[Intrusions] MyDoom.M/O Registration Process
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Wed Jul 28 13:13:07 GMT 2004
Another piece of the puzzle that might be of interest. Our IT Desktop
Support was given the compromised system to remove any and all malware
before reconnecting it to the network. This was a two-day effort as they
discovered that it was still infected.
This allowed me to find in one of my Squid access logs that the system had
downloaded the following files from the http://iefeadsl.com/x/ directory.
bl.dat
dict.dat
keywords.dat
feat2.dll
mshp.dll
service.exe
The "system" is, actually, three different physical systems. Regardless
of which system you access, the Apache server returns a permissions error
if you attempt to access anything except the above files.
Trend Micro associates the above files with a series of "trojan agents"
that were first detected in late June 2004.
Merton Campbell Crockett
On Tue, 27 Jul 2004, Fitton, Robert (Bob) wrote:
> I observed the same phenomenon internally: infected machines on
> different VLANs were attempting to reach each other on tcp 1034 (but
> being blocked by inter-VLAN access lists). How did they learn about
> each other? Port 1034 is NOT open either incoming or outgoing through
> the firewalls.
>
> Bob Fitton
> Labor Ready, Inc.
> Tacoma, WA
>
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Merton Campbell
> Crockett
> Sent: Monday, July 26, 2004 5:52 PM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] MyDoom.M/O Registration Process
>
>
> One of our systems was compromised by the MyDoom.M/O worm today. The
> system has been disconnected from the network while IT attempts to
> remove the worm from the system.
>
> The system has been disconnected from the network for 7 hours. I am
> still seeing external systems attempting to establish connections to the
> compromised system.
>
> Has anyone identified the mechanism by which the system "registers" that
> it is available for use and can be accessed on TCP port 1034?
>
> Merton Campbell Crockett
>
>
>
--
BEGIN: vcard
VERSION: 3.0
FN: Merton Campbell Crockett
ORG: General Dynamics Advanced Information Systems;
Intelligence and Exploitation Systems
N: Crockett;Merton;Campbell
EMAIL;TYPE=internet: mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref: +1(805)497-5045
TEL;TYPE=work,fax: +1(805)497-5050
TEL;TYPE=cell,voice,msg: +1(805)377-6762
END: vcard
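The Squid access-log check described in the post above, as an added example that is not part of the original message or thread: it scans native-format Squid access.log lines for successful fetches of the six files from the http://iefeadsl.com/x/ directory named in the post, and separately reports every client that contacted that host at all (the post notes the server answers anything else with a permissions error, so a 403 there is still a sign of contact). The log lines embedded in the script are constructed samples, not traffic from the poster's proxy, and the native Squid field layout (timestamp, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type) is assumed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators taken from the list post: the download directory and the file names.
IOC_HOST = "iefeadsl.com"
IOC_PATH_PREFIX = "/x/"
IOC_FILES = {"bl.dat", "dict.dat", "keywords.dat", "feat2.dll", "mshp.dll", "service.exe"}

# Constructed sample lines in Squid "native" access.log format (not real traffic):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1090500001.123    245 10.1.2.3 TCP_MISS/200 51234 GET http://iefeadsl.com/x/service.exe - DIRECT/192.0.2.10 application/octet-stream
1090500002.456     80 10.1.2.3 TCP_MISS/200  4096 GET http://iefeadsl.com/x/keywords.dat - DIRECT/192.0.2.10 application/octet-stream
1090500003.789     30 10.1.2.3 TCP_MISS/403   512 GET http://iefeadsl.com/x/other.txt - DIRECT/192.0.2.10 text/html
1090500004.000    120 10.1.2.9 TCP_HIT/200 20480 GET http://www.example.com/index.html - NONE/- text/html
1090500005.000    200 10.1.2.4 TCP_MISS/200  8192 GET http://iefeadsl.com/x/mshp.dll - DIRECT/192.0.2.11 application/octet-stream
1090500006.000     25 10.1.2.5 TCP_MISS/403   512 GET http://iefeadsl.com/x/ - DIRECT/192.0.2.12 text/html
"""


def parse_squid_line(line):
    """Parse one native-format Squid access.log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "client": fields[2],
        "code": code,
        "status": int(status) if status.isdigit() else None,
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def matches_ioc(entry):
    """True if the request is for one of the listed files under the listed directory."""
    parts = urlsplit(entry["url"])
    if parts.hostname != IOC_HOST or not parts.path.startswith(IOC_PATH_PREFIX):
        return False
    return parts.path[len(IOC_PATH_PREFIX):] in IOC_FILES


def find_ioc_downloads(log_text):
    """Return {client_ip: [file names]} for clients that fetched an indicator file with HTTP 200."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry is None or entry["status"] != 200 or not matches_ioc(entry):
            continue
        name = urlsplit(entry["url"]).path.rsplit("/", 1)[-1]
        hits.setdefault(entry["client"], []).append(name)
    return hits


def find_host_contacts(log_text):
    """Return the set of clients that requested anything from the indicator host, whatever the status."""
    contacts = set()
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry is not None and urlsplit(entry["url"]).hostname == IOC_HOST:
            contacts.add(entry["client"])
    return contacts


if __name__ == "__main__":
    for client, files in sorted(find_ioc_downloads(SAMPLE_LOG).items()):
        print(f"{client} downloaded: {', '.join(files)}")
    for client in sorted(find_host_contacts(SAMPLE_LOG)):
        print(f"{client} contacted {IOC_HOST}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's contents; clients in the download list are candidates for the same two-day cleanup the post describes, while clients that only appear in the contact set still warrant a look, since the post says the server refuses everything outside the six files.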