The Next Version of MyDoom
Chris Mosby alerted us to the latest strain of MyDoom. The newest MyDoom variant ...

* contains its own SMTP engine for constructing messages
* harvests target email addresses from the victim machine
* forges the From: header of outgoing messages
* downloads BackDoor-CEB.c over HTTP

After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\winspf.exe

Additionally, it copies itself to

* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe

It tries to download BackDoor-CEB.c from these sites:

http://www.llc.unibo.it/
http://www.surrenderzeeland.nl/
http://www.mercyships.de/
http://www.hiw.kuleuven.ac.be/
http://www.ach.ch/
http://vugs.geog.uu.nl/
http://www.planetboredom.net/
http://guttorm.hveem.no/

Full descriptions are available at:

http://vil.nai.com/vil/content/v_128346.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.s@mm.html
http://www.f-secure.com/v-descs/mydoom_u.shtml

Hurricanes

On behalf of the ISC, I'd like to extend our sympathy to those who have suffered a loss as a result of Hurricanes Charley and Frances. While some of us have been personally inconvenienced, worried about the safety of friends and loved ones, or suffered minor losses, when compared to the devastation in some parts of Florida and the Caribbean it becomes very easy to put things into perspective. If you have any interesting perspectives on how your company protects its systems from attack, specifically before/during/after a natural disaster (like a hurricane or earthquake), drop us a note.
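The indicators in the MyDoom description above (the "WinSPF" Run key value, the dropped file names WINSPF32.EXE, winspf.exe and rx32hh00.exe, and the eight download hosts) are the kind of thing a defender sweeps for across exported host data rather than checking one box by hand. The Python script below is an added example written for this page; it is not code from the ISC diary or from any of the linked AV vendors. It assumes three constructed inputs: a .reg export of the HKLM Run key (the format `reg export` produces), a list of file paths gathered from a host, and proxy log lines in a hypothetical "client timestamp url status" layout; the sample data embedded in it is made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the diary entry above (the worm's Run key value,
# the file names it drops, and the hosts it tries to fetch BackDoor-CEB.c from).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinSPF"
DROPPED_FILENAMES = {"winspf32.exe", "winspf.exe", "rx32hh00.exe"}
DOWNLOAD_HOSTS = {
    "www.llc.unibo.it", "www.surrenderzeeland.nl", "www.mercyships.de",
    "www.hiw.kuleuven.ac.be", "www.ach.ch", "vugs.geog.uu.nl",
    "www.planetboredom.net", "guttorm.hveem.no",
}

# A .reg value line looks like: "Name"="data"
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def _basename(path):
    """Last path component, Windows or POSIX separators, surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()


def check_reg_export(reg_text):
    """Scan a .reg export and return suspicious (value_name, data) pairs
    found under the HKLM Run key: either the known value name or a known file."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name = m.group(1)
        data = m.group(2).replace("\\\\", "\\")  # .reg files escape backslashes
        if name.lower() == RUN_VALUE_NAME.lower() or _basename(data) in DROPPED_FILENAMES:
            findings.append((name, data))
    return findings


def check_file_list(paths):
    """Return the paths whose file name matches one of the dropped files."""
    return [p for p in paths if _basename(p) in DROPPED_FILENAMES]


def check_proxy_log(log_lines):
    """Return (client, url) for requests to the listed download hosts.
    Assumes one request per line as 'client timestamp url status'
    (a constructed layout, not any particular proxy's format)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        host = urlparse(url).hostname
        if host and host.lower() in DOWNLOAD_HOSTS:
            hits.append((client, url))
    return hits


def sweep(reg_text, paths, log_lines):
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "run_key": check_reg_export(reg_text),
        "files": check_file_list(paths),
        "downloads": check_proxy_log(log_lines),
    }


# --- constructed sample input for the demonstration, not real host data ---
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BenignTrayApp"="C:\\Program Files\\Benign\\tray.exe"
"WinSPF"="C:\\WINNT\\System32\\winspf.exe"
"""

SAMPLE_PATHS = [
    r"C:\WINNT\system32\WINSPF32.EXE",
    r"C:\WINNT\system32\notepad.exe",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe",
]

SAMPLE_PROXY_LOG = [
    "10.0.0.5 [14/Sep/2004:10:01:02] http://www.example.com/ 200",
    "10.0.0.5 [14/Sep/2004:10:01:09] http://www.ach.ch/ 200",
    "10.0.0.7 [14/Sep/2004:10:02:15] http://guttorm.hveem.no/ 404",
]

if __name__ == "__main__":
    for kind, hits in sweep(SAMPLE_REG_EXPORT, SAMPLE_PATHS, SAMPLE_PROXY_LOG).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The Run key check matches on both the value name and the launched file name, because the diary gives two spellings for the dropped executable (WINSPF32.EXE on disk, winspf.exe in the registry data) and a sweep should catch either. The download hosts in the diary appear to be ordinary third-party web servers, so a proxy hit on one of them is a lead to confirm with the file and registry checks, not proof of infection on its own.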
Chris, Sep 14th 2004