(Another) MyDoom variant
Results 1 to 2 of 2

Thread: (Another) MyDoom variant

  1. #1

    (Another) MyDoom variant

    Being reported by the Internet Storm Center (because it appears to impact on Yahoo!) - see here .

    Handlers Diary August 3rd 2004
    Updated August 3rd 2004 16:09 UTC (Handler: Tom Liston)
    * New MyDoom In The Wild
    New MyDoom On The Loose

    Initial analysis (we will update as we know more):

    Currently (16:00GMT), signatures are not yet available.

    Targets Yahoo's people search:

    http://email.people.yahoo.com:80/py/psSearch.py?

    Message subjects(?):

    SN: New secure mail
    SN: New secure mail
    Secure delivery
    Secure delivery
    failed transaction
    failed transaction
    Re: hello (Secure-Mail)
    Re: hello (Secure-Mail)
    Re: Extended Mail
    Re: Extended Mail
    Delivery Status (Secure)
    Delivery Status (Secure)
    Re: Server Reply
    Re: Server Reply
    SN: Server Status
    SN: Server Status


    Message body contains(?):

    Automatically Secure Delivery: for
    Automatically Secure Delivery: for
    Mail Delivery Server System: for
    Mail Delivery Server System: for
    Extended secure mail message available at:
    Extended secure mail message available at:
    Secure Mail Server Notification: for
    Secure Mail Server Notification: for
    New mail secure method implement: for
    New mail secure method implement: for
    New policy requested by mail server to returned mail
    as a secure compiled attachment (Zip).
    New policy requested by mail server to returned mail
    as a secure compiled attachment (Zip).
    Now a new message is available as secure Zip file format.
    Due to new policies on clients.
    Now a new message is available as secure Zip file format.
    Due to new policies on clients.
    This message is available as a secure Zip file format
    due to a new security policy.
    This message is available as a secure Zip file format
    due to a new security policy.
    For security measures this message has been packed as Zip format.
    This is a newly added security feature.
    For security measures this message has been packed as Zip format.
    This is a newly added security feature.
    New policy recommends to enclose all messages as Zip format.
    Your message is available in this server notice.
    New policy recommends to enclose all messages as Zip format.
    Your message is available in this server notice.
    You have received a message that implements secure delivery technology.
    Message available as a secure Zip file.
    You have received a message that implements secure delivery technology.
    Message available as a secure Zip file.
    This message is an automatically server notice
    from Administration at
    This message is an automatically server notice
    from Administration at
    Server Notice: New security feature added. MSG:ID: 455sec86
    Server Notice: New security feature added. MSG:ID: 455sec86
    New feature added for security reasons
    New feature added for security reasons
    Automatically server notice:,
    Server reply from
    Automatically server notice:,
    Server reply from
    New service policy for security added from
    New service policy for security added from


    The executable contains the following names (to what purpose, we are currently unsure):
    Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, Allison, Monique, Summers, Cortez, Barton, Deleon, Harrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, Leonard, Barker, Norris.
    Haven't seen it yet though.

  2. #2
    Banned
    Join Date
    Nov 2003
    Posts
    12
    The attack echoes the MyDoom-O worm's use of the Google, Yahoo, Lycos and Altavista search engines last week, which resulted in millions of users being unable to search the web using Google.

    The MyDoom-Q worm arrives as an email attachment, and will scour files on the infected user's hard drive for other email addresses to which to send itself. However, it will then use the People Search facility of the Yahoo website (people.yahoo.com) to try and find additional email addresses.

    "Copycat viruses are all the rage in the cybercrime underworld, so you didn't have to be psychic to predict the release of more worms trying to scoop up email addresses from search engines. Unfortunately, we expect to see other worm authors trying similar tricks in the future," said Graham Cluley, senior technology consultant for Sophos. "All internet users should do their bit to ensure they are not passing on infected files by using up-to-date anti-virus software and exercising great caution when receiving unsolicited email attachments."
    With the source code so public im surprised there hasn't been heaps more versions of MyDoom.......simply by typing "MyDoom-A Source code" at google gets it the 3rd on the list with a site containing the full source......i would've thought with that there'd be a hell of a lot more myDoom varients.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •