3 replies to this topic

[AplusWebMaster]

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-07-26
Updated July 26th 2004 19:30 UTC
"...The latest version of MyDoom, which started arriving in peoples mail boxes in force today, uses search eninges to find more recipients for its message. Once the virus is started, it searched the users files for domain names. Once it spotted a domain name (e.g. '@example.com', or in 'www.example.com'), it will search various search engines for valid e-mail addresses within these domains. These search engines include Lycos, Google, Altavista, Yahoo and possibly others...Google and Lycos appear to have problems responding to queries as a result...Antivirus vendors are currently publishing updated signature files. Please update ASAP. Infected machines can be identified by looking for excessive traffic to search engines and smtp traffic. The virus is UPX packed..."

(...and is responsible for jamming much of the web today)

--------------------------------

EDIT/ADD:
Symantec has developed a removal tool - updated to cover W32.Mydoom.M@mm
- http://securityrespo...moval.tool.html
Last Updated on: July 26, 2004 02:36:26 PM PDT

Edited by apluswebmaster, 26 July 2004 - 04:47 PM.

[AplusWebMaster]

FYI...

MyDoom-O hits search engines hard
- http://isc.sans.org/...date=2004-07-26
Updated July 27th 2004 01:25 UTC
"Overview
The latest version of MyDoom, which started arriving in peoples mail boxes in force today, uses search engines to find more recipients for its message. Once the virus is started, it searched the users files for domain names. Once it spotted a domain name (e.g. 'example.com'), it will search various search engines for valid e-mail addresses within these domains. These search engines include Lycos, Google, Altavista, Yahoo and possibly others. Some of the search engines, in particular Google and Lycos, had problems handling the large number of queries. As a result, the search engines did not return any result, or returned error messages. These MyDoom e-mails arrive in a number of different forms. Some claim to be a bounce caused by a message the user sent earlier, others claim to be a message from the users ISP claiming that the user sent spam and should run the attached file. The virus may be zipped or a plain executable...
Details
MyDoom creates the executable files C:\Windows\services.exe and java.exe, and executes them..."

>>> (More complete up-to-date details - please use the link!)

[AplusWebMaster]

FYI...

- http://isc.sans.org/...date=2004-07-26
Updated July 27th 2004 15:11 UTC
"...Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is used by a worm that will attempt to DDOS microsoft.com. Infected systems will start the DDOS right after the worm is installed and will scan for other vulnerable systems. Infected systems can easily be identified by looking for port 1034 TCP scans..." ( http://isc.sans.org/...s.php?port=1034 )

Removal tool
- http://securityrespo...moval.tool.html
Last Updated on: July 27, 2004 12:00:11 AM PDT

Also see:
- http://www.sarc.com.....zincite.a.html
Last Updated on: July 27, 2004 10:50:15 AM
- http://securityrespo...ydoom.m@mm.html
Last Updated on: July 27, 2004 12:51:55 PM

[AplusWebMaster]

FYI...

Zindos Worm Analysis
- http://www.lurhq.com/zindos.html
"Zindos is a worm that piggybacks on MyDoom.M/O infections..."


.