[Dshield] MyDoom.B Varient
jayjwa at atr2.ath.cx
Wed Jan 28 21:56:52 GMT 2004
I didn't know if you all saw this yet, I just found out about it. Read the
attachment about MyDoom.B variant. There's quite a lag between what I post
and when it hits the list, so maybe this is old, but it wasn't on the last
list I just read.
-------------- next part --------------
Dangerous Mydoom Variant Appears
January 28, 2004 (3:39 p.m. EST)
By Gregg Keizer, TechWeb News

The first copycat of the widespread Mydoom worm appeared Wednesday on the Internet, and some analysts are warning it may be even more dangerous than the original.

Dubbed Mydoom.b by most security firms, the variant strongly resembles the Mydoom, now tagged as Mydoom.a, but adds some new

Some of the subject lines used by Mydoom.b depart from the original, including new headings of 'Delivery error' and 'Returned mail,' both of which try to trick users into believing that the message is legit and can safely be opened.

Another change in Mydoom.b is the addition of microsoft.com as a target for a February 3 denial-of-service (DoS) attack. Mydoom.a specified sco.com as the target for a February 1 DoS assault by compromised machines; Mydoom.b has both sites and the associated dates embedded in its code.

Most notable, and most disturbing, however, is that Mydoom.b prevents infected users from accessing anti-virus and other computer

The worm modifies the host file on the compromised system so that 65 Web sites resolve to the IP address of 0.0.0.0, making them

The list of affected sites includes major names in the anti-virus and security trade, including Symantec, McAfee, F-Secure, Sophos, Network Associates, and Kaspersky Labs. Microsoft's Office Update and Windows Update, as well as other Microsoft download locations, are also on the list.
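The hosts-file modification described above (vendor and update domains pointed at 0.0.0.0) is easy to check for from the defender's side. The following audit script is an added example, not code from the DShield post or from the TechWeb article; the vendor watchlist, the `audit_hosts` helper and the sample hosts file are constructed for illustration. It flags any non-local name mapped to an unreachable address (0.0.0.0 or loopback) and, separately, any entry at all for a watchlisted security-vendor or update domain, since a hosts-file override of such a domain is almost never legitimate.

```python
"""Hosts-file audit: flag entries that null-route or redirect security-vendor
and update domains, the technique the article attributes to Mydoom.b.

Added example for illustration; not code from the post or the article.
The watchlist and the sample hosts file below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed watchlist of domain suffixes (assumption: built from the
# vendors the article names; extend for your own environment).
WATCHLIST = (
    "symantec.com", "mcafee.com", "f-secure.com", "sophos.com",
    "nai.com", "kaspersky.com", "microsoft.com", "windowsupdate.com",
)

# Names that legitimately map to loopback; never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

Entry = Tuple[str, List[str]]  # (address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file syntax: '<addr> <name> [<name>...]', '#' comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address: skip rather than crash
        if names:
            entries.append((addr, [n.lower() for n in names]))
    return entries


def is_null_route(addr: str) -> bool:
    """0.0.0.0, '::' or a loopback address makes the name unreachable."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


def on_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Return {'null_routed': [...], 'watchlist_redirect': [...]}.

    null_routed: non-local names mapped to an unreachable address.
    watchlist_redirect: watchlisted names mapped anywhere at all.
    """
    findings: Dict[str, List[str]] = {"null_routed": [], "watchlist_redirect": []}
    for addr, names in parse_hosts(text):
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if is_null_route(addr):
                findings["null_routed"].append(f"{name} -> {addr}")
            if on_watchlist(name):
                findings["watchlist_redirect"].append(f"{name} -> {addr}")
    return findings


# Constructed sample hosts file: the 0.0.0.0 and 127.0.0.1 vendor lines mimic
# the modification the article describes; the rest are ordinary entries.
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real system
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.symantec.com        # injected entry
0.0.0.0         windowsupdate.microsoft.com
127.0.0.1       us.mcafee.com
10.0.0.5        intranet.example        # legitimate internal override
"""

if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Run against the real file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) by passing its contents to `audit_hosts`; an empty result for both lists is the expected state on a clean machine, and any watchlist hit deserves a look regardless of the address it points to.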
That makes it much more dangerous than its predecessor, said Ken Dunham, the malicious code director for security firm iDefense. "This new variant is worse than Mydoom.a," he said, because the lack of access to security and anti-virus sites will make it impossible for many users, particularly consumers, to obtain updates to protect or clean their systems. "This will result in a longer lifespan for Mydoom.b," he said.

Dunham, along with other security experts, suspects that Mydoom.b is being launched from computers already infected with the original Mydoom.a. "If this is the case," said Dunham, "Mydoom.b will likely become very prevalent in just a few

Moscow-based Kaspersky Labs agreed. "Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom," said Kaspersky spokesman Denis Zenkin in an e-mailed statement. "The computer community may be facing a much more serious outbreak than the one caused by Mydoom.a yesterday."

Anti-virus firms are racing to combat Mydoom.b with updated virus definition files, but not all companies have yet posted alerts for the variant, nor updates that can defend and disinfect.

More information about the list