[Dshield] FW: New MiMail variant is DDoS'ing SCO.com

Jim Clausing jim.clausing at acm.org
Tue Jan 27 00:25:23 GMT 2004


	Anyone have more info on the DDoS of sco.com?  This is the first I 
noticed mention of that.

On or about Mon, 26 Jan 2004, tlarholm at pivx.com pontificated thusly:

> 
> 
> -----Original Message-----
> From: Thor Larholm 
> Sent: Monday, January 26, 2004 4:04 PM
> To: 'bugtraq at securityfocus.com'
> Cc: 'ntbugtraq at listserv.ntbugtraq.com'
> Subject: New MiMail variant is DDoS'ing SCO.com
> 
> 
> MiMail.R, also known as W32/Mydoom at MM (McAfee), Novarg (F-Secure),
> W32.Novarg.A at mm (Symantec), Win32.Mydoom.A (CA) and Win32/Shimg (CA), is
> a polymorphic variant that collects/spams/forges email addresses using
> its own SMTP engine, installs a backdoor (most likely for use by
> spammers) and engages in a DDoS attack against SCO.com by routinely
> sending 63 HTTP requests. It's sent as a ZIP attachment containing an
> executable file with the file extension masked by numerous spaces.
> 
> McAfee is calling this a High Outbreak worm, which definitely fits the
> bill according to the number of samples we are receiving.
> 
> Is the SCO.com DDoS an attempt at distraction from the fact that this
> virus installs a proxy backdoor?
> 
> CA used to have a removal tool at
> 
> http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip
> 
> but it's no longer available.
> 
> More information:
> 
> http://us.mcafee.com/virusInfo/default.asp?id=mydoom
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
> http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
> http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593
> 
> 
> 
> Regards
> 
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor at pivx.com
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
> 
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net> 
> 
> 
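
Added example, not part of the original posts: a defender-side check for the masking described in the quoted advisory, where a ZIP member's executable extension is pushed out of view by a run of spaces. The extension list, the padding threshold, and the sample file names are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions Windows will run directly (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Whitespace run long enough to hide the real extension in a file listing;
# the threshold is an assumption, tune it for your own mail flow.
MIN_PAD = 5
PADDED = re.compile(
    r"^(?P<shown>.*?\S)(?P<pad>\s{%d,})\.(?P<ext>[^.\s]+)$" % MIN_PAD
)


def masked_executables(zip_bytes):
    """Return (visible_name, real_extension, pad_length) per suspicious member."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            base = info.filename.rsplit("/", 1)[-1]  # ignore directory part
            match = PADDED.match(base)
            if match and match.group("ext").lower() in EXECUTABLE_EXTS:
                hits.append((match.group("shown"),
                             match.group("ext").lower(),
                             len(match.group("pad"))))
    return hits


def build_sample_zip(names):
    """Build an in-memory ZIP of harmless text members (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, "placeholder, not executable content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "document.txt" + " " * 60 + ".scr",  # masked: displays as document.txt
        "readme.txt",                         # plain text, not flagged
        "setup.exe",                          # executable but not masked
    ])
    for shown, ext, pad in masked_executables(sample):
        print(f"masked .{ext} shown as {shown!r} ({pad} spaces of padding)")
```

A mail gateway would call `masked_executables` on each ZIP attachment and quarantine the message when the list is non-empty.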



