MyDoom

Printable View

Show 40 post(s) from this thread on one page

January 27th, 2004, 05:02 PM
jehnx

To answer who asked why it was on Windows: The whole point of this virus, it seems, is to DDoS the SCO site, undoubtedly because of their attacks on Torvalds of recent. Linux users, generally, are much too savvy to 1) download a file attachment they don't know the send of or 2) wait more than one minute to patch their system. But, Windows users a lot of the time leave their computers succeptible to attacks because of a lot of their ignorance, and are thus better targets in this market... basically, the writers think they're too dumb to understand what's going on. ;)
January 27th, 2004, 05:03 PM
DjM

Quote:

Originally posted here by 576869746568617
Not quite, DjM. See my post above. The symantec writeup does indeed say that the virus ignores .edu addresses.

I think that's what I said :confused:

Quote:

Symantec does mention that it will bypass .edu accounts

Cheers:
January 27th, 2004, 05:07 PM
576869746568617

I stand corrected....It's early and my mailserver's ate up like swiss cheese with this blasted worm! I misread your post.

My apologies :)
January 27th, 2004, 05:16 PM
ikalo
Wow... this thing sounds serious.
I didn't catch any worm for last 4 years because:
1. I don't open attachments of any kind if I don't expect them
2. If it is espected, and it is some kind of animated stuff, I duble check it before I start it
3. My AV is checking for updates automaticaly, and install them at once!
4. I check out antivirus sites oftem for fast spreading viruses
5. I run Windows Update at least once per week
And I don't still feel safe... Just remeber that damn Blaster thing...
January 27th, 2004, 05:29 PM
576869746568617

I do pretty much the same, but when the AV updates at one time, and the definitions come out after the update, you still aren't safe. Automation helps, but it's not a cure all.

Oh yeah, all you guys with IDS, here's the IDS signature for the trojan portion of the worm. This one is specific to Symantec IS, Manhunt, and SCS (IDS Signature provided by Symantec)....I'm looking for one one for snort....If I can't find one, I'll write one myself (unless Q.o.D. beats me to it!) I will post it here.
Symantec IDS Signature:

*******************start file********************

alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)

*************EOF*********************
January 27th, 2004, 05:40 PM
Roach4

eSAFE and Novarg (MyDOOM, mimail.q)

Hi,

We got eSAFE installed and running fine, removing every attachment which contains a zip, exe, bat, and so on...

But here is what we see when eSAFE removes a ZIP attachment containing a threat.

------------------------------------------------------

*** eSafe detected a hostile content in this email and removed it. ***
/readme.zip/readme.txt .pif Msg #705 - The file type pif is on the Restricted List.
T-Ë†Ã·Å½Å*Å’Ã¥d~ÃµIcaÃ¸c;WLÃ³Ã»~rÃ>gLÃ’ Ã«Â¢\RÃ¸i^zâ€¦q<Ã¨0Ã‘{Ë† gDâ€g{Âªe19Ã
&Ã¾Ã¨CÃ–)Ã*Â¿.NÃ¼ZÂµÃNÂ¿Ã¦â„¢Å“Â«Â¯)Âª/JÃ—Ã‡Ã¨sSWÃ™yÃ»m"ÂµÃ³Â¡Ã´Ã¶Â§Â«
KÃ¯iÅ¾rEÂ¹ÃºoÃšHdÂºpÃ·Â§EÃž~Â¯Ã…YÅ*ÃšÃK^{rÂ´ZÃ¹DÂ¼8Ã—Å*F-"Ã½Ã›s}ÃtÂ²â„¢Ã¶7jVÃ©h'Â¶Â½â€žk5EÃ›Ã˜:Ã£mâ€˜bÃ•Ã´oÂ®Ãª*Ã‰$â€“Ã—Ã˜}Â©d}UÃ‹jÃŽÂ¸~â€™Ã£Ã€Ã·Ã¾?Â²-Ã®O|Â²2wfÂ²Å½â€Ã§]ff^&_s9BÃ†Å½Å½-Ã—Ë†6i]â€¦HÃ‹ÂªÃ¬â€”Â«sg
Ã¦PclÃ›Aâ€¢MÃ°%q 8U!RÃÅ*Ã¡â€™4Â¤DÃ*Ã¼wÃ¯_â€žÃ¦â€šMâ€¦Ã“5Ã‹â€¡2%â€žÃ…Ã«0Â¥Ã¨Ã¸Ã¯Ã›.Â«!mvBâ€˜ÃµÃ¼zÃ—Ã¯Ã‰â€¢Ã§Ã‡Ã©Â¯Ã„vÃ®Ã)ÃH_Ã4Å’kÃ»â€šÂ¼ igÅ¸Ã•MÃ¹>Â¾Ã¥2i7Ã±n1`
5Ã¯mÃ¼ÃºZ8Ã³Å’9oÃÂ»y6B\Ã¬r ÃˆÃ‡MXY#Â·Å½Ã²}Ã¢]8ÃƒÃ£ÃÂ¯&ÃŸÃ†YÃ‰-QMo PÃ‡ Ã•
Ã…Ã¼lÃ™Ãâ€˜jÃ¡PPÃ¶Ã*Ã¾wÃ±JÂ½C%XÂ¿Â»Ã¬â€šÂ¯#Ã’â€“ Ã±}GÃ˜Ã«Â¨27SÃ²ÃŸ|$ Ã¼cC~-AÃŠK~YÃ“Â¸Ã”PÃâ€gmÃ‘QxLâ€* oâ€¡Å¸|UTÃ,]~â€°Å¡ÃŠâ€™Â²[Ã§Ã–-3â€¢Â¿Â±Ã ÃVÃˆÃ¼ÃŽyAÂ³Ã°]ÃžRM/Ã*rÃ›^Ã¹Ã‘Â½â€žn>Â®8â€“â€šÂ¿Zâ€;;Ã‘Â¢*MIÂ¡}vÃŒokâ€œ
~0Ã¨ÃªÃ§ Ã• |`Ã³~Â©)
Ã¹a:ÃªÂ³Â«Z3Ã³~Ã–â€Â¥BUÃˆzÃ„Ã—_&Â¶$Å*
Ã*,FÂ¤Ã§
!Â¿(ÃµÃ€Â®Ã›ÃžÅ’Æ’Ã–Å½87â€°jÃÃŒÂ¾C kÃ½Â©tm{Ã‡Â·zÃµ?Â©SÅ¡/Ã©â€œÂ·<ÃÃŒÂ´Å¾yÃ£4ÃœmÃ°LÃ*Ã³Æ’Ãœ[D?orâ€¹1TÃ‰|QHÂ¹Â·&Â¸ CgYGÃœâ€“Â¼Â´OEÂ¢LÃ·!ÃŸÂ³â€“,Â©|(VÃ“Ë†&Ã‹Å½ÃÃ´Ã•Ë† Ã]Ã°Ã«;sÃº#}Ã‹`Ã‹Â±Z&Â§Ã„â€Â¸{$Å“1,Ã». Â»w}4â€¹Ã¦Å¸Ã‡Ã©Ã‹ZFÃ¶ÃœYÂ© Â²qÃšÃ„# Ã¶Ë†qÃ©Â®~^ÃŒ2 Ã˜Ã€Â¢â€¡Â¢Â«nÃ¹A'Ã«ÃšzÃŠ1Ã„8ZÃ†BÃ¼6wb&â€¦ Â¬aâ€”;PÃ¥Æ’yÃˆâ€¡mÃ¸~Å¡Ã“0Â¼Â¾Ã±Ã¶â€˜Ã©VÂ¨MÃµÃ™
~,Ã„)Ã¼mFsÃŠâ€°/mÃ¯Ã³Â¿ <#â€˜â€žiÃ*Ã¹ÃŸÃ€Ã½kwÃ‘lÃ¾DÂ±SÂ¬Ã€BÃªEÃ¯Â¼_CÂ·ÃŒyXÂ¶~Ã¾Ã°Ã¶Â«Ã´oÂºâ€œCÃ™Ã*BÂ¯â€“Ã—}Sâ€¹Ã¦Â¬#Â¢â€˜qÂ£Ã²Ã;â€°â€™ Ã²Ã‰< ÃˆÃ†SVÂ¬>Â°ÃŸY~Â¬yTÃ¡ÃˆpÃ·F Ã·?Ã¢Ãšc141Â·Â¢!8ÂµÃ°RFEÂ®Ã¨ â€°Z)ÃžÃhÂ¸Ã¦)Ã«Â§~Å½â€”7ZWâ€˜Å¡ÃªÃ§jâ€žÃŸÃÃ‹sBÃ‡ÃÃ³ÃªÂ¶sÂ¨â€¢cÂ¸Ã²wÅ*Â¿Ã¶Â°Q:Â²Â°|bÃ¯kâ€˜Â¶Ã™SÃŠÃ€Ã›â€¢
Â°â€”Ã½Ã‹Â¥tÂ´yhYÃƒÂ¿VÃ¨~cÂ½
Ã²oÅ¾T^Ã´*Å“fÃ˜^â€¢â€¦yÃ*â€š>Â®Â»Ãª Ã€Â¨Tâ€™
â€¢B;hÃ‹]MÂ£.Â©ÃfÃŸxÂ½IPâ€šÃž&Â·ÃÅ¸Å¡.Ã¾Â±Â¹'Ã{Ã—Ã*xÃ€?%Ã©g<Y-â€œfÃ»0:MÃ‡ShÃ¹Ã½â€žÃ¥Ã¢Ã®p ÃªÃ„Â£#;ÃºÃ¤-â€°NÂ¬ ÃœÃ†TÃºÆ’Ã®QÃ¦Ã…ÃºÃ¸ ;iâ€¦-Å*qÃÃŠ<Ã–)Ã»â€¢Å“Â©Â¾Â¥Ã§\PÃ‘FÂ¯Â³Ã™Ã¢ â€ž,WÃŒÅ¾Ã•Ã¨,nÂ»#>Ã”c Q~yÃ«Â¡W-Â°Â±nÂ´/â€œZqnH
!|Ãµ^Ã³â€˜ÃµË†Ã¹CNÃ³Ã•Ã)â€”WÂ³sÃ¬Â®Ã¹â€¦G,5Kâ€ž'tTÃ²Ã¬Æ’â€¢Ã*NiÃ˜`DÂ¨SÃºÃ¦KÃ‹#]
Ã*5 8Ã’0â€™Ã‚Vnâ€™â€“-Ã¸3Ã/[ÃŽÃ˜sbâ€¡Âª'AÂ¤Âºâ€¹Ã¬Ã¯?ZÃ¹Ã°'}Ã*Â¤yCÂ§_ÃˆÃ’ÃÂ²Ã³Ã¢â€œ ÃŒÃ˜Ã¥Ã¹â€°hÃ±kÃ¸Â©â€˜Ã§ ÂµKMPOpÃšÃ¡Ã¹
.Â·;Ã©â€°Å¡Â®â€“Ã™Âº,_ÃªÃŠÅ¸Ã¹Å½Â®[Â½Ã¹â€œÃ—Ã*pÃ¹Ã¹Ã²Z Â¶]dÂ¢ÃŸL 8nl-{â€ºT6Â¼~sYâ€ž> Ã£Ã£)(ÃHPÃ”ÃÃ˜DYMKÃ£â€šEJÃ§5 â€“Ã¨Â©CÃ©â€¹Ãµâ€¦â€°BÂ¢Â¢â€|#Ã±%jWkI1Ã¡lÂ¤*CY~Ã„Ã¤RÃ›Ã®Ã¦Ã–Â¨Â¾ÂºÂ¹^OÃ¢CÂ¸ÃˆÃ«Ã¸:ÃŸ%*Ãµ*~}NtÂ¸Ã…r~Ã¹G>Â´â€žjÂ¶Ã’>ÃˆÃ¬GÂ§AÃ„Ãâ€¦>VÃžkÃ½Å¡Ã¢ÃªÃ‹~Ãœ(_Â¿Ã“Ã˜9Â½ÃšÃÃžÃ‡Â²S>5r0Â¹*Ã¤ Ã€Ã¬xÃ´Ã³Ã¹pÂ¬`39i Â±/Å¾ÃºÂ£Å’2Ã”-Ã°YÂ¨ÃšÃœÂ¯Ã£tÂº Ã™9ÃœÃ°ÃAt1Ã½Â¸ uâ€¡ â€º0Ã–0Ãš]]Ã°kÂ¯
nÃ¹ZÂ´ Ã¥Ã¤Â£MÃžÂ¢Ã£â€š^eÃ* Ã¯OtÃ¹â€¢DrÂ¿Ã´Â¼ÃšÃ½Â¥Ãµ5 eÂ©(YÃ–dGÃš(Ã³ HfÃ´ÃºÃšYâ€¦|9ÃµÃ‚_â€šÃ¨Ã»yâ€šÃ¥"Ã£Â²QvÃ§|Ã½Â¤
kpÃ‡Ã£Ã¾â€”dd
Ã®hÂªâ€¡Â²â€˜Â«Â´fÂ¨Â¯M$Â¬VÃ½â€Â¤ÃšÂ¸Âºâ€™â€¦!}jÃ«gPÃ–lw(Ã±Å½Â¶â€œâ€žÃ¥ÃŒÃ·dK
nÃšÃ*Ã±T/Â¹w Ã´Ã“cE"Ã‰Ã¯Â¥Ã¥#â„¢^ÃŒÃ¦ÂµÃ“Â«Â¤yyâ€šzÃ¡RÃ*ÃºÃšÂµÂ¯Å¡RDÃ›Â¾!Â©Qâ€Ã¡Ã›,kÃ¡Ã¤Â¨7_Â¶.â€¡9fÃÃuÃ•{Ã‡Ã‡~Ã§WÃ§Ã›ÃœxÂ°â€°dÃ¥ÃŠG..2 â€˜PÂ·Å’D~Ã¡Eâ„¢&Å*{â€œâ€Ã*bÃ¸rÃ€Âº Ã‹Â«X~Å*Ã—Ã§"Â¨Ã¶Â¿8ÃšÃ½Å’Ã¶â€˜Â·PÂ¨Ã¢G{< Iâ€ Â¸Å¸Å¸Ãâ€˜!Ã“`Ã*\ÃµQ Ã¾Ãµ|Ã¨PÃˆÂµÃ‘Ã·0Â³G*[PÂ±~Â¿jÃ™ÃŒÃ‰ NKÂ¯Ã”Ã£1Ã¬!mâ€™-:1Ã•â€ºZZmÃ«"FÅ¸BS|Ã¤Ã€QÃ”Â¤ÃŒÂ± QÂ½!Ã²Â²`
Ã¯YÂ´Ã§fQ1
â€¢>Â£Ã«Â´DÃªÃ…)S5xÃ†â€*{lUkâ€¡tÃ¨Ã½Ã–Â·â€˜Ã»TiR,Ã’]Ã™i^Ãž7ÃµE_ÃŸT}Ãš|SÂ´E/0Ã™ÂªÅ¸Â±lÃ§Ã´MÅ¾[Ã¦Ã›ÃžHwÂ¼Âºâ€ºÂ£-E â€˜$Ã«ÃˆsÅ¸Ã¹KÂ¶<{Ã±Ã˜Å’LÃ½!â€°Ã¦Ã™FCÂ¡IÃždÃœÃ²{
5 Â°}tÂ®g\Ã¸Â±$Ã—ÂªTÅ*Â¢Ã„OÃ£WÅ¾Â»Â´Ã‡[.Â¥LÃ£â„¢9qÆ’gâ€“Â»NÃ·qâ€ºÂ¡â€¦Ã¼ÃºÂ¢_â€¡aÂ¨Â½6Ã‚j~m)ÃVÃ¼â„¢Ã³kÂ«pdÃ§.Å“â€™N Â©Å¾Â¶â€º2[ Â·o;TÆ’
Â°UqÂ®Ãš[-^Ã‚â€¡TÃ¾â€¡Ã³Ã³_K/Â§ÃŒâ€¡ÃŠâ€˜â„¢â€¹qÃ¥Ã›ÂµÃ«Ã²Â«Ã´T{ÃŒ>Ã–aÃœÂ·K}Ã‘â€°Â¸fÃ“Â¥Ã£â€œÂ¶Â¸Ã›Ã§â€™a>Âª-&Ã“V~Â²Ã˜ÂµBÂ¥9â€DO10sÃ¤pÃ‡Â³â€šÃ“Â¾Ã§)Ã¥Ãiâ€¢Ã˜fÂµg-
~ -vÃ¯â„¢Æ’â€œÃ³AÅ¡{)w9Ã)Ã¤Ã³Ã™Â¤3Å“Ã®
Â¿AÂ©^Ã¨ Ã¾5Â±Â¨Å½pÂ¿Â©c`Â¢PnÂ°
XÂ¾Â²ST_Â±Ë†AÂ¨O:Â¬Â²i7gÃ°Gâ€˜â€™&*Ã¯ Â·Ã¼iÂ¡xÃ‡â€ž'; CÃÅ’,Ãœ -ÃŒGÃˆÃ¼n-Ã‘Ã
Ã·Æ’WaÃ¯ÃªÃ‰Å*6â€ºBÃšÃ£Ã½â€ž5Å¸Å¡FUÂ³j Ã†
%[ÃŒÅ¡ZÃ‘YÃ„Ãâ€°;Â©Ã’tÃ»Â¥ÃŠ7â€¡Ã¨
Â«!.XBÂ¾mÃ¥Ã„9Å¡&DÃ—Â¾Tg|&/
,Ã¨â€ž`Ã³Ã¹VgdÃ’:zÅ¸Ã…|vÃ‚Ã£Â«Ã«OÃ»ÃŠB 0Â¹ ÃŠÃ“dÅ¾ |Â¸Â»2Ãº6Â£3Ã„Ã¤~ÃNtÃ¼Ã§BÃ·aZÃ»â€¦&Å¾Ã±Â¤6ÃœÂ£gÂ£Ã“hÃ¹-;vÂ¾kuo
Ã•Ã”ÃyÂ·â€¦,P\Ã”Å“FÃ±cc{Â®Ã,Ã’Ã¾â€™Â§Ã’ÃrÂ¿Ã¢â€”Â½Ã® Â§Â©pÃœâ€œVÃ¼â€”â€*LÅ*zÂªÃ±ÃšÃ°Â±FuNiÅ½wÂ»RÃŸÃ¹Â´
qtBÃÃ—aLâ„¢Â½Ã·Ã¹k|Â©â€˜â€¹Â£Â¥XkÂ¤0#â€¦Å½Ã~'ewÃŠÃ’Ã„â€º
lâ€”Ã±o

------------------------------------------------------------------

You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)

Any ideas!?

Thanks,

Roach4
January 27th, 2004, 05:42 PM
Tiger Shark

A couple of additional notes:

1. If you are running snort with the Swen.A rule defined it picks up many of the instances of this virus.

2. One machine got infected inside my network by the look of it at a sister org who I have less control over....<sigh>. It probably got through before the definitions were available, my mailserver updates hourly. It was trying to send outbound email which is blocked at the firewall. An ethereal dump showed that it was resolving the domain of the recipients prior to attempting to send which was noted by Symantec.

3. An Nmap of the machine indicated VNC running. The machine is shut down awaiting their tech staff.
January 27th, 2004, 05:47 PM
DjM

Quote:

Originally posted here by Tiger Shark

3. An Nmap of the machine indicated VNC running.

Tiger, are you saying that the virus dropped VNC on to the system?

Cheers:
January 27th, 2004, 05:55 PM
Tiger Shark

NMap claimed that 2 ports used by VNC were open on the target machine...... Unfortunately, being in a hurry I didn't save the scan results and I forget the ports. Added to that I had the machine shut down so I can't rerun the scan.

I tried to connect using Slarty's VNC thingy and it told me VNC was already running so the ports were definitely open and active. I didn't go any further but simply called the person who knows who's machine that is and had them close it down to stopp the "chatter" at the firewall so I could see if anything else got in.

Symantec and the rest say it drops a trojan on any number of ports so I guess VNC's ports coincide with the trojan..... I thought that would be of use to some since they may use a VNC client on their systems so it may not be immediately apparent that this may not be what they think it is.
January 27th, 2004, 06:13 PM
DjM

Re: eSAFE and Novarg (MyDOOM, mimail.q)

Quote:

Originally posted here by Roach4

You see in the top of the e-mail that everything is fine, it says it removed the hostile content but why do we get all that stuff? (with other files, not zips, we don't have this)

Any ideas!?

Thanks,

Roach4

I suspect this is the contents of the zip file before the virus is stripped away.

Cheers:

Show 40 post(s) from this thread on one page