[Dshield] MyDoom.F

jayjwa jayjwa at atr2.ath.cx
Wed Feb 25 06:41:38 GMT 2004



On Tue, 24 Feb 2004, Paul Marsh wrote:

> Subject: [Dshield] MyDoom.F
>
> Is anyone else noticing a surge in MyDoom.F's?
> Symantec had it rated as a 2 last Friday (20th) with discovered date of
> 2/20 and a protection 2/23, I guess they were taking the weekend off ;)
> Now this morning it jumps to a 3.

I finally got my copy last night. I believe even more strongly in the "template
or virus-generator" theory. This one is almost a carbon copy of the others,
except for a few minor details, and the big "Irony", made by jxq7==-.
signature. The broken English in it and the overall form makes me think
that in a few weeks/months a new virus-making tool will be discovered
somewhere around ru, ro, cz, pl, or it, because this looks too cut & paste
to be anything but. (Notice the headers sent with the GET request to the
targeted sites.) F-prot didn't detect it the night I got it, with that
day's updates, but by today's it does (as long as the worm stays packed;
unpack it and it misses it again).

What I want to know is this: why do the AV companies keep naming them
"MyDoom"?? At no place in any of these worms does it say "MyDoom". I've
seen a "sync-1.00", an "Irony" and a few other interesting strings, but no
mydoom's. What's the standard or format for naming these things, or do
they just pull something out of the air and start appending letters of the
alphabet to it until they get to F?


-- 
=============================================
%jayjwa%  RLF#37    "Gnu for ALL. SCO Never."
PGP Key-Fetch: B628B851
   Jung xvaqn jnpxb qrpbqrf ebg13 sebz fvtf ?
---------------------------------------------