[Dshield] Return of MyDoom?

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Apr 5 17:12:38 GMT 2006


On Tue, 04 Apr 2006 15:35:17 CDT, Laura Vance said:
> Has anyone else seen the return of the MyDoom worm?  We hadn't seen 
> anything for months, and now we've gotten over 100 since March 31st.  
> They're all being blocked, and our virus scanner had updates to cover 
> this new one (MyDoom.R) before it hit.  It just seems odd for a strain 
> that is so old to come back like this.

Most likely, some poor loser on a cablemodem somewhere in Suburbia
actually backed their system up several months ago, and just restored it
after they lost their disk.  And now you're seeing where that machine had
an e-mail address at your site on the disk, so it's being targeted.

A quick check shows several hundred Mydoom per week here (stats for last week):

Breakdown by Virus Family:
   5171	ZAFI                   (24.05%)
   4872	NYXEM                  (22.66%)
   2655	NETSKY                 (12.35%)
   1461	MYTOB                  ( 6.79%)
   1042	MYTOB-EI               ( 4.85%)
    579	MYTOB-FO               ( 2.69%)
    559	MYDOOM-AJ              (  2.6%)
    338	MYTOB-BE               ( 1.57%)
    318	LOVGATE                ( 1.48%)
    307	MYDOOM                 ( 1.43%)

It's like Internet herpes - anti-viral products will suppress them, but not
totally prevent outbreaks. :)
