[Dshield] MyDoom-A/B

Kenneth Coney superc at visuallink.com
Mon Feb 2 16:39:52 GMT 2004


There are some problems with the My Doom stories.  Something smells.  Here 
is what MSNBC has reported about SCO's My Doom related difficulties. 
http://msnbc.msn.com/id/4113278/  "Hundreds of thousands computers bore 
down on the SCO Group's home page, hitting the Web site with a deluge of 
traffic that quickly overwhelmed it."

Strange, I thought I read here in this very thread that the mass mailings 
by My Doom couldn't happen, due to a timing bug.  So what happened?  Was 
the analysis completely and totally wrong?  Or, did the attack reported by 
SCO ever even happen?  Or did the virus somehow repair the timing bug 
(perhaps by receiving instructions over the opened ports)?

There are other issues.

Swen mailings to my machines have virtually stopped.  The AV logs show I 
have gone from an average of 30 or so received every day two weeks ago to 
three (3) a day.  Replacing W32.Swen.A@mm is W32.Mimail.I@mm, W32.Mimail.S@mm, 
and of course W32.Novarg.A@mm (aka My Doom type A).  What happened to the 
Swen?  Does My Doom automatically stop and replace the Swen?

This My Doom thing spread so fast I am suspicious of the ease with which it 
spread.  I find it hard to believe that each and every infection point has 
come from some idiot opening a .scr, or other, attachment from an unknown 
person.  Not in 2004.  By now everyone online over the age of 5 knows that 
is a good way to get an infection in their PC.  Are we to believe that a 
hundred thousand 4 year olds were at the keyboard when the first infections 
emerged?  Let's instead go back to the Swen infections for a possible 
explanation.  Is it not more probable to suspect that many of the computers 
previously infected with Swen (a more psychologically understandable 
infection as it pretended to be an update from MS and was therefore 
initially more plausible, at least to those who had registered their PC 
with MS and didn't know MS emails nothing), or similar viruses (Gibe, etc.) 
received new instructions through their already open servers and that these 
Swen infected machines played a pivotal role in the spreading of My Doom by 
functioning as command driven infection originators?  Proving or 
disproving this will be fun.  Perhaps the best proof is the decline in Swen 
mailings?
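The poster's evidence above is a drop in daily Swen detections alongside a rise in Novarg/Mimail detections in his AV logs. The script below is an added example, not part of the original post, showing how a defender would pull that kind of per-family trend out of AV logs instead of eyeballing it: it parses detection lines, counts hits per family per day, averages over an earlier and a later window, and labels each family as declining, rising or steady. The log format (one "DETECTED <family>" line per hit with a leading timestamp) and the sample lines are constructed for the example; the family names are the ones mentioned in the post.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample AV log lines (assumed format, not real product output).
SAMPLE_LOG = """\
2004-01-19 08:02:11 DETECTED W32.Swen.A@mm attachment=install.exe
2004-01-19 09:14:37 DETECTED W32.Swen.A@mm attachment=patch.exe
2004-01-19 17:45:02 DETECTED W32.Swen.A@mm attachment=update.exe
2004-01-20 07:31:55 DETECTED W32.Swen.A@mm attachment=q331829.exe
2004-01-20 11:03:20 DETECTED W32.Swen.A@mm attachment=upgrade.exe
2004-01-20 20:12:48 INFO scan complete, 0 threats
2004-01-28 06:40:09 DETECTED W32.Novarg.A@mm attachment=document.scr
2004-01-28 06:41:33 DETECTED W32.Novarg.A@mm attachment=body.zip
2004-01-28 13:22:01 DETECTED W32.Swen.A@mm attachment=patch.exe
2004-01-29 02:05:17 DETECTED W32.Novarg.A@mm attachment=readme.pif
2004-01-29 08:58:44 DETECTED W32.Novarg.A@mm attachment=data.scr
2004-01-29 15:10:26 DETECTED W32.Mimail.I@mm attachment=photos.zip
"""

# Assumed line layout: "YYYY-MM-DD HH:MM:SS DETECTED <family> ..."
LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} DETECTED (\S+)")


def parse_detections(text):
    """Yield (day, family) for every DETECTED line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            y, mo, d, family = m.groups()
            yield date(int(y), int(mo), int(d)), family


def daily_counts(text):
    """Return {family: {day: hits}} built from the log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, family in parse_detections(text):
        counts[family][day] += 1
    return counts


def days_between(start, end):
    """Inclusive list of calendar days, so quiet days count as zero hits."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def average_per_day(per_day, window):
    """Mean hits per day across the window, treating missing days as 0."""
    return sum(per_day.get(d, 0) for d in window) / len(window)


def family_trends(counts, early_window, late_window):
    """Return {family: (early_avg, late_avg)} for the two comparison windows."""
    return {
        fam: (average_per_day(per_day, early_window),
              average_per_day(per_day, late_window))
        for fam, per_day in counts.items()
    }


def classify(trends, factor=2.0):
    """Label a family 'declining' if its rate fell by at least `factor`,
    'rising' if it grew by at least `factor` (or appeared from nothing),
    otherwise 'steady'."""
    labels = {}
    for fam, (early, late) in trends.items():
        if early > 0 and late * factor <= early:
            labels[fam] = "declining"
        elif late > 0 and early * factor <= late:
            labels[fam] = "rising"
        else:
            labels[fam] = "steady"
    return labels


# Two-day windows chosen to match the constructed log; in practice use
# a week or more on each side so a single quiet day does not dominate.
EARLY_WINDOW = days_between(date(2004, 1, 19), date(2004, 1, 20))
LATE_WINDOW = days_between(date(2004, 1, 28), date(2004, 1, 29))


def trend_report(text=SAMPLE_LOG):
    """Run the whole pipeline and return (trends, labels)."""
    trends = family_trends(daily_counts(text), EARLY_WINDOW, LATE_WINDOW)
    return trends, classify(trends)


if __name__ == "__main__":
    trends, labels = trend_report()
    for fam in sorted(trends):
        early, late = trends[fam]
        print(f"{fam:20s} early={early:.1f}/day late={late:.1f}/day {labels[fam]}")
```

On the sample data Swen goes from 2.5 to 0.5 hits per day and is labelled declining, while Novarg and Mimail appear only in the later window and are labelled rising; that is the shape the post describes, and a correlation in one mailbox's counts is all this shows. It says nothing about whether one worm's hosts were used to seed the other, which would need evidence from the infected machines themselves rather than from mail volume.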