[unisog] MyDoom does not attack www.sco.com?

Brian Eckman eckman at umn.edu
Thu Jan 29 22:13:54 GMT 2004

Julian Y. Koh wrote:
> Hash: SHA1
> At 14:23 -0600 1/29/2004, Brian Eckman wrote:
>>I have run MyDoom in a tightly controlled environment, then again in a
>>mostly uncontrolled environment (only filtering was stopping outbound
>>25/tcp from the computer), and regardless of whether I let the system
>>clock roll over to Feb 1, 2004, or change it to Feb 1, 2004, or reboot
>>with it set at Feb 1, 2004, I can not get it to even do a DNS lookup for
>>www.sco.com let alone send any SYN packets its way. I am sniffing on the
>>local computer as well as via the network.
> It's not exactly Feb 1, 2004.  It's around 10:09am CST on Feb 1, according to
> <http://www.f-secure.com/v-descs/novarg.shtml>
> If you set your clock to after that time/date and then reboot, you should see
> a DNS lookup and a NetBIOS lookup for www.sco.com.

Thank you for that information, I was not aware of it (obviously!). I 
can now verify that the DoS on www.sco.com will indeed occur on infected 
machines. Symantec also says "Due to the logic used to verify the date, 
the DoS only occurs 25% of the time". That could explain why it was not 
occuring while my clock was set to Feb 11.


Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list