Slashdot Mirror

← Back to Stories (view on slashdot.org)

MyDoom Windows Worm DDoSing SCO

Posted by ryuzaki0 on from the now-thats-just-not-cool dept.

We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

10 of 694 comments (clear)

  1. According to Symantec... by no_nicks_available · · Score: 3, Informative

    the DOS isn't supposed to start until Feb 1. Maybe this is related to some sort of network "hardening" in preparation. More info

  2. Funny, I think: by cockroach2 · · Score: 5, Informative

    On the bottom of the netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...

  3. DDoS by savagedome · · Score: 4, Informative

    Note that the DDoS attack is timed to be performed between 1st and 12th Feb, 2004.

    --


    Free XBox, PS2
  4. Re:Transmission require OE? by codepunk · · Score: 4, Informative

    Yes it does use outlook (the typhoid mary of the internet) to spread itself. I suggest you stick with windows as being a Linux administrator is a very lonely job. It is very much like being a Maytag repairman, nobody ever calls.

    --


    Got Code?
  5. It has a hidden payload, you FOOLS by Anonymous Coward · · Score: 3, Informative

    ripped straight from www.sophos.com:

    W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

  6. Re:I don't get the joke... by Kredal · · Score: 3, Informative

    the s/foo/bar command will replace all instances of "foo" with "bar". In this example, it changes "this" to "their".

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  7. Get your facts straight... by JRHelgeson · · Score: 4, Informative
    The DDoS against SCO.com doesn't start until the infected machine is rebooted any time after February 1, 2004 at 00:00:01 and will continue until the machine is rebooted after February 12, 2004. At that point in time, the DDoS will stop and the infected host will keep its back door open - listening on ports 3127 to 3198 TCP (It only listens on one port, but if 3127 isn't available it'll listen on the next port on up the chain). Presumably, after 12 Feb, the infected machine will be used as a spam relay as the virus obviously has Message Transfer capabilities encoded within it.

    The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really suprising after Darl had to fire the network admin to feed his Lawyer habit.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  8. Re:Something Doesn't Add Up by fishbert42 · · Score: 3, Informative

    ... there is no fscking point in sending the "you sent me a virus" panic mail.

    Actually, there is... but in sending an email to others who know your email address. For example, I got 3 messages yesterday which contained this virus. Now, from what I understand, this worm pulls email addresses from one's computer, and sticks those addresses in the 'from' field. One of those emails I received was "from" the United States Air Force Band's Singing Sergeants Yahoo Group. That's pretty specific, so I sent everyone I know (who runs windows) a message saying, basically, that if you know of the Singing Sergeants, or these few other email addresses, then it's likely you have this worm.

    Sending a "you gave me a virus" email to whomever is in the 'from' field is pretty useless, but the above tactic may prove helpful for this particular worm. At the very least, it lets other (possibly less-informed) folks know there's a worm about, and reminds them to practice good email usage (not opening unexpected attachments, etc.) and to update their anti-virus software.

  9. Meanwhile, for Postfix admins... by sunset · · Score: 4, Informative

    I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.

    In main.cf, insert this:

    body_checks=pcre:/etc/postfix/virus_body_checks

    Create a file virus_body_checks containing this:

    /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Microsoft executable attachments are not allowed here.
    /^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.

    If anyone has an improved solution, let me know, but this seems to work.

    1. Re:Meanwhile, for Postfix admins... by TwinkieStix · · Score: 3, Informative

      I would have moderated this as informative, but I'm going to reply instead. We're going to take your idea and change it in two ways. First, it appears that the virus is forging the senders address, so we shouldn't reply to the message because it causes undue hysteria. Instead, we're going to simply send the virus to /dev/null with a procmail script after postfix gets the message:

      :0 B
      * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
      /dev/null

      Does this work for everybody? We haven't gotten another e-mail since implimenting it.