
SANS ISC: New Mydoom / Hurricanes - Internet Security | DShield SANS ISC InfoSec Forums


New Mydoom / Hurricanes
The Next Version of MyDoom


Chris Mosby alerted us to the latest strain of MyDoom.


The newest MyDoom variant ...

* contains its own SMTP engine for constructing messages

* harvests target email addresses from the victim machine

* forges the From: header of outgoing messages

* downloads BackDoor-CEB.c over HTTP


After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\winspf.exe

Additionally, it copies itself to

* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe
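A host check for the persistence artifacts listed above, added here as an example and not part of the ISC diary: it matches the "WinSPF" Run value, the winspf.exe / WINSPF32.EXE copy in System32 (the diary gives both spellings) and rx32hh00.exe in the Startup folder. The live collector assumes the winreg module on Windows and also checks the current user's Startup folder, which the diary does not mention.

```python
"""Check a Windows host for the persistence artifacts this diary attributes
to the MyDoom variant. Added example; not code from the ISC diary."""
import ntpath
import os
import sys

# Indicators taken from the diary text (compared case-insensitively).
RUN_VALUE_NAME = "winspf"                        # value under HKLM\...\Run
RUN_VALUE_TARGET = "winspf.exe"                  # what that value points to
SYSTEM32_NAMES = {"winspf32.exe", "winspf.exe"}  # dropped copy, either spelling
STARTUP_NAME = "rx32hh00.exe"                    # copy in the Startup folder

def match_artifacts(run_values, system32_files, startup_files):
    """Pure matcher over already-collected state, so it can be unit-tested
    on any OS. run_values maps Run value name -> data. Returns findings."""
    findings = []
    for name, data in run_values.items():
        if (name.lower() == RUN_VALUE_NAME
                or ntpath.basename(data).lower() == RUN_VALUE_TARGET):
            findings.append(f"Run value {name!r} -> {data}")
    findings += [f"System32 copy: {f}" for f in system32_files
                 if f.lower() in SYSTEM32_NAMES]
    findings += [f"Startup folder copy: {f}" for f in startup_files
                 if f.lower() == STARTUP_NAME]
    return findings

def collect_windows_state():
    """Read the live Run key and folders (Windows only; uses winreg). The diary
    saw the Startup copy in the Administrator profile; the current user's
    profile is checked too (an assumption, not from the diary)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    run = {}
    for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
        name, data, _ = winreg.EnumValue(key, i)
        run[name] = str(data)
    sys32 = os.listdir(os.path.join(os.environ.get("WINDIR", r"C:\WINNT"), "System32"))
    startup_dirs = [r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup",
                    os.path.join(os.environ.get("USERPROFILE", ""), "Start Menu", "Programs", "Startup")]
    startup = [f for d in startup_dirs if os.path.isdir(d) for f in os.listdir(d)]
    return run, sys32, startup

if __name__ == "__main__" and sys.platform == "win32":  # live check on a Windows host
    print(match_artifacts(*collect_windows_state()) or "no MyDoom artifacts found")
```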

It tries to download BackDoor-CEB.c from these sites:



Full descriptions are available at:

http://vil.nai.com/vil/content/v_128346.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.s@mm.html
http://www.f-secure.com/v-descs/mydoom_u.shtml



Hurricanes



On behalf of the ISC, I'd like to extend our sympathy for those who have suffered a loss as a result of Hurricanes Charley and Frances.


While some of us have been personally inconvenienced, worried about the safety of friends and loved ones or suffered minor losses, when compared to the devastation in some parts of Florida and the Caribbean it becomes very easy to put things into perspective.

If you have any interesting perspectives on how your company protects its systems from attack specifically before/during/after a natural disaster (like a hurricane or earthquake), drop us a note.
Chris
