[Dshield] MyDoom.B Varient

jayjwa jayjwa at atr2.ath.cx
Wed Jan 28 21:56:52 GMT 2004

I didn't know if you all saw this yet, I just found out about it. Read the
attachment about MyDoom.B varient. There's quite a lag between what I post
and when it hits the list, so maybe this is old, but it wasn't on the last
list I just read.



-------------- next part --------------

  Dangerous Mydoom Variant Appears       
  January 28, 2004 (3:39 p.m. EST)       
  By Gregg Keizer, TechWeb News          
  The first copycat of the widespread    
  Mydoom worm appeared Wednesday on      
  the Internet, and some analysts are    
  warning it may be even more            
  dangerous than the original.           
  Dubbed Mydoom.b by most security       
  firms, the variant strongly            
  resembles the Mydoom, now tagged as    
  Mydoom.a, but adds some new            
  disturbing traits.                     
  Some of the subject lines used by      
  Mydoom.b depart from the original,     
  including new headings of 'Delivery    
  error' and 'Returned mail,' both       
  which try to trick users into          
  believing that the message is legit    
  and can safely be opened.              
  Another change in Mydoom.b is the      
  addition of microsoft.com as a         
  target for a February 3                
  denial-of-service (DoS) attack.        
  Mydoom.a specified sco.com as the      
  target for a February 1 DoS assault    
  by compromised machines; Mydoom.b      
  has both sites and the associated      
  dates embedded in its code.            
  Most notable, and most disturbing,     
  however, is that Mydoom.b prevents     
  infected users from accessing          
  anti-virus and other computer          
  support sites.                         
  The worm modifies the host file on     
  the compromised system so that 65      
  Web sites resolve to the IP address    
  of, making them                
  The list of affected sites include     
b major names in the anti-virus and    te
  security trade, including Symantec,    
  McAfee, F-Secure, Sophos, Network      
  Associates, and Kaspersky Labs.        
  Microsoft's Office Update and          
  Windows Update, as well as other       
  Microsoft download locations, are      
  also on the list.                      
  That makes it much more dangerous      
  than its predecessor, said Ken         
  Dunham, the malicious code director    
  for security firm iDefense.            
  *This new variant is worse than        
  Mydoom.a,* he said, because the lack   
  of access to security and anti-virus   
  sites will make it impossible for      
  many users, particularly consumers,    
  to obtain updates to protect or        
  clean their systems. *This will        
  result in a longer lifespan for        
  Mydoom.b,* he said.                    
  Dunham, along with other security      
  experts, suspect that Mydoom.b is      
  being launched from computers          
  already infected with the original     
  Mydoom.a. *If this is the case,*       
  said Dunham, *Mydoom.b will likely     
  become very prevalent in just a few    
  Moscow-based Kaspersky Labs agreed.    
  *Our analysts believe that Mydoom.b    
  is probably using machines infected    
  by the original Mydoom,* said          
  Kaspersky spokesman Denis Zenkin in    
  an e-mailed statement. *The computer   
  community may be facing a much more    
  serious outbreak than the one caused   
  by Mydoom.a yesterday.*                
  Anti-virus firms are racing to         
  combat Mydoom.b with updated virus     
  definition files, but not all          
  companies have yet posted alerts for   
  the variant, nor updates that can      
  defend and disinfect.                  


More information about the list mailing list