[Dshield] Re: MyDoom.B Surfacing!

Eric Hines eric.hines at appliedwatch.com
Wed Jan 28 18:34:35 GMT 2004


Just a few differences with MyDoom.b

- Rewritten to target the DDoS at microsoft.com

- Creates %SysDir%\explorer.exe

- Creates %SysDir%\ctfmon.dll (6,144 bytes)

- Creates Registry Key: HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

- Creates Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Explorer" = %SysDir%\explorer.exe


-------------------------------------------
Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines at appliedwatch.com
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------



Quoting Eric Hines <eric.hines at appliedwatch.com>:

> All,
> 
> MyDoom B is surfacing.
> 
> http://vil.nai.com/vil/content/v_100988.htm
> 
> 
> 
> -------------------------------------------
> Eric Hines
> CEO, Chairman
> Applied Watch Technologies, Inc.
> web: http://www.appliedwatch.com
> email: eric.hines at appliedwatch.com
> -------------------------------------------
> Direct: (877) 262-7593 - Toll Free x327
> Fax: (815) 425-2173
> General: (877) 262-7593 (9am-5pm CST)
> -------------------------------------------
> 
> 
> 
> Quoting David Hoelzer <dhoelzer at cyber-defense.org>:
> 
> > Yes.  I've received all of the variations.
> > 
> > On Jan 27, 2004, at 5:32 PM, Smith, Donald wrote:
> > 
> > > Has anyone seen a zip that had a file other than pif in it?
> > > Symantec states it can be exe, com, pif, or scr but all I have seen so
> > > far is pif.
> > >
> > >
> > > -----Original Message-----
> > > From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> > > Sent: Tuesday, January 27, 2004 2:55 PM
> > > To: General DShield Discussion List
> > > Cc: intrusions at incidents.org
> > > Subject: Re: [Dshield] MyDoom/NoVarg DoS details
> > >
> > >
> > > On Tue, 2004-01-27 at 15:30, Eric Hines wrote:
> > >> Does anyone here have any details on the type of Denial of Service
> > >> attack that MyDoom/Novarg launches against SCO.COM in Feb? What solutions
> > >> if any are recommended for this date, a null route? Is it just outbound
> > >> port 80 SYN floods?
> > >
> > > I haven't been able to trigger the sco.com attack yet in my lab.
> > > However, the virus includes these strings:
> > >
> > > GET / HTTP/1.1
> > > Host: www.sco.com
> > >
> > > suggesting that it will try to issue a full request.
> > >
> > >
> > >
> > >
> > > -- 
> > > CTO SANS Internet Storm Center               http://isc.sans.org
> > > phone: (617) 837 2807                          jullrich at sans.org
> > >
> > > contact details: http://johannes.homepc.org/contact.htm
> > >
> > 
> 
> 
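Added here as an editor's example, not code from the list or from any poster: a small Python checker that looks for the MyDoom.B persistence entries and dropped files listed at the top of this message, reading a `reg export`-style text and a directory listing. The sample registry export, the directory listing and its file sizes (other than the 6,144-byte ctfmon.dll from the message) are constructed; `C:\WINDOWS\system32` is assumed as the expanded %SysDir%; and the observation that the legitimate explorer.exe lives in %WinDir% rather than %SysDir%, and that Windows installs ctfmon.exe rather than a ctfmon.dll, is the editor's, not the poster's.

```python
import re

# Indicators as posted in the message above. %SysDir% is the Windows system
# directory; the caller supplies its expanded form (assumed here to be
# C:\WINDOWS\system32 for the constructed sample data).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
CTFMON_DLL_SIZE = 6144  # size reported in the message

# Constructed sample: what `reg export` of the two keys might look like on an
# infected host. .reg files double the backslashes inside string data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\explorer.exe"
"SoundMan"="C:\\WINDOWS\\soundman.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\ctfmon.dll"
"ThreadingModel"="Apartment"
'''

# Constructed sample directory listing: path -> size in bytes. Only the
# ctfmon.dll size comes from the message; the other sizes are made up.
SAMPLE_LISTING = {
    r"C:\WINDOWS\explorer.exe": 1032192,          # legitimate shell lives here
    r"C:\WINDOWS\system32\explorer.exe": 28672,   # dropped copy in %SysDir%
    r"C:\WINDOWS\system32\ctfmon.exe": 15360,     # Windows ships an .exe
    r"C:\WINDOWS\system32\ctfmon.dll": 6144,      # dropped DLL, 6,144 bytes
}


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_lowercased: {value_name: data}}.

    Only REG_SZ values ("name"="data" and @="data") are decoded, which is all
    the indicators above need; other value types are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()   # registry keys are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # undo the .reg escaping of quotes and backslashes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_registry_indicators(reg, sysdir):
    """Return the two MyDoom.B persistence entries present in a parsed export."""
    sysdir = sysdir.rstrip("\\").lower()
    hits = []
    run_value = reg.get(RUN_KEY.lower(), {}).get("Explorer", "")
    if run_value.lower() == sysdir + r"\explorer.exe":
        hits.append(("Run\\Explorer", run_value))
    clsid_value = reg.get(CLSID_KEY.lower(), {}).get("(Default)", "")
    if clsid_value.lower() == sysdir + r"\ctfmon.dll":
        hits.append(("CLSID InProcServer32", clsid_value))
    return hits


def find_dropped_files(listing, sysdir):
    """Return the dropped files from the message that appear in a listing.

    The real explorer.exe is the shell in %WinDir%, not %SysDir%, and Windows
    installs ctfmon.exe rather than a ctfmon.dll, so either name under the
    system directory is worth a look; the DLL is also checked against the size
    the message reports.
    """
    sysdir = sysdir.rstrip("\\").lower()
    hits = []
    for path, size in listing.items():
        p = path.lower()
        if p == sysdir + r"\explorer.exe":
            hits.append((path, size, "explorer.exe outside %WinDir%"))
        elif p == sysdir + r"\ctfmon.dll":
            note = "ctfmon.dll"
            if size == CTFMON_DLL_SIZE:
                note += " (size matches 6,144)"
            hits.append((path, size, note))
    return hits


def scan(reg_text, listing, sysdir=r"C:\WINDOWS\system32"):
    """Combine both checks; an empty list means none of the indicators matched."""
    reg = parse_reg_export(reg_text)
    return find_registry_indicators(reg, sysdir) + find_dropped_files(listing, sysdir)


if __name__ == "__main__":
    for hit in scan(SAMPLE_REG_EXPORT, SAMPLE_LISTING):
        print(hit)
```

To use it on a real host, feed `scan()` the text produced by `reg export` for the two keys and a path-to-size map built from a listing of the system directory; a match on the Run "Explorer" entry or on the CLSID InProcServer32 default value is exactly the persistence the message lists, and the CLSID match is the one that survives a cleanup that only looks at Run keys.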