Esato

MyDoom Virus
glasgow.uk
P800
Joined: Mar 24, 2003
Posts: 358
From: Glasgow
Posted: 2004-01-28 00:32
IT'S COMING ! ! !

This message was posted from a P800

mwright
T610
Joined: Jun 21, 2003
Posts: > 500
From: UK
Posted: 2004-01-28 00:44
I know! I got hit before I updated my AV!

This message was posted from a T610

RMskater
T610
Joined: Oct 12, 2003
Posts: 166
From: California, but now I live in P
Posted: 2004-01-28 00:46
What the heck is this doom virus?

Ethan
bionrg
T610
Joined: Dec 16, 2003
Posts: 118
From: NL
Posted: 2004-01-28 01:11
Simply open your 'trusted' emails in ASCII mode... The rest of the mails you didn't ask for can go straight to trash.

This message was posted from a T610

mobman
X1 Silver
Joined: Sep 23, 2003
Posts: > 500
From: Manchester UK
Posted: 2004-01-28 01:55
eh? what kind of virus is this?

This message was posted from a P900

gelfen
Z600
Joined: Nov 22, 2003
Posts: > 500
From: Melbourne, Australia
Posted: 2004-01-28 03:08
taken from ZDNet Australia

Gloomy forecast for MyDoom fallout

By Robert Lemos, Special to ZDNet
28 January 2004

The mass-mailing MyDoom virus has become the fastest spreading program to date and the damage could continue for months or years.

The virus, also known as Novarg and Mimail.R, spread quickly across the Internet on Monday, traveling as an e-mail attachment and infecting PCs whose users opened the malicious file.

When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.

The virus has programmed infected PCs to send data to the SCO Group's Web server between February 1 and February 12. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

Perhaps more troubling is the fact that other online vandals could route new attacks through the infected PCs, said Alfred Huger, senior director of engineering for security software firm Symantec.

"For people that handle incident response, (the proxies) will cause problems," he said. Attackers can use the proxies to hide their real locations, making it very difficult to trace the origin of an online assault. "This is going to hang around and hound us for a long time--if Code Red is any indication, for years."

The Code Red worm infected Windows computers running Microsoft's Web server software, called Internet Information Server. While the primary infection hit in July 2001, tens of thousands of computers remain infected with the worm, which is still scanning the Internet looking for vulnerable systems to infect.

The effects of the massive spread of the MyDoom virus have already been felt.

The virulent program has flooded the Internet with e-mail messages bearing the program, doubling the time it takes most major Web sites to deliver a page. About one in every 12 messages being sent through the Internet contains the virus, said e-mail service provider MessageLabs. The previously most prevalent mass-mailing virus, called Sobig.F, only accounted for one out of every 17 e-mail messages.

"This is the most aggressive that we have seen to date," said Mark Sunner, chief technology officer for MessageLabs, which filters e-mail for corporate customers. However, Sunner believed that the infection rate of the virus had begun slowing by Tuesday afternoon. "It has had one cycle around the world, so it's likely that it's peaked." In the first 27 hours of the infection, MessageLabs quarantined more than 1.5 million messages that included the virus.

The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's in-box as an attachment to an e-mail message that appears to be an error response from an e-mail server.

The message sports one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment." and "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

The Web site for SCO Group, the target of the virus, was slow to load on Monday and Tuesday, a SCO spokesperson acknowledged. The site has had intermittent problems responding to requests over the past two days, according to Internet performance measurement firm NetCraft.

SCO's Web site was knocked offline by denial-of-service attacks several times in the past year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathisers for at least one of the attacks.

The MyDoom virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded. The virus camouflages with one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.

Not everyone agreed that the attack tools installed on infected systems will have a significant impact on Internet security. With the large number of PCs with poor security, MyDoom-infected computers will be a drop in the bucket, said Vincent Gullotto, vice president of antivirus research for security software company Network Associates.

"There are lots and lots of people that are out there that are compromised today," he said. "I think the mass-mailing part will have more of an impact."


other ZDNet articles relating to MyDoom can be found at the following links:

FBI launches MyDoom probe

Kazaa refuses to share with MyDoom
Whomsoever you see in distress, recognize in him a fellow man

Gelfen's special place where nobody talks to him anymore
GodzRekordz
P910
Joined: Jun 11, 2003
Posts: 46
From: The Cold Cold North
Posted: 2004-01-28 03:14
Hope This Helps

*Edit* @gelfen I thought I was the only one up!

Win32.Mydoom.A


Also known as:

Win32/Shimg
W32/Mydoom@MM (McAfee)
W32.Novarg.A@mm (Symantec)
Category: Win32
Type: Worm
Wild: High
Destructiveness: High
Pervasiveness: High


January 26, 2004
For more information, please visit the Win32.Mydoom.A description in our Virus Encyclopedia.

Cleaning Utility Available: ClnShimg.zip - a utility that cleans a local machine affected by Win32.Mydoom.A
http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip

Warning: Before running ClnShimg.com, please ensure that you carefully review the ReadMe.txt instruction file that accompanies this utility.

--------------------

Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive.

Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension. The From address is 'spoofed'.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Error
hello
HELLO
hi
Hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The Message Body may be selected from a list carried by the worm, be empty, or consist of randomly-generated, illegible garbage. Examples of Message Bodies used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

Data
Readme
Message
Body
Text
file
doc
document

Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.

When performing its mass-mailing routine, the worm finds destination e-mail addresses by searching files with the following extensions:

adb
asp
dbx
htm
php
sht
tbb
txt
wab

Via P2P File Sharing
The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:

nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5

Possible extensions are:

bat
exe
pif
scr

The worm is coded to stop spreading on February 12, 2004 (it will stop sending e-mails and spreading through KaZaA). However, even if the worm is executed after this date, it will still drop shimgapi.dll and activate the backdoor.

Method of Installation
When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry in order to run at the next system re-start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 [Default] = "%System%\shimgapi.dll"

When executed, the worm creates the mutex "SwebSipcSmtxS0" in order to make sure only one copy of the worm runs at a time.

When the worm is executed for the first time it creates the file "Message" in the user Temp folder and displays it using Notepad.

Payload
Backdoor Functionality
Win32.Mydoom opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199).

Denial of Service
The worm attempts to perform a Denial of Service attack against http://www.sco.com. The attack is timed to be performed between the 1st and 12th of February, 2004.

[ This Message was edited by: GodzRekordz on 2004-01-28 02:18 ]

[ This Message was edited by: laffen on 2004-01-28 15:32 ]
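As an added illustration (not code from the CA description or from any post in this thread), the following Python filter turns the mail characteristics listed in that description into a gateway-side check; the sample messages are constructed, and the rule of quarantining only on two or more indicators is an assumption of this example.

```python
import email
from email import policy

# Indicators copied from the Win32.Mydoom.A description quoted above.
WORM_SUBJECTS = {"error", "hello", "hi", "test", "status", "server report",
                 "mail delivery system", "mail transaction failed"}
WORM_BODY_PHRASES = ("has been sent as a binary attachment",
                     "mail transaction failed. partial message is available")
WORM_EXTENSIONS = {".bat", ".cmd", ".pif", ".exe", ".scr", ".zip"}

def final_extension(filename: str) -> str:
    """Return the last extension, so a disguised 'image.jpg.pif' yields '.pif'."""
    name = filename.lower().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def mydoom_indicators(raw_message: bytes) -> list[str]:
    """List which of the worm's mail characteristics a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in WORM_BODY_PHRASES):
        hits.append("body:bounce-style excuse")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if final_extension(fname) in WORM_EXTENSIONS:
            hits.append("attachment:" + fname)
    return hits

def looks_like_mydoom(raw_message: bytes) -> bool:
    """Assumed threshold: a bare 'hi' subject alone is not evidence, two hits are."""
    return len(mydoom_indicators(raw_message)) >= 2

# Constructed samples (not real captures): a worm-style message and a plain one.
WORM_SAMPLE = (b"From: postmaster@example.invalid\r\nTo: user@example.invalid\r\n"
               b"Subject: Mail Delivery System\r\nMIME-Version: 1.0\r\n"
               b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
               b"--b1\r\nContent-Type: text/plain\r\n\r\n"
               b"The message cannot be represented in 7-bit ASCII encoding "
               b"and has been sent as a binary attachment.\r\n"
               b'--b1\r\nContent-Type: application/octet-stream; name="readme.jpg.pif"\r\n'
               b'Content-Disposition: attachment; filename="readme.jpg.pif"\r\n\r\n'
               b"MZ...\r\n--b1--\r\n")
CLEAN_SAMPLE = (b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
                b"Subject: Lunch tomorrow?\r\n\r\nSee you at noon.\r\n")

if __name__ == "__main__":
    print(mydoom_indicators(WORM_SAMPLE), looks_like_mydoom(CLEAN_SAMPLE))
```

The attachment check keys on the final extension, so the hidden-extension trick of naming a .pif file "something.jpg.pif" does not slip past it.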
skin
K800 Black
Joined: Nov 10, 2003
Posts: 136
From: Stoke-on-Trent, UK
Posted: 2004-01-28 15:21
I've received three emails in the last hour, all containing an infected attachment!! Thank God for Anti-Virus Software and regular virus updates!!!

This message was posted from a T610

Alf Nif
W902 Black
Joined: Dec 01, 2003
Posts: 426
From: Sweden
Posted: 2004-01-28 15:31
I still blame Microsoft for the kinds of virus files which are called "Sexy image.jpg.pif", since it's standard for Windows to not show the end of the file.

When the mail comes it will then look like "Sexy image.jpg" is attached and some idiots think it's an image and open it.

BAM! There goes a virus
Alf Nif
formerly known as seiunUsagi
blase
T610
Joined: Jan 08, 2004
Posts: 7
Posted: 2004-01-28 15:32
Yes. Email with virus- Subject: TEST

This message was posted from a T300

Vlammetje
C702 Cyan
Joined: Mar 01, 2003
Posts: > 500
From: Den Haag
Posted: 2004-01-28 16:26
Are you saying you got it? What is the relevance of your post?
Tec9
T610
Joined: Dec 21, 2003
Posts: 263
From: UK / Hungary
Posted: 2004-01-28 17:55
I read about this virus. I think I also read it can spread through Kazaa, or did I misread?
Cycovision
P990
Joined: Nov 30, 2003
Posts: > 500
From: England
Posted: 2004-01-28 18:03
Yeah, it spreads via Kazaa too.

Spreading: KaZaA
Worm copies itself into KaZaA directory with following names:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5


gelfen
Z600
Joined: Nov 22, 2003
Posts: > 500
From: Melbourne, Australia
Posted: 2004-01-28 23:34
Kazaa refuses to share with MyDoom

By James Pearce, ZDNet Australia
28 January 2004

The MyDoom virus will not spread through the shared folders of users of the latest Kazaa programs, with Sharman Networks using peer-to-peer technology to protect against the virus.

MyDoom is presently distributing more e-mails than the notorious SoBig worm. Anti-virus vendor Central Command claims 1 in 9 e-mails contains the MyDoom virus, while managed e-mail provider MessageLabs puts the figure at 1 in 12. MyDoom also copies itself to the Kazaa download directory on a computer which has the file-sharing program loaded, using one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.

However, the latest versions of Kazaa include an antivirus program called BullGuard which is set to run by default. "It regularly checks for updated virus definitions," Phil Morle, director of technology, Sharman Networks told ZDNet Australia. "It periodically scans users' shared files and checks files as they are downloaded."

"We distribute the virus definitions via peer-to-peer, which allows us to give it to the users at no cost," said Morle. During one virus outbreak 10 Terabytes of anti-virus definitions were distributed over the p2p network in a week, according to Morle. "It's extremely efficient, so the users got it very fast," he said.

BullGuard does not scan e-mails for viruses and will not disinfect the users' computer. Sharman Networks recommends running a full anti-virus program to protect against viruses distributed via e-mail.
Whomsoever you see in distress, recognize in him a fellow man

Gelfen's special place where nobody talks to him anymore
Tec9
T610
Joined: Dec 21, 2003
Posts: 263
From: UK / Hungary
Posted: 2004-01-29 16:16
So as I read it, it can't go through Kazaa. Wow, a terabyte, is that one up from giga?