
MyDoom Worm hitting hard and fast

  • 27-01-2004 7:30am
    #1
    Registered Users, Registered Users 2 Posts: 15,956 ✭✭✭✭


    Well I was working the night shift tonight and we got hit hard with this worm, we ended up having to block literally every attachment until we can get the 4319 dat file onto our servers and pc's.

    The worms details are:

    Mydoom.A Worm Rampant in the Wild: Mydoom.A, aka Novarg, Shimg, and MiMail.R, is a new randomized e-mail worm that
    spreads via e-mail and P2P networks, installing a backdoor Trojan horse. It ranges in size, with file sizes such as 22,646 bytes and
    22,528 bytes. Over 100,000 interceptions of Mydoom have been made in just a few hours.
    E-mails sent by Mydoom.A have randomized subject, body and attachment characteristics. Mydoom may have a multithreaded SMTP
    engine, opening several threads at once to rapidly spread in the wild.
    Subjects are randomized, but include strings such as "error", "HELLO", "hi", "mail delivery system", "mail transaction failed", "server
    report", "status" and "test". The body is also randomized, with text such as the following:
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    • The message contains Unicode characters and has been sent as a binary attachment.
    • Mail transaction failed. Partial message is available.
    • test
    Randomized attachments may have a BAT, CMD, EXE, PIF, SCR, or ZIP attachment. Attachment filenames discovered to date are as
    follows:
    • body.zip
    • data. EXTENSION TYPE
    • doc. EXTENSION TYPE
    • document.zip
    • document.pif
    • doc.scr
    • file.zip
    • message.pif
    • message.zip
    • oia.zip
    • readme.exe
    • readme.zip
    • text.zip
    It appears that the first part of the filename shown above can be combined with all extension types associated with this worm. For
    example, readme.zip may also result in readme.exe, readme.pif, and others associated with this randomization routine.
    When the malicious attachment is executed, the worm opens notepad.exe and displays randomized characters in a new window.
    Meanwhile, the worm creates a copy of itself on the local computer. This file has a notepad icon to make it appear safe to the average
    user. It may create a copy of itself in the Windows System directory as taskmon.exe, and on the Desktop as Document.scr. A DLL file is
    also created in the Windows System directory, shimgapi.dll (4,096 bytes).
    To spread as a P2P worm, it creates a copy of itself in the KaZaA shared directory. Filenames may also be given to the worm created in
    the KaZaA P2P shared directory, with randomized filenames. These files have a BAT, EXE, PIF or SCR extension and the following
    names: winamp5, icq2004-final, activation_crack, strip-girl-2.0bdcom_patches, rootkitXP, office_crack, and nuke2004. For example,
    winamp5.pif may be created by the worm in the KaZaA P2P shared directory.


Comments

  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Lads/Ladies this one is bad. I've had dozens of hits in the last few hours. The .ZIP variation is a tricky one. Inside Winzip or 7-Zip the attachment looks OK, because the true extension is hidden.

    One local machine was infected before we downloaded the 4319 DATs.

    Be careful, if in doubt quarantine all attachments, you don't want this on yer LAN.....


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    poor sco :p


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Right, clean so far, but this is what I've done to stay so:

    4319 definitions on forced update on all client machines.
    AVG Updated on a PC by PC basis.

    To try and stop it getting in through the mailserver:

    All ZIP files quarantined.

    Word search in body of e-mail for "Unicode characters" or "Mail transaction failed", move these to quarantine area.

    Any others?
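The advisory quoted in the first post lists the worm's indicators (subject strings, body phrases, attachment stems and extensions, and the ZIP trick Jaden mentions where the real extension sits inside the archive), and Jaden's post above turns two of them into mail-server rules. The script below is an added example of a gateway triage check built from those same indicators; it is not code from the thread, from boards.ie or from any product named here. The sample messages at the bottom are constructed for the example, and the indicator lists are copied from the quoted advisory.

```python
"""Mail-gateway triage for the Mydoom indicators quoted in this thread.

Added example. Indicator strings come from the advisory in the first post
and from Jaden's mail-server rules; sample messages are constructed here.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines and body phrases listed in the advisory (lower-cased for matching).
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
BODY_PHRASES = ("unicode characters", "mail transaction failed",
                "7-bit ascii encoding")
# Executable extensions the worm uses, and the filename stems seen so far.
EXEC_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ATTACH_STEMS = {"body", "data", "doc", "document", "file", "message",
                "oia", "readme", "text"}


def suspicious_filename(name):
    """True when an attachment name fits the worm's stem/extension pattern."""
    lower = name.lower().strip()
    stem, dot, ext = lower.rpartition(".")
    ext = ("." + ext) if dot else ""
    if ext in EXEC_EXTS:
        return True                     # executables are quarantined outright
    return ext == ".zip" and stem in ATTACH_STEMS


def zip_hides_executable(data):
    """Inspect a ZIP in memory; True if any member carries an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(member.lower().endswith(tuple(EXEC_EXTS))
                       for member in zf.namelist())
    except zipfile.BadZipFile:
        return True                     # unreadable archive: hold it, don't pass it


def triage(raw):
    """Return the list of reasons to quarantine a raw RFC 822 message; empty means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r} matches worm list")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for phrase in BODY_PHRASES:
        if phrase in text:
            reasons.append(f"body contains {phrase!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if suspicious_filename(name):
            reasons.append(f"attachment {name!r} matches worm pattern")
        if name.lower().endswith(".zip"):
            reasons.append("zip attachment quarantined (site policy)")
            if zip_hides_executable(part.get_payload(decode=True)):
                reasons.append(f"zip {name!r} contains an executable")
    return reasons


def build_sample(subject, body, attach_name=None, attach_bytes=b""):
    """Constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "helpdesk@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(attach_bytes, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


def make_zip(inner_name, payload=b"not a real binary"):
    """Build an in-memory ZIP holding one member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed samples: one shaped like the worm's mail, one ordinary office mail.
WORM_LIKE = build_sample(
    "Mail Transaction Failed",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "document.zip", make_zip("document.scr"))
BENIGN = build_sample("Q1 rota", "Rota attached, see you Monday.",
                      "rota.txt", b"Mon: Jaden\nTue: Villain\n")

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, "->", triage(sample) or "deliver")
```

The ZIP check is what separates this from a plain extension filter: the archive name alone can look harmless, so the member names are read in memory before the message is released, and an archive that will not parse is held rather than delivered.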


  • Registered Users, Registered Users 2 Posts: 3,640 ✭✭✭Gillie


    Shes a bitch!


  • Registered Users, Registered Users 2 Posts: 15,956 ✭✭✭✭Villain


    Well looks like we caught this baby in time, 4319 is now 90% implemented so should be plain sailing from here on in.

    This seemed to spread very quickly and catch the Virus fighting organisations unaware.

    Has anyone been caught badly with it?


  • Registered Users, Registered Users 2 Posts: 1,714 ✭✭✭Ryaner


    the server virus scanner in my work picked it up before it got into my email. Lucky I'm guessing. It somehow managed to email itself to my address by reading the address from my system. It was sent to an address that has NEVER been given out to anyone before.


  • Closed Accounts Posts: 1,325 ✭✭✭b3t4


    Hey,

    Was just watching the 9 o'clock news on RTE and the guy that was speaking (didn't catch his name) spoke of the fact that SCO were involved with the whole law suit thing with Linux and the Linux community were not happy. From what he said it looks to me that SCO are trying to land this worm on the Linux community. What's going on with that??
    Surely not....
    A.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    The virus is set to launch an attack on SCO in feb.


  • Registered Users, Registered Users 2 Posts: 8,488 ✭✭✭Goodshape


    This thing effect Linux at all?


  • Registered Users, Registered Users 2 Posts: 11,987 ✭✭✭✭zAbbo


    Originally posted by Goodshape
    This thing effect Linux at all?

    Not in any direct fashion


  • Registered Users, Registered Users 2 Posts: 8,488 ✭✭✭Goodshape


    Didn't think so. Feckin' windose users anyway... I've got about 200 of these things clogging up my mailbox every day since Monday :mad:


  • Registered Users, Registered Users 2 Posts: 1,714 ✭✭✭Ryaner


    I've just read that the virus has started attacking Microsoft. Haven't read the story yet but still funny


  • Registered Users, Registered Users 2 Posts: 15,956 ✭✭✭✭Villain


    Originally posted by Ryaner
    I've just read that the virus has started attacking Microsoft. Haven't read the story yet but still funny

    Yea there was another version of the worm released yesterday, MyDoom.B; its code is designed to begin a DDOS (Denial of Service) attack on Microsoft on the 1st Feb, and end on the 12th Feb.

    It appears that the first instance of the Worm was in Russia!!!!

    But there are also links to the Philippines.


  • Closed Accounts Posts: 7,563 ✭✭✭leeroybrown


    Two linux mail servers I admin are detecting a minimum of 50 times more than is normally the case. I checked my mail after a few days away from a PC and found that I had a vast number of reports in my spool.

    Needless to say the procmailrc was very quickly modified.


  • Registered Users, Registered Users 2 Posts: 354 ✭✭Commissar


    Originally posted by irish1
    its code is designed to begin a DDOS (Denial of Service) attack on Microsoft on the 1st Feb, and end on the 12th Feb.

    I was wondering, how effective could this denial-of-service attack be if the targets are aware of it and taking measures to protect themselves? Thanks.

    Obviously I don't know much about viruses.:rolleyes:


  • Closed Accounts Posts: 191 ✭✭MadKevo


    Originally posted by Commissar
    I was wondering, how effective could this denial-of-service attack be if the targets are aware of it and taking measures to protect themselves? Thanks.

    Obviously I don't know much about viruses.:rolleyes:


    ...maybe by deflecting the attack to some linux sites:

    http://www.theinquirer.net/?article=13913

