[Dshield] MyDoom/NoVarg DoS details

Pete Cap peteoutside at yahoo.com
Tue Jan 27 23:03:30 GMT 2004

I read that the worm listens on TCP 3127-3198.
Checked out a few of those ports on DShield and noticed that a few of them exhibit the same behavior: generally pretty quiet, enormous spikes, then back to being quiet.  A few of those ports a very noisy, but obviously you see where I'm going with this...is the author scanning for infected machines?  Would be interesting to see if we could capture that traffic and try to get the worm to respond to it.
In your lab, have you tried communicating with it on the ports it's supposed to open (basic syns etc.)?

"Johannes B. Ullrich" <jullrich at sans.org> wrote:
On Tue, 2004-01-27 at 15:30, Eric Hines wrote:
> Does anyone here have any details on the type of Denial of Service attack that 
> MyDoom/Novarg launches against SCO.COM in Feb? What solutions if any are 
> recommended for this date, a null route? Is it just outbound port 80 SYN floods?

I haven't been able to trigger the sco.com attack yet in my lab.
However, the virus includes these strings:

GET / HTTP/1.1
Host: www.sco.com

suggesting that it will try to issue a full request.

CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm

> ATTACHMENT part 1.2 application/pgp-signature name=signature.asc
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!

More information about the list mailing list