SANS ISC: Doubleclick DDoS'd, W32.Zindos.A Microsoft DoS, FXMYDOOM Feedback
Doubleclick DDoS'd

Around 10:30 EDT Doubleclick, a provider of web advertisements, began experiencing a massive denial-of-service attack against its DNS servers. Because pages that embed Doubleclick ads have to resolve Doubleclick hostnames before the ads can load, many otherwise unrelated sites that use the service have slowed down as well. Read more at:

http://www.washingtonpost.com/wp-dyn/articles/A18735-2004Jul27.html
W32.Zindos.A Microsoft DoS

The W32.Zindos.A worm, which infects machines through the backdoor opened by Backdoor.Zincite.A (itself dropped by MyDoom.M), performs a DoS against the microsoft.com domain. Because of bugs in its code, an infected machine is repeatedly reinfected with Zindos and becomes slow and unresponsive. For more information go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html
FXMYDOOM Feedback

A user wrote in stating that the FXMYDOOM tool would not completely clean all of the MyDoom processes off a system. He gave the following steps to ensure a clean system.

1. Reboot into safe mode with networking support and sign in.

2. Run FXMYDOOM, downloadable from Symantec. Go onto step 3 while step 2 runs.

3. Visit the "Run" sections of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (full example path above) and delete any calls to:

a. Javavm

b. Services

c. Tray (which will have a path to ********.exe listed in the data field)

Norton's tool usually didn't catch the "javavm" or "tray" entries on PCs I worked on, so be on the lookout for them.


4. Once step 2 has completed, manually verify javavm.exe and services.exe are no longer in %windir%

5. Reboot into normal mode. Ideally the user should sign in; in the absence of the user, sign in yourself.

6. Once the boot completes and the taskbar fully loads, check the "Processes" tab to make sure there aren't any extra "services", "javavm", or "********.exe" files running. Note that it is normal to have one copy of "services" running on a PC. One copy, good. Two copies, bad.

7. Re-run step 2. Have user contact you if it finds any instance of mydoom on the PC.
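The manual checks in steps 3, 4 and 6 can be scripted. The PowerShell audit below is an added example; it is not part of the original diary or of the user's write-up, and PowerShell did not exist on the Windows XP systems of the time, so it is an illustration of the same inspection on a modern host. It only reports and deletes nothing. The registry paths are the standard Run keys, the value names are the three the user listed, and since the executable name behind the "tray" entry is masked in the write-up, that value is flagged by name and its data printed for manual review. The test that a running services.exe should live under %windir%\System32 is an added assumption based on where the legitimate copy lives, which is also why a services.exe directly in %windir% (step 4) is suspect.

```powershell
# Added example (not from the diary or the user's write-up): a read-only audit of the
# items that steps 3, 4 and 6 check by hand. It reports and deletes nothing.
# Run from an elevated prompt so the Path property of system processes is readable.

# Value names the user listed in the Run keys. The masked "********.exe" is unknown,
# so the "tray" entry is flagged by name and its data shown for you to judge.
$suspectNames = @('javavm', 'services', 'tray')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Step 3: Run-key entries named javavm/services/tray, or whose command launches
# javavm.exe or services.exe from anywhere other than System32.
function Get-SuspectRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data   = [string]$item.GetValue($name)
            $byName = $suspectNames -contains $name.ToLower()
            $byData = ($data -match '(?i)(^|\\)(javavm|services)\.exe') -and ($data -notmatch '(?i)\\system32\\')
            if ($byName -or $byData) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

# Step 4: the dropped copies sit directly in %windir%. The legitimate services.exe
# lives in %windir%\System32 (assumption noted above), and there is no legitimate
# %windir%\javavm.exe, so anything found here is reported.
function Get-SuspectFiles {
    foreach ($exe in 'javavm.exe', 'services.exe') {
        $path = Join-Path -Path $env:windir -ChildPath $exe
        if (Test-Path -Path $path) {
            Get-Item -Path $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

# Step 6: one services.exe running from System32 is normal ("one copy, good").
# A second copy, any services.exe outside System32, or any javavm process is bad.
function Get-SuspectProcesses {
    $system32 = Join-Path -Path $env:windir -ChildPath 'System32'
    $services = @(Get-Process -Name services -ErrorAction SilentlyContinue)
    $services | Where-Object {
        $services.Count -gt 1 -or ($_.Path -and $_.Path -notlike "$system32\*")
    }
    Get-Process -Name javavm -ErrorAction SilentlyContinue
}

Write-Host '== Run key entries to review =='
Get-SuspectRunEntries | Format-Table -AutoSize
Write-Host '== Suspect files in %windir% =='
Get-SuspectFiles | Format-Table -AutoSize
Write-Host '== Suspect processes =='
Get-SuspectProcesses | Format-Table Id, ProcessName, Path -AutoSize
```

Run it once from safe mode before the cleanup tool (to see what the tool is up against) and again after the normal-mode reboot in step 6; empty tables in all three sections are the "clean" result the steps are aiming for. Anything it lists is a candidate for manual removal, not something the script touches itself.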


---

John Bambenek, jbamb -at- pentex-net.com