[Dshield] MyDoom-A/B

Kenneth Coney superc at visuallink.com
Mon Feb 2 23:35:56 GMT 2004

Lacking relevant logs and a confession, it would be hard to show.  New 
instructions with an embedded countdown to launch could have been sent to 
Swen-infected PCs days before My Doom began spreading.  The only way of 
checking is to examine a PC known to have previously been infected with 
Swen, which was allowed to sit on the net and do its thing, and to see if 
it is now magically spreading My Doom instead.  (Anyone have such?) 
Likewise, careful forensic examination of a dozen or so My Doom-infected 
machines for telltale traces of prior Swen or other infections might do 
it.  Normally when we disinfect a machine we just run the patches and don't 
look for what other files used to be on the machine once the virus we know 
about is killed.  However, even erased files will leave traces which can be 
found if anyone is looking for them.

As stated, this thing spread too fast.  Faster than Blaster.  If you want 
to walk down the halls of paranoia, how do we know the infection wasn't 
first spread weeks ago in an otherwise innocuous update or patch for a 
common program?  Most of us who stay updated pull in 2 to 8 megabytes of 
patches and updates a week (TDS, Norton, McAfee, MS, Lavasoft, Quicken, 
etc.).  Many of the updates do not contain details as to exactly what is in 
those 360K byte uploads, so we trust.  The good news is not too many 
security professionals are reporting their own machines are My Doom 
infected, so it probably wasn't spread with a security patch.  Can we get a 
survey of users of My Doom-infected machines?  What are the commonalities? 
Do they all admit to stupidly opening an .scr attachment on the first day? 
What other software (besides Win) is on their machines?  What (if any) 
software auto-updates?

Subject: Re: [Dshield] MyDoom-A/B
From: Pete Cap <peteoutside at yahoo.com>
Date: Mon, 2 Feb 2004 12:13:53 -0800 (PST)
To: General DShield Discussion List <list at dshield.org>
Interesting theory...it makes sense!  But how could you go about 
investigating it?

I also believe that the MyDoom spread/etc. is wholly suspect...but then, I 
have a conspiratorial mind.
