[Dshield] MyDoom-A/B

jayjwa jayjwa at atr2.ath.cx
Tue Feb 3 11:09:36 GMT 2004

On Mon, 2 Feb 2004, Kenneth Coney wrote:

>  Or did the virus somehow repair the timing bug
> (perhaps by receiving instructions over the opened ports)?

That's crazy.

> Swen mailings to my machines have virtually stopped.  The AV logs show I

You can have the two copies I just got. Cleared the access.db (stops spam
and such) for only several hours, and planet.nl sent me two copies.
Win32.Swen is dying due to several reasons I believe: Free email carriers
(usually a large infection vector for mass-mailers) such as Hotmail now
auto-block Swen; Win32.Swen's bogus "Patch" screen has appeared on many AV
sites and elsewhere- people know what Swen looks like, so even if they
know nothing else, they automatically think "virus: bad".

> This My Doom thing spread so fast I am suspicious of the ease with which it
> spread.  I find it hard to believe that each and every infection point has
> come from some idiot opening a .scr, or other, attachment from an unknown
> person.  Not in 2004.  By now every one online over the age of 5 knows that
> is a good way to get an infection in their PC.

But sadly, time and time again they do, they open attachments, execute
things like "readme.exe". Or fall prey to tricks like the one utilized in the
last virus "myphoto.jpg                               .exe" (notice
spaces, that's still an executable).

Now Win32.MyDoom.B is a strange case. I've yet to receive this virus in
the mail as was intended. If you've followed the "Full-Disclosure"
lists, you'll see that variant B has become somewhat of a collector's
item- something to obtain and attempt to "overcome" with home-analysis &
disassembly. I was amazed at the number of self-proclaimed "researchers".
So yes, MyDoom.B is spreading- not like the author pictured it would!

> initially more plausible, at least to those who had registered their PC
> with MS and didn't know MS emails nothing), or similar viruses (Gibe,
> received new instructions through their already open servers and that these
> Swen infected machines played a pivotal role in the spreading of My Doom by
> functioning as command driven infection originators?

To my knowledge, no virus has yet to successfully receive instructions from
another virus designed to allow that virus to better spread. Viruses, for
all their mystery, are only programs, not living, reasoning things. While
it may be technically possible for a virus to search out its environment
and interact with another virus already installed (or even rootkit?)
there to further its own infections, this approach to replication would
involve significant amounts of AI, and in doing so would result in a very
large and unwieldy virus better suited for POC code than an actual,
in-the-wild intended virus.
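The padded-extension trick mentioned earlier in the message ("myphoto.jpg   ...   .exe") is easy to flag at a mail gateway. The following is an added example, not code from the post or the list; the attachment names and the executable-extension set are constructed for illustration.

```python
import re

# Constructed sample attachment names. The first one mimics the trick
# quoted in the message: whitespace padding pushes the real ".exe"
# extension out of view in a narrow attachment column.
SAMPLE_ATTACHMENTS = [
    "myphoto.jpg                               .exe",
    "readme.exe",
    "holiday.jpg",
    "report.pdf.scr",
    "notes.txt",
]

# Assumption: a small illustrative set of extensions Windows executes directly.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def real_extension(filename: str) -> str:
    """Extension the OS actually honours: text after the LAST dot,
    whitespace stripped and lower-cased, regardless of what the name
    looks like at a glance."""
    _, _, ext = filename.rstrip().rpartition(".")
    return ext.strip().lower()


def classify_attachment(filename: str) -> str:
    """Return one of: 'ok', 'executable', 'double-extension',
    'padded-executable'. Only the last three warrant blocking or review."""
    ext = real_extension(filename)
    if ext not in EXECUTABLE_EXTENSIONS:
        return "ok"
    stem, _, _ = filename.rstrip().rpartition(".")
    # Whitespace before the final dot is the padding trick: nothing
    # legitimate ends a file stem with a run of spaces or tabs.
    if re.search(r"\s+$", stem):
        return "padded-executable"
    # A second dot in the stem means a decoy extension such as ".pdf.scr".
    if "." in stem:
        return "double-extension"
    return "executable"


def scan(filenames):
    """Map each attachment name to its verdict, for logging or quarantine."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:18s} {name!r}")
```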


