[Dshield] FW: [Full-Disclosure] Hello Mydoom

Micheal Patterson micheal at tsgincorporated.com
Thu Jan 29 15:42:34 GMT 2004


I'd like to know if this can be confirmed. So far, none of the systems that
I'm in control of have been hit by either the A or B version.


--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.


----- Original Message ----- 
From: "Paul Marsh" <pmarsh at nmefdn.org>
To: <list at dshield.org>
Sent: Thursday, January 29, 2004 8:04 AM
Subject: [Dshield] FW: [Full-Disclosure] Hello Mydoom


> Morning All:
>
> I don't know, maybe this is the wrong thing to forward, but can
> the coders of the group take a look at this email from FD's list?
>
> Thanx, Paul
>
> -----Original Message-----
> From: Juari Bosnikovich [mailto:juarib at m-net.arbornet.org]
> Sent: Wednesday, January 28, 2004 05:40 PM
> To: full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] Hello Mydoom
>
>
> When I disassembled the virus I found new information that hasn't come
> up anywhere else to this time.
>
> Here is the information that is believed...
>
> 1. use restricted usernames to send email to and from
> 2. encode strings with ROT13 method
> 3. create a mutex called 'SwebSipcSmtxSO' when run
> 4. transform into taskmon.exe and
> 4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
>     "TaskMon" = %sysdir%\taskmon.exe
> 4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
>     "TaskMon" = %sysdir%\taskmon.exe
> 5. add %sysdir%\shimgapi.dll
>     open ports 3127/tcp - 3198/tcp
> 6. stops spreading February 12
> 7. spreads through KaZaA and Electronic Mail System
> 8. and more very technical facts I will not describe here
>
> What I found...
>
> Even if the virus (Mydoom) is programmed in assembler and compiled using
> masm, it is made to look like it has been programmed in C++ when
> disassembling. It is a fact that much more information is hidden and
> undiscovered to this date, such as the fact that it will stop spreading
> on February 12, which is not true. Mydoom will pass into a new phase upon
> February 12 and it will be very much more serious, as it will be updated
> and will mutate into Mydoom.C. The backdoor (shimgapi.dll) opens a port,
> but this is used to obscure the real intention of Mydoom.B as well as
> Outlook Express.
>
> It was also unknown that the virus infects the BIOS of the computer it
> infects by injecting a 624-byte backdoor written in FORTH which will
> open a tcp port when Mydoom is executed AFTER February 12.
>
> It is a conclusion that the viral professionals that published diagnosis
> of the Mydoom.A virus are trying to hide something or are very
> incompetent.
>
> Also there is no way to fix the virus that is injected in the BIOS
> after it has been infected except flashing it AFTER disinfecting
> the workstation that was infected.
>
>                                         Juari Bosnikovich
>
>
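The quoted Full-Disclosure post lists concrete host-level indicators (the mutex name, the two Run keys, the dropped files taskmon.exe and shimgapi.dll, and the 3127-3198/tcp port range) plus the claim that strings are ROT13-encoded. The following Python is an added example written for this archive page; it is not code from the original message or from any of its authors. It checks a constructed host snapshot against exactly those indicators and decodes ROT13-obfuscated strings the way an analyst would when pulling strings from a sample. `HostSnapshot`, `match_indicators` and `find_obfuscated_indicators` are hypothetical names; every snapshot value is constructed for the example.

```python
import codecs
from dataclasses import dataclass

# Indicators taken verbatim from the quoted post (items 2-5).
MUTEX_NAME = "SwebSipcSmtxSO"
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN_VALUE_NAME = "TaskMon"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORTS = range(3127, 3199)  # 3127/tcp - 3198/tcp, inclusive


@dataclass
class HostSnapshot:
    """Hypothetical host inventory as a responder might export it.

    run_entries: {(registry_key, value_name): value_data}
    sysdir_files: file names found in %sysdir%
    listening_tcp_ports: TCP ports in LISTEN state
    mutexes: named mutex objects present on the host
    """
    run_entries: dict
    sysdir_files: set
    listening_tcp_ports: set
    mutexes: set


def rot13_decode(s: str) -> str:
    """Undo the ROT13 string encoding the post says the sample uses (item 2)."""
    return codecs.decode(s, "rot13")


def find_obfuscated_indicators(strings):
    """Return (raw, decoded) pairs for strings whose ROT13 form is a known dropped-file name.

    Useful when the plaintext names do not appear in a strings dump because
    the binary stores them ROT13-encoded.
    """
    hits = []
    for s in strings:
        decoded = rot13_decode(s).lower()
        if decoded in DROPPED_FILES:
            hits.append((s, decoded))
    return hits


def match_indicators(snap: HostSnapshot) -> list:
    """Evaluate a snapshot against the post's indicators; return one finding per hit."""
    findings = []
    if MUTEX_NAME in snap.mutexes:
        findings.append(f"mutex {MUTEX_NAME} present")
    for (key, name), data in snap.run_entries.items():
        # Items 4.1/4.2: "TaskMon" = %sysdir%\taskmon.exe under either Run key.
        if key in RUN_KEYS and name == RUN_VALUE_NAME and data.lower().endswith("taskmon.exe"):
            findings.append(f"Run entry {key}\\{name} -> {data}")
    present = DROPPED_FILES & {f.lower() for f in snap.sysdir_files}
    for f in sorted(present):
        findings.append(f"file %sysdir%\\{f} present")
    ports = sorted(p for p in snap.listening_tcp_ports if p in BACKDOOR_PORTS)
    if ports:
        findings.append(f"listening on backdoor port range: {ports}")
    return findings


def example_snapshot() -> HostSnapshot:
    """Constructed snapshot of a host showing all four indicator classes."""
    return HostSnapshot(
        run_entries={
            (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "TaskMon"):
                r"C:\WINNT\system32\taskmon.exe",
        },
        sysdir_files={"taskmon.exe", "shimgapi.dll", "kernel32.dll"},
        listening_tcp_ports={445, 3127},
        mutexes={"SwebSipcSmtxSO"},
    )


if __name__ == "__main__":
    for line in match_indicators(example_snapshot()):
        print(line)
    # Constructed strings-dump fragment: two ROT13-encoded file names and noise.
    print(find_obfuscated_indicators(["gnfxzba.rkr", "hello", "fuvztncv.qyy"]))
```

A file named taskmon.exe is a weak indicator on its own (a legitimate Taskmon.exe shipped with Windows 9x/Me), so treat a single finding as a lead and the combination of Run key, mutex and listening port as the actual signal; the port-range check also belongs on the network side, where a host suddenly listening on 3127/tcp is easy to spot in a scan.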
