An apology
It was my intention to post Part II of my "Follow the Bouncing Malware" article today. Instead, the other Handlers and I ended up following the bouncing MyDoom. A quick note of thanks to all of the other Handlers, the AV Vendors, and many others for pitching in and keeping this one from getting out of control. (TL)

New MyDoom On The Loose

Initial analysis (we will update as we know more):

Currently (16:00GMT), signatures are not yet available.

UPDATED (17:00GMT):
- Signatures are starting to come out, identifying this as MyDoom.O, MyDoom.P or Evaman.C
- It appears that this may only work on Win2K and WinXP machines because the executable requires psapi.dll.
- Copies itself to the Windows system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

UPDATED (17:30GMT) - *BETA* Snort Sigs:

UPDATED (17:40GMT) - *BETA #2* Snort Sigs:

UPDATED (19:30GMT) - *BETA #3* Snort Sigs:
Targets Yahoo's people search: http://email.people.yahoo.com:80/py/psSearch.py?

NEW (1700GMT) - Example packet capture:
Message subjects (?):
  SN: New secure mail
  Secure delivery
  failed transaction
  Re: hello (Secure-Mail)
  Re: Extended Mail
  Delivery Status (Secure)
  Re: Server Reply
  SN: Server Status

Message body contains (?):
  Automatically Secure Delivery: for
  Mail Delivery Server System: for
  Extended secure mail message available at:
  Secure Mail Server Notification: for
  New mail secure method implement: for
  New policy requested by mail server to returned mail as a secure compiled attachment (Zip).
  Now a new message is available as secure Zip file format. Due to new policies on clients.
  This message is available as a secure Zip file format due to a new security policy.
  For security measures this message has been packed as Zip format. This is a newly added security feature.
  New policy recommends to enclose all messages as Zip format. Your message is available in this server notice.
  You have received a message that implements secure delivery technology. Message available as a secure Zip file.
  This message is an automatically server notice from Administration at
  Server Notice: New security feature added. MSG:ID: 455sec86
  New feature added for security reasons
  Automatically server notice:, Server reply from
  New service policy for security added from

The executable contains the following names that are used to search Yahoo:
Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, Allison, Monique, Summers, Cortez, Barton, Deleon, Harrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, Leonard, Barker, Norris.

-------------------------------------------------------
Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
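As an added example, not part of the diary or the Handlers' analysis: a mail-gateway style check that matches one message against the lure indicators reported above (known subjects, distinctive body phrases, and a .zip attachment). The two sample messages it builds are constructed for the demonstration, and the function and sender names are my own.

```python
# Added example, not part of the ISC diary: match one mail message against the
# MyDoom.O lure indicators reported above (subjects, body phrases, Zip attachment).
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "SN: New secure mail", "Secure delivery", "failed transaction",
    "Re: hello (Secure-Mail)", "Re: Extended Mail", "Delivery Status (Secure)",
    "Re: Server Reply", "SN: Server Status",
}
# Distinctive fragments of the reported body texts, compared case-insensitively.
BODY_PHRASES = (
    "automatically secure delivery:", "mail delivery server system:",
    "extended secure mail message available at:", "secure mail server notification:",
    "new mail secure method implement:", "secure compiled attachment (zip)",
    "secure zip file format", "packed as zip format", "enclose all messages as zip format",
    "message available as a secure zip file", "server notice: new security feature added",
    "automatically server notice", "new service policy for security added from",
)

def mydoom_o_indicators(raw: bytes) -> list:
    """Return the lure indicators present in one RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("known-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("known-body-phrase")
    # The worm arrived as a Zip attachment, so any .zip part adds weight to the verdict.
    if any((p.get_filename() or "").lower().endswith(".zip") for p in msg.iter_attachments()):
        hits.append("zip-attachment")
    return hits

def build_sample(lure: bool) -> bytes:
    """Constructed test message: a lure modelled on the reported texts, or a benign mail."""
    m = EmailMessage()
    m["From"] = "admin@example.invalid"  # placeholder sender, not a real indicator
    m["To"] = "user@example.invalid"
    if lure:
        m["Subject"] = "Delivery Status (Secure)"
        m.set_content("This message is available as a secure Zip file format due to a new security policy.")
        m.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                         maintype="application", subtype="zip", filename="message.zip")
    else:
        m["Subject"] = "Lunch on Friday?"
        m.set_content("Can you make it at noon?")
    return m.as_bytes()
```

A real deployment would feed raw messages from the MTA into mydoom_o_indicators and quarantine anything scoring on more than one indicator, since the subject list alone also matches legitimate bounce-style mail.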
Tom | 160 Posts | Aug 4th 2004