New variant: W32/Mydoom-O

Thread: New variant: W32/Mydoom-O

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    New variant: W32/Mydoom-O

    Yeah! Another variant. None of my virus scanners detected the sucker...
    But fortunately I have a built-in virus detector in my head.
    I submitted it to McAfee and they told me it was a new detection.
    You'll need the 4381 DAT which will be released on the 28th.

    It arrived by email but the body text was unreadable. It looks like it uses a different character set, but the MIME type was set to us-ascii. Needless to say, the text is unreadable.
    The attachment is a zip file which in turn contains another zip file. This zip file contains a readme.bat, which is actually an executable.

    I only found some info on the McAfee site. I guess the others will follow shortly.

    http://vil.nai.com/vil/content/v_127033.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Posts
    1,024
    If I'm reading this right, then in order to unleash it on your system you have to...unzip it, then unzip the unzipped package...and then double-click on the .bat file? How the hell is it supposed to infect anybody? People are lazy, nobody but the most curious dumbass would go to that much trouble to get at a file that came in some random email.

  3. #3
    Internet Storm Center is reporting that MyDoom.O is querying search engines for more email addresses. Google is partly down at the moment as a result.

    http://isc.sans.org/diary.php?date=2004-07-26

  4. #4
    Never underestimate the power of stupidity keezel. If there's a way for it to infect, some users will manage to get infected. Such is the awesome power of the "Ooh! What's this do?" factor.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    It's on Symantec's site now as a level 4.

    http://www.symantec.com/avcenter/ven...doom.m@mm.html

    Hopefully it makes the news tonight so people hear about it. As an IT person, you can tell them all about it and they don't care, but once it's on the news everyone wants to know what we're doing about it.

    http://www.thestar.com/NASApp/cs/Con...l=969048863851
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  6. #6
    Senior Member deftones12
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    4381 is already out. I've seen a couple of these still coming through our gateway though; NetShield isn't stopping it for some reason. I've even got 4381. When I was reading the email the guy opened and pointed out what he opened, I saw the text was mostly squares 'n gibberish. Still people manage to open it :-/.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It's the 21st century version of "Curiosity killed the cat".

    If you really look into it you'll notice a lot of viruses don't even abuse some bug in the mail program and/or the OS. Their "makers" rely on this drive to find out what will happen. This is also a way so-called 'safer' OSs can and will get infected. You don't need that many privileges to wreak havoc.

  8. #8
    Banned
    Join Date
    Jul 2004
    Posts
    297
    The copies of w32.mydoom I saw today were not zip files, they were bogusfilename.zip.pif binary attachments.
    Me: "Did you get an email from us saying you were caught doing something like spamming?"
    Them: "Yes."
    Me: "Did you open it?"
    Them: "Yes."
    Me: "Did you open the attachment?"
    Them: "Yes."
    Them: "This is bad, huh?"
    Me: "Yes."

  9. #9
    whatthe: didn't I mention that already?

    spamdies: we're already stripping off executables like .scr, .pif, .exe at the mail relay like a lot of outfits, so most people would only see the .zip, as that's deemed to be "safe". Yesterday we blocked .zip attachments and we can't really decide if we want to turn them on again..

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    dynamoo, what do you use to filter?

    We use a content scanner that looks at the actual file. They can spoof all the MIME types and/or extensions however they want, it doesn't fool our CS. It is even able to detect the executable within a zip within a zip. This really helps. If I spot something that wasn't detected by the virus scanner (virus scanning happens first) it'll end up marked as executable and blocked. I keep an eye on all the blocked executables; that's how I've detected numerous new viruses. I can smell them a mile away.
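The difference between the extension stripping described in post #9 and the content scanning described in post #10 comes down to whether the relay trusts the file name or reads the bytes. The following is an added example, not the poster's content scanner or any vendor product, showing both approaches side by side on a constructed attachment shaped like the one in post #1 (zip inside zip, containing a "readme.bat" that is really a Win32 executable). The blocked-extension list, the nesting and size limits, and the fake PE bytes are all assumptions made for the example.

```python
"""Added example: content-based detection of executables hidden inside
(nested) zip attachments, versus filtering on the file extension alone.
Not the thread poster's scanner; the sample attachment is constructed below."""
import io
import os
import struct
import zipfile

MAX_DEPTH = 4                  # assumed zip-in-zip nesting allowed before we just block
MAX_MEMBER = 50 * 1024 * 1024  # assumed cap on how much we are willing to inflate
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed relay list


def extension_filter_blocks(filename: str) -> bool:
    """The relay rule from post #9: decide on the final extension only.
    'bogusfilename.zip.pif' is caught, 'attachment.zip' sails through."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXT


def looks_like_pe(data: bytes) -> bool:
    """Win32 executable by content: a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. The name is ignored."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_zip(data: bytes) -> bool:
    """Zip by content: local file header magic, whatever the extension says."""
    return data[:4] == b"PK\x03\x04"


def scan_blob(data: bytes, path: str, depth: int = 0) -> list:
    """Return [(member path, reason)] for everything that should be blocked,
    descending into zips within zips. Encrypted or oversized members cannot
    be inspected, so they are reported as blocked rather than waved through."""
    findings = []
    if looks_like_pe(data):
        findings.append((path, "PE executable by content"))
    if not is_zip(data):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((path, "zip nested too deeply"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append((member_path, "member too large to inspect"))
                    continue
                try:
                    member = zf.read(info)
                except RuntimeError:  # zipfile raises this for encrypted members
                    findings.append((member_path, "encrypted member, cannot inspect"))
                    continue
                findings.extend(scan_blob(member, member_path, depth + 1))
    except zipfile.BadZipFile:
        findings.append((path, "corrupt zip"))
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew -> 0x40, PE sig."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 64


def make_nested_zip(inner_name="readme.bat", payload=None) -> bytes:
    """Constructed attachment shaped like the one in post #1:
    outer zip -> inner zip -> 'readme.bat' that is really an executable."""
    payload = fake_pe() if payload is None else payload
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    attachment = make_nested_zip()
    print("extension filter blocks attachment.zip:", extension_filter_blocks("attachment.zip"))
    for member, reason in scan_blob(attachment, "attachment.zip"):
        print("BLOCK", member, "-", reason)
```

The point of reporting encrypted and oversized members as blocked rather than skipping them is that a scanner which silently passes what it cannot read is just an extension filter with extra steps; the same goes for the nesting limit, which keeps a deliberately deep zip from turning the relay into the victim.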
