Destructive variant of Mydoom loose

Sleipnir

A new variant of MyDoom worm - Mydoom.F was found on February 20th, 2004

It is functionally similar to the original variant but it does not attack www.sco.com. Mydoom.F tries to perform a Distributed Denial-of-Service attack on www.microsoft.com and also www.riaa.com.

In addition to the Distributed Denial-of-Service attack the worm tries to delete several file types from the victim's hard drive such as pictures, movies and MS Office documents.

The worm's code in charge of that is the same that harvests e-mail addresses. It will check every drive from 'C' to 'Z', and for each of the folders on those, it will go through each file, performing the following actions:


When copying itself, the worm will overwrite part of its executable with random data. Starting from 28000 bytes from its beginning it will write a 1 kB chunk of random data, making the file seem variable.

Some of the strings are scrambled using the same method as in the original Mydoom, ROT13.

It will add an entry in the registry in:


[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]


or, if failed in


[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]


containing:


<random string> = %sysdir%\<random string>.exe

gurramok

Yep.
It caused havoc in work, infected about 150 pc's and 4 servers, it deleted alot of data last tuesday 24th and only now has been fully controlled.
(anti-virus update on pc is useless without ppl running the virusscan, auto-dtect didnt help )

Eurorunner

Autoprotect on Nortons has picked up the following in my inbox three times today:
W32.Netsky.D@mm


According to the symantec security response, i would have received this from people who had my email address in their mailing list. Who the hell are these three people:ninja: