

Commissar

Originally posted by irish1
it's code is designed to begin an DDOS (Denial of Service) attack on Microsoft on the 1st Feb, and end on the 12th Feb.

I was wondering, how effective could this debial-of-service attack be if the targets are aware of it and taking measures to protect themselves? Thanks.

Obviously I don't knopw much about viruses.:rolleyes:

MadKevo

Originally posted by Commissar
I was wondering, how effective could this debial-of-service attack be if the targets are aware of it and taking measures to protect themselves? Thanks.

Obviously I don't knopw much about viruses.:rolleyes:

...maybe by deflecting the attack to some linux sites:

http://www.theinquirer.net/?article=13913