MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
What a stupid name for a virus. The writer must be planning to get caught.
My poor firewall logs, oh why does DoomJuice hate thee.
I would think that mydoom.c would be the source file, so it should be a lot easier to reverse engineer.
./mydoom
gcc mydoom.c -o mydoom
Unknown host pong.
The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do any way. And also proved how many users aren't running any anti-virus at all.
Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody guarding that door.
The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.
Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possibility of DoomJuice2 coming out with a worse payload.
To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
So if it doesn't do the DOS or provide a backdoor, what does it do?
Wow, 666999 is a pretty kinky number if you ask me.. O_o
Uh, ok.. so what is on port 3127?
We are not all so nerdly that we memorize port tables... (emphasis on ALL)
Wouldn't it be nice if someone would write a virus that exploits the same RPC patch vulnerability as welchia and then starts DDOS ing Microsoft?
That way every time I forget to disconnect a freshly ghosted machine, Microsoft gets a nice little "Hi Mom!" message.
If you don't know what AltaVista is (was), get off my lawn.
This one seems to be more of an act of desperation. Maybe the writer thinks he's going to get caught soon?
Anyone infected by email virii should have their internet access revoked for being too damn stupid. Stop opening every fucking attachment you get, morons!
Did you happen to notice the part where it said This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127?
Just from the description in the /. blurb this seems to have a very different purpose from A and B. This seems like a script kiddie just for the hell of it kind of thing more than a spam tool.
"Sic Semper Tyrannosaurus Rex."
Does anyone know if it is slamming the msn messenger service as well? I haven't been able to connect to it recently, and it seems to be a network wide outage, since other people are having problems as well....
--
Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesn't have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.
The MyDoom.C name used in links such as the ABC one is probably for good headlines
Hence the name mydoom.c
Unknown host pong.
About the time the first version of this virus set sail, I noticed a huge spike in the number of Backdoor/Subseven probes against my firewall (still ongoing). Is this little bastard responsible for that, or is this caused by another issue altogether?
Be excellent to each other. And... PARTY ON, DUDES!
MyDoom.C's effects seem to already be felt. My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.
But Maaa! Everyone else has a
I never understood why viruses/worms/whatever bother to include shutoff dates. "hum, I really hate SCO, so I'm going to DDoS them, but only for a few days" Why?
--I don't want the world, I just want your half.
This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines
It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.
This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.
Did you happen to notice the part where it said This new variant relies upon a backdoor left in place by the original email spread virus.
I'm not sure what to think about this: How many times can you tell people never to open attachments until you just give up and accept that a certain casualty rate is to be expected? (As a sidenote -- I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text. This makes users accustomed to opening attachments).
Well, that's it: it's officially time to save stupid computer users from their own ineptability.
The next variant of mydoom should close port 3127 and install a virus scanner on the host's computer that automatically updates and scans in the background.
The internet is a minefield now-a-days.
I just tried to use it... couldn't connect. I tried a few times and gave up.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
After that article a couple of days ago about the hackers, I was wondering how new potential "script kiddies" would react... would they go in search of viruses and start sending them out, inspired by the article? Oh well, it doesn't matter. Now, for a horrible joke! What did the dog call the cat who was an amateur hacker? A script kitty! (sigh)
Are there any real applications that use port 3127, or can we safely block that port at our firewalls?
It attacks Microsoft without a shut off date?
Sooo.. uhhh... where... can... I
... download a copy of this virus?
I'll spread that mofo across my network like SETI@home.
ATTACK!
I'm sure we've learned enough by now to determine how this virus works to the point where we can create a worm of our own and disable its DoS attacks. I for one believe enough is enough, and it would be ethically ok to go ahead and create such a worm. All we'd have to do is infect in the same way this new virus does, and run arbitrary code to destroy the virus. Thoughts?
...in bed
ReRead article.
This is a parasite that takes advantage of the infection created by the earlier virus. It looks for systems that are vulnerable as a result of the earlier infection, and copies itself to them.
Additionally it provides instructions to the part of the system that was infected that causes it to go out and perform the DOS on (at the moment) Microsoft's web site.
Functionally it appears to be a macro virus that takes advantage of the installed application that already exists. It only runs on those systems, but affects other systems as a designed side effect of the macro.
-Rusty
You never know...
That's what MyDoom.A was for and how it breaks in.
Write a virus that scans for open 3127 TCP Ports, get into the machine and remove MyDoom from it.
This virus counter-virus wouldn't cause the same problem as the SoBig counter-virus (can't remember the name, sorry) because this time it would spot only actual infected computers instead of every computer with an open RPC port.
Iraq: war to save the U
Aunt Bertha switches on her 2 GHz supercomputer, and hooks up to the Internet with a connection speed that would have rivaled an ISP in the early 1990's. She sees a pretty icon in her inbox, so she points and clicks, unleashing some spammer's latest mass-mailing creation. By the time Bertha goes and gets a Triscuit, she has already spammed a million Internet neighbours.
Anyone else see why the Internet is full of crap? And if you think it's as easy to control as "blocking port 25" ... ha ha. You wish! The worm only has to send mail via the ISP's outgoing mail server (remember... the one you reminded me "I should be using")
So no, controlling this spam/virus menace isn't quite that easy. Whatever method you use to legitimately send mail, the worms will follow that same method.
When CodeRed and CodeRed 2 came out, didn't someone design a Code Blue worm which infected CodeRed{2} boxens and patched them? Can't someone do the same here?
--
The last digit of pi is four.
I run OSX and my MSIM has not been able to contact the service for a few hours now. Not sure if this is related to MyDoom, but the MSIM service has been rather spotty the last couple days.
This is the perfect opportunity for someone to fix American Idol, by getting all those zombie computers to dial and vote for their favorite singers!
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Mydoom.A shut down the site of SCO, owner of the Unix operating system
:)
Bwahahahaaa!!! Hope they checked the rest of their facts better
Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Anyone know if MyDoom's protocol for port 3127 is documented anywhere? If the virus writer can send it patches, then surely we can too :) We could have this mess cleaned up in a few days if we made the patch clean the machines. Not sure if cleaning people's machines without their permission is illegal, but it'd sure make a lot of people grateful. If anyone does do it make sure to sign it as a gift from the opensource community so we look really good instead of the evil people that we've been made to be.
Regards,
Steve
Early articles had some speculation that it must have been written by the original author of Doomjuice. On the other hand, there are now two parasitic viruses out there (Doomjuice and Deadhat) taking over MyDoom-infected boxen, so it's probably easier than that security expert thought. And Deadhat (aka Vesser) kills off any anti-virus and firewall software it can find, leaving a properly encrypted backdoor for its own 0wner to use.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I hate picking on misspellings, but I just think that was funny! With my luck, I'll misspell something, too.
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
After MyDoom.c we can probably expect MyQuake.a, as well as a sequel MyQuake.b... and maybe even MyReturnToCastleWolfenstein.a Unfortunately MyDoom.3d will only run on the latest graphics cards and DirectX9 hardware... and will spend years in development. Andy better not be working at id
READY.
PRINT ""+-0
i just got an email from postmaster@bestbuy.com and it said the mydoom virus had been stripped from this email....not sure if yahoo stripped it or if it was stripped before it got to yahoo
I've said this before and will say it again.
The virus we need is one that changes the wallpaper on a Windows(tm) machine to a big crotch shot. It can't be that hard, maybe a simple registry key, or an ini file modification.
In light of the recent Janet Jackson breast fiasco, I think you'll agree that Jane and Joe Jackass End User need a little more exposure to such things so they won't get their knickers in a knot over such silly crap.
Thanks.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
But I kind of have to snicker at the fact that thousands of machines running software that Microsoft didn't care to make secure at all is now attacking them back. There's a certain poetic charm about that. But of course we all know that there's a special seat reserved in Hell specially for the guy who wrote this. He will be forced to use Windows RG until the day Hell Freezes over. (Then the computer will die, leaving him all alone.)
But seriously, might this turn of events make Microsoft think twice about releasing an OS that has more security holes than a truckload of swiss cheese?
PS: Anyone else have trouble logging in with the new release of FireFox?
Microsoft is already scrambling to inform users to stop hammering their servers!
Several people report that it seems it might be affecting MSN servers?
[alk]
I don't think he'll get caught anytime soon. One of the writers, if there is more than one, was attacking SCO. I don't think there are many people out there who are all these things:
1) smart enough to write a windows virus
2) BIG linux advocate
and most importantly...
3) stupid enough to get caught.
Not that it takes a rocket scientist to write a windows virus, but this particular one does take some knowledge of how to use sockets (or whatever C# or .NET calls their own stupid abstraction).
In any event, most people who know how to do this have at least heard of ways to cover your tracks. Like hopping from rooted box to rooted box 20 times and writing self destruct codes that formats the disks of all those machines. If they didn't do something along those lines, then they deserve to get caught because they're a threat to our community! Just kidding.
Awww, but it said "I Love You."
How could it be harmful if it says "I love you"?
Does this have anything to do with the fact that MSN Messenger isn't working, nor is the messenger.msn.com site? I could just be speculating... but MSN Messenger went down without notice a few hours ago. Microsoft could be "not telling us everything" regarding server issues... or they could just be screwed up like usual :D
Microsoft is dying.
This sort of thing already came up with the last couple rounds of email-borne virii.
It's not necessarily such a great idea, because among other things, one mistake/bug/oversight in the "patch" - and you could start doing damage as bad as or worse than the virus you're attempting to remove. By definition, this "virus fix" would have to be treated as a virus by the anti-virus software authors too. (If it's making changes to PCs without their owners' permission, no matter what the motive, it's viral code, by definition.)
Depending on how "on top of things" the virus author is, there's also a possibility of a new variant being released that would respond in a very nasty way to attempts to disinfect via the circulating "patch".
Whoa there baby... lest you forget what happened with Blaster last year? Someone wrote Welchia - which had a _very very very aggressive_ ICMP scanning technique which brought many networks to their knees.
The university I work at still has ICMP disabled because of Welchia.
I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.
Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.
This scales particularly well for this application, because the big source of infections was Outlook, which is used in corporate email environments, so corporate firewalls are the right boundary. There's probably some amount of Outlook Express infection, which is a problem for consumer-oriented ISPs, but it's mostly a corporate problem.
Also, running the thing as a sysadmin-controlled port scanner means that you can tailor the payload to pop up a dialog box saying "Hey, Stupid, You clicked on the MyDoom Virus and got yourself infected, call the Help Desk at 1-555-555-31337 to get your machine cleaned up"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
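The post above suggests running the same kind of 3127 scan as a sysadmin-controlled tool on your own network instead of as a worm. The following is an added example written for this discussion, not code from any poster or from the worm: it connect-scans a list of hosts for an open TCP port (3127 by default, the port the thread identifies as the MyDoom.A/.B backdoor), sends nothing to the port, and reports which hosts accept the connection. The 192.168.1.0/24 range in the main block is an assumed placeholder; `local_listener` exists only so the scanner can be demonstrated offline against a socket on 127.0.0.1.

```python
"""Inventory scan for hosts with TCP/3127 (the MyDoom backdoor port) open.

Added example for this thread, not the worm's code or any poster's. It only
checks whether the port accepts a TCP connection; it never sends data.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

MYDOOM_BACKDOOR_PORT = 3127  # port named in the thread as the MyDoom.A/.B backdoor


def port_is_open(host, port=MYDOOM_BACKDOOR_PORT, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, unresolvable
        return False


def hosts_with_open_port(hosts, port=MYDOOM_BACKDOOR_PORT, timeout=1.0, workers=32):
    """Probe hosts in parallel; return, in input order, those accepting connections."""
    def probe(host):
        return host, port_is_open(host, port, timeout)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    return [host for host, is_open in results if is_open]


def expand_range(prefix, start, end):
    """Build IPv4 addresses prefix.start .. prefix.end, e.g. expand_range("10.0.0", 1, 254)."""
    if not 0 <= start <= end <= 255:
        raise ValueError("start/end must satisfy 0 <= start <= end <= 255")
    return [f"{prefix}.{i}" for i in range(start, end + 1)]


def local_listener():
    """Open a listening socket on 127.0.0.1 on an ephemeral port so the scanner
    can be demonstrated without touching any real network. Returns (socket, port);
    close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed address block: replace with a range you are responsible for.
    targets = expand_range("192.168.1", 1, 254)
    for host in hosts_with_open_port(targets, timeout=0.5):
        print(f"{host}: TCP/{MYDOOM_BACKDOOR_PORT} open, check this machine for MyDoom")
```

Only scan address space you administer; a connect scan with a short timeout across a /24 finishes in a few seconds with the thread pool, and a host that accepts the connection on 3127 is the one to pull off the network and clean.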
"And in international news, a new virus called W32.thisvirus.A@mm is infecting its way through email. . ."
We can't give users restricted accounts because it stops them from doing things like installing valid software. But don't you think it is time we took steps to sandbox the email applications?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Well, I've seen it reverse engineered, so you should be able to do that too. Really easy, Wine runs it just fine, and gives you some powerful debuggers and logging tools to help. (Make sure this machine is firewalled off though so you don't contribute to the DOS attacks in progress)
I'm not going into further detail because if I did tell you how (which I can't because I've forgotten the details, but we figured them out so you can too) and you were a script kiddie it would be trivial to write whatever program you want and cause more trouble. An honest hacker would have no problem getting the details, so I can safely assume that you wouldn't write this anyway so you don't need to know. (Either you are too lazy to do it, or you don't know how)
Doesn't "Andy" realize that by including the source code to MyDoom.A, he also helps the cops track him down? It's almost like writing a blackmail with a pencil instead of letters from various newspapers... His coding style is included in the source code which the police are now of course very happy about.
was posted right here a while back. Googling for SubSeven and disassembly turned it up.
C|N>K
For a company/university/personal firewall, yes, it should usually be blocking any inbound traffic that's not understood. ISPs have a much different type of user base - they should be allowing the end-to-end Internet to work, staying open to any protocols that they don't have a very good reason to block. Temporarily blocking 3127 or 1434 or whatever is often necessary if there's a big outbreak, and there are some ISPs that restrict Port 25 because they're trying to prevent their users from spamming - but as a home Linux user, I find that rude and wouldn't use such an ISP for normal activities.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I own two Macs, so don't take this as a troll, please.
Right now, Macs are feeling the effects of this virus, too; it's slowing down internet connections for ALL platforms thanks to the fact that it's indiscriminately flooding networks with "noise" in trying to find other machines with the MyDoom-opened port. To my knowledge, it doesn't stop searching, either.
And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so. Not only is YOUR "counter-virus" going to add to the network congestion, but it may well become a problem itself if it's not written just right. In other words, the cure might be worse than the disease.
For the short term, we need an education campaign. Teach the standard (and sub-standard) users of the world how to identify a virus, how to prevent getting infected, and why they should care. As the old saying goes, "you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."
~UP
Eat the Path.
Doomjuice distributes source code for MyDoom.A
Making this one of the first high-profile open-source viruses?
<zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>
...and think that the source to Doom III had been leaked?
Unfortunately, this sequel of the worm is spreading the sources, too... There are some ironic commentaries in the code like: What's the bug about "75% failures"? and even a readme file indicating that it can't be compiled under MSVC .NET
Mayfoev [Damn Frenchy]
How is the parent post offtopic? I found it interesting and relevant..
-raph
No, Doomjuice is an open sores virus, as it utilizes an open sore (that is, port 3127) left by MyDoom.A to get in.
Will I retire or break 10K?
I was fascinated by the zombifying worms, spreading across the internet making unsuspecting hosts into proxy spam servers, but now I'm beginning to wonder if worm harvesters will have to be written and (by mutual agreement) released onto the net. I still get code red dropping by all the time (it can have my default.ida, for all I care; I'm through with it), and new kiddies write them at such an increasing pace that one New York Times article about worms recently needed two slashdot articles by the time it was posted. Might they start (at some point in the future) to actually start to "clog" the internet? Hell, they already do; the network where I work was brought to a crawl more than once over the last year because of them (and the idiots who administer the network, but that's another rant). Anyway, when worms constitute more than 50% of the traffic more than 50% of the time, some regulatory body is going to propose spidering worm-eaters. It'll be like "core wars" all over again (everything comes full circle sooner or later).
grammar-lesson free since 1999. (rescinded - 2005)
The MyDoom API is documented in RFC 3128. You can also look at the javadocs. It's all in there.
At least we are years away from MyDuke.nukem.forever. This will give all the anti-virus companies a chance to prepare, although it will be a primitive virus, obsolete before it comes out.
"A Microsoft spokesman said Monday that any performance problems on the company's site are likely related to countermeasures the company took to evade the MyDoom.B DDoS attack and not an attack from machines infected with the latest variant."
So in other words, to prevent MyDoom from DDoSing Microsoft's website, Microsoft decides to DDoS themselves instead. What a wonderful world!
Carpe Diem: Seize The Day!
If (you == girl) {
_never_had_boyfriend(you);
} else {
never_had_girlfriend(you);
}
Help fight continental drift.
indeed.
and another point why internet voting just wont work...how many machines have other backdoors on them aside from this mydoom crap....i'm willing to say that's the number is more than that infected by mydoom alone.
you make McAfee's and Norton's work easy. This time, they only had to edit someone else's virus to keep themselves in business. Seriously, though, haven't you ever wondered if they pay to have some of these things written so that they can make money off of the ensuing paranoia?
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
This isn't flamebait, it's insightful. All these viruses are spread entirely through complete and utter stupidity.
We need to start blocking these fucking retards off the internet until they grow a brain.
then do as I did, use an outlook express rule to "delete from server" then you never get to see them, better than a client side rule.
cheers
First Half Life 2, now the C source of Doom 3 is out in the wild... Damn, now we'll never see these games.
Spammer: ....
1. Spread a virus opening backdoor in infected systems
2. Send spam through these backdoors
3.
4. Profit!
Geek:
1. Spread a virus opening backdoor in infected systems
2. Install seti@home clients through these backdoors
3...
4. Fun!
It seems to me that there should be more viruses that target offshoring and tech visa organizations. Not that I condone such, but if the attacks reflect issues that piss off techies in general, then a dying IT market should rank right up there.
So any bets WHEN the 2^16 (65536th) virus will be found?
But it said "I love you!" !!! ;)
suteki!
I use popfile.. i dont do automatic deletion for anything, even viruses.. in order for popfile to filter it, it has to download it
Anyone have a copy of the source code? (Probably some of you out there with infected machines ;) The file is sync-src-1.00.tbz Can someone mirror it? Thanks!
Actually, if more ISPs blocked egress port 25 traffic, these types of viruses (that use their own SMTP engine) would not have been an issue in the first place. Leaving port 25 open is a bad idea for ISPs, and a bad idea for businesses that have computers on the internet.
I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text
Yes, but you can turn that off. Evolution did that. Turning it off was one of the first things I did.
Educating the "general user" about virii has come a good way, but some people still need some lessons. Sadly, I think the great majority of users that still spread these viruses are simply negligent (they know better but really don't care). Maybe I'm too techsupport-bitter.
I've been having trouble connecting to it since the middle of last week. And I work for MS! So what's the official answer? Dunno, it's MSN's baby.
Cthulhu loves you.
Cable and DSL companies will give out a nice little hardware firewall ala Linksys or Netgear along with their cable/dsl modems. Hell, Toshiba even makes a cable modem with a built in 4 port switch/firewall. Giving these users a broadband connection and no education on the dangers of the internet is like giving a Ferrari to someone who can't drive.
I know the ISP isn't ultimately responsible for their users' actions, but they'd be doing themselves a big favor by eliminating most of that traffic. During the heyday of the Blaster virus I was getting a few port 53 requests per second from infected machines on Verizon's dsl...that's quite an additional load on their network.
slashdot, news for crazed liberal socialist zealots
How about MyWindows.xp?
Actually Microsoft should be advertising the fact that it is the best OS on the planet for virus development and deployment. It would look good on the Windows vs Linux propaganda.
Hey, I have a great idea. Why not use this open port on the infected MyDoom boxes to propagate a virus which is set to automatically remove MyDoom and then remove itself several days after infection? It would be a great way to "patch" all these compromised boxes.
That being said, I wonder what the legality of this benevolent virus would be. Could the author of the virus safely step forward and make his name known?
I heard Romero has been working on the MyDaikatana.a worm for the past five years. Unfortunately, he released it into the wild and nobody noticed; it apparently couldn't spread.
Manipulate the moderator system! Mod someone as "overrated" today.
Yeah, apparently certain IP addresses or subnets were on the Welchia slam list - a web site of mine got moved to a new IP address and I started seeing all sorts of weird HTTP traffic. Apparently the IP address I was moved to was on a Welchia list of some sort, and every two or three days lots and lots of Welchia infected hosts would send a packet my way. The result was about a thousand spurious connections a day wasting a modest amount of bandwidth and totally screwing up our site statistics until we figured out how to block these particular requests.
What if someone wrote a virus to target Macs? There are literally hundreds, if not thousands, of people using Mac's these days and many of them are connected to the Internet. A Mac virus of the MyDoom type could cause a pretty big problem somewhere like an art school or a large interior decorating firm. Just something to think about...
msn has been down the better part of the day, or is it yet something else microsoft can't get right?
The virus writer (Andy) had a great and original idea with the viruses. He released 2 viruses whose only point was to spread as fast as they could and open a backdoor, with the smoke screen of DOSing MS and SCO, but no real damage to the computers. Now comes along C, I don't see it doing any damage other than slowing down the internet, but imagine if it did. It can spread quite fast through the backdoor left by the very fast first two viruses.
Cheers,
RoadkillBunny
I'm no Microsoft supporter but you can not blame them for this one. Someone had to install a program (virus) to become infected. The spread of this virus and its variants is a result of ignorant computer users who happen to be on the Windows platform.
Blaster on the other hand was a result of a security flaw in Windows.
It turns out the only scans for 3127 I'm getting are from my ISP. My firewall log shows they appear to be scanning all of 312x. At least I don't have to worry about securing my machine now. It looks like they've got it covered.
Shadows on the road behind, shadows on the road ahead...
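Several posts in this thread mention watching firewall logs fill with 3127 probes, and the one above notes a source sweeping the whole 312x range. The following is an added example written for this discussion, not any poster's code: it parses netfilter-style (iptables LOG target) lines, keeps only inbound TCP SYNs to ports 3120-3129, counts them per source address, and separates sources hammering 3127 alone (a MyDoom backdoor probe) from sources sweeping the range. The log lines embedded below are constructed in that format with documentation addresses (203.0.113.x, 198.51.100.x), not captured traffic, and the threshold of three SYNs and the 3120-3129 reading of "312x" are assumptions.

```python
"""Find hosts probing the MyDoom backdoor port in firewall logs.

Added example for this thread, not any poster's code. Input is netfilter
(iptables LOG target) style text; the SAMPLE_LOG below is constructed, not
captured, and uses RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

BACKDOOR_PORT = 3127                     # MyDoom.A/.B backdoor port named in the thread
RANGE_PORTS = frozenset(range(3120, 3130))  # assumed reading of "all of 312x"

# Fields of an iptables LOG line we care about; other fields may sit between them.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, proto, dpt, syn_only) for a netfilter LOG line, else None.

    syn_only is True when the TCP flags show SYN without ACK, i.e. a fresh
    connection attempt rather than a reply or established-flow packet."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = line[m.end():]
    syn_only = re.search(r"\bSYN\b", flags) is not None and re.search(r"\bACK\b", flags) is None
    return m["src"], m["proto"], int(m["dpt"]), syn_only


def summarize(lines):
    """Map source address -> Counter of destination ports, for TCP SYNs into 3120-3129."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dpt, syn_only = parsed
        if proto == "TCP" and syn_only and dpt in RANGE_PORTS:
            hits[src][dpt] += 1
    return hits


def classify(hits, probe_threshold=3):
    """Label each source: 'range-sweep' if it touched more than one 312x port,
    'backdoor-probe' if it sent at least probe_threshold SYNs to 3127 alone.
    Sources below the threshold are dropped (a single SYN is not worth a report)."""
    report = {}
    for src, ports in hits.items():
        if len(ports) > 1:
            report[src] = "range-sweep"
        elif ports[BACKDOOR_PORT] >= probe_threshold:
            report[src] = "backdoor-probe"
    return report


def report_for(log_text, probe_threshold=3):
    """Convenience wrapper: raw log text in, {src: label} out."""
    return classify(summarize(log_text.splitlines()), probe_threshold)


# Constructed sample (not real traffic). Prefix trimmed to the fields that matter.
SAMPLE_LOG = """\
Feb  9 10:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 PROTO=TCP SPT=3412 DPT=3127 WINDOW=65535 SYN URGP=0
Feb  9 10:12:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 PROTO=TCP SPT=3412 DPT=3127 WINDOW=65535 SYN URGP=0
Feb  9 10:12:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 PROTO=TCP SPT=3412 DPT=3127 WINDOW=65535 SYN URGP=0
Feb  9 10:12:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=113 PROTO=TCP SPT=3412 DPT=3127 WINDOW=65535 ACK URGP=0
Feb  9 10:13:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=55 PROTO=TCP SPT=40001 DPT=3120 WINDOW=5840 SYN URGP=0
Feb  9 10:13:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=55 PROTO=TCP SPT=40002 DPT=3121 WINDOW=5840 SYN URGP=0
Feb  9 10:13:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=55 PROTO=TCP SPT=40003 DPT=3122 WINDOW=5840 SYN URGP=0
Feb  9 10:13:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=55 PROTO=TCP SPT=40004 DPT=3127 WINDOW=5840 SYN URGP=0
Feb  9 10:14:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.2 LEN=48 TTL=120 PROTO=TCP SPT=1025 DPT=3127 WINDOW=16384 SYN URGP=0
Feb  9 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.2 LEN=48 TTL=64 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0
Feb  9 10:15:03 fw sshd[812]: Accepted publickey for admin from 198.51.100.9 port 50022 ssh2
"""

if __name__ == "__main__":
    for src, label in sorted(report_for(SAMPLE_LOG).items()):
        print(f"{src}: {label}")
```

Run against the constructed sample this reports 203.0.113.7 as a backdoor probe (three SYNs to 3127; the ACK packet is ignored) and 203.0.113.9 as a range sweep, while the single SYN from 203.0.113.11 and the port 80 traffic are left out. Point `report_for` at your own kernel log output to see which sources are knocking on 3127; the regex tolerates the MAC=, TOS= and other fields a real iptables line carries because it only anchors on SRC, PROTO, SPT and DPT.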
Hey guys, I just heard from a guy who got infected by the romero.a worm that MyDaikatana is supposed to make us its bitch in 2005. Although the romero.b, .c and .d variations claim the same thing for 2006, 2007 and 2008, respectively.
Mr. T pitied this fool on 27 July 1992.
MOD PARENT FUNNY
Netcraft is confirming this virus is having an impact on MS's website. However you feel about the company, that's news.
Anyone using the word virii should have their internet access revoked for being too damn stupid. Stop using madeup nonwords, morons!
Why is it just the individual user's responsibility for firewalling their system? Shouldn't ISPs help a little by stepping up and blocking some of the affected ports during these times of crisis? Why weren't more ISPs just outright refusing to send or accept traffic on port 53 during Blaster? Is it because *gasp* they and telcos get paid on bandwidth usage?!
Yes it is the individual user's responsibility to keep their computer neat and tidy like one keeps their home and property tidy to prevent fires. However if a home does catch on fire you bet the city is going to step in if not to protect you but to protect others' property. Why are ISPs letting so many "fires" run rampant?
Why would an SCO exec be living on Front Street in Philly? BTW, does everyone still street race on Front Street? I haven't been there in over a decade.
What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.
The writeup from Symantec is here.
-R
Some people were reporting lack of service in MSN messenger service. It seems msn messenger is back up. And that's with Kopete.
---
"There is always some madness in love. But there is also always some reason in madness."- Friedrich Nietzsche
Anyone who writes this would probably be accused of writing the original virus. As an added bonus, if the writer is a U.S. citizen, the terrorist enhancement would apply, and this means he or she might accept a plea regardless of guilt.
but I'll have to look it up and that might take a couple days. I'd recommend checking this thread once or twice a day for the next couple weeks so you'll know when I've found it.
You misspelled "dumbasses". (MyDoom doesn't exploit software weaknesses but idiot users who click on everything that looks like it could make funny noises when clicked.)
Free as in mason.
If you have seen the source code, the programmer doesn't use the standard Windows (hungarian) notation. His coding style is more of a unix/linux programmer. Today SCO will use this as evidence that a linux programmer wrote the virus... There's a picture of parts of the code here if you don't have the source code.
Next thing you know, we'll see this on Windows Update:
MyDoom.C - A critical update for the MyDoom virus is now available. This update fixes the flaw that prevented infected machines from launching DOS attacks at microsoft.com past the expiry date. Install this update if you need microsoft.com DOSing capabilities.
There are $69.99 routers with firewalls at Futureshop. There is no excuse for people to have any IP ports just open. It's getting stupid.
Spend the money.....
Subject: Clickety-click!
Attachment:clickety.exe
Text:
Yeah, you know, the files you axed me for.
<SmallerFont>
By starting the attached file, you agree to: A) have remote administration software installed on your computer, B) allow that remote administration software to replicate to other computers as well, C) have a mail relay installed on your computer, D) have software that might conflict with the remote administration software (e.g. anti-virus software) disabled, E) you're not reading this anymore, are you? F) have updates to the remote administration software automatically installed, G) this text is so boring, H) even if that updates fundamentally alter the functionality of the software (e.g. DDOS the shit out of macrohard.com or dashslot.org) I) why not check out the nice file i sent you instead. J) you agree to never sue the author or distributor of this remote administration software for anything. K) no, really. the file is so nice - maybe it even makes funny sounds when you click it? L) neither anyone who uses your computer to send electronic mail, no matter what quantity or content.
</SmallerFont>
We all know, nobody reads those EULAs
Free as in mason.
"you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."
..."or you can give him a drift-net and he can wipe out all the frickin fish in the ocean... and then complain about all the fish being gone."
(probably closer to what we've got here)
Interactive Visual Medical Dictionary
MyDukeNukeMForever.A
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
From Internet Storm Center (emphasis mine):
A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the Mydoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDOS against www.microsoft.com.
They're called Macs. Oh, sure, there's some Linux workstations peppered about. Mostly for the zealots, but of course some test beds with the neophyte type users.
The ONLY thing that Win2K anymore is ... AutoCAD (which is the only version of Windows left deployed -- 98se is gone, WFW3.11 is long gone and XP never saw the light of day thank goodness!)
Ironically I've been more than happy to supply feedback to AutoDesk with regards to their OS X flavored version in development. Started on the Mac, may end up back there again. YEAH!
Otherwise -- we're seriously exploring all alternatives for 3D CAD residential and commercial building, surveying, and landscaping type design which is where the majority of my clients' needs fall. Some mechanical which are the first to want to play with the Linux (old Windows boxes :) and Macs as available.
Word Processing, Spreadsheets, pick a graphic format, pick a video format, pick a sound format -- put it all together and mix it up a bit ... you pretty much come up with iLife. [no, i do NOT work for Apple, I just happen to also dig my iPod ;*]
Heck, the network has been segmented, physically and logically at the switches in the computer rooms. "Windows" and "Everybody else". When traffic goes nuts (somebody brought a virus riddled laptop in and hit the network somewhere) -- the switches will auto-shutdown the Windows segments. I've even happily supplied network jacks at open desks, lunch room, break rooms, warehouse, etc -- they all go to a secondary (yet sub-segmented) switch bank.
ISP complaints when it _does_ happen inside? -0- the problem can take care of itself. On a lower level I've done the same thing at home with a little help from, what is it this year?, iptables (I was still thinking chains and miss just fw :). Go ahead and bring your [Windows] laptop in -- here's a port. Virus infected won't even touch the ISP much less my Linux boxes, Powerbook [wife ;], or the beloved PowerMac. Great for testing before rolling it out anywhere... :)
Bah, Microsoft.
How can you blame users for opening attachments or expect them not to? People regularly attach stuff to their e-mails that cannot be embedded inline, like spreadsheet reports, images, word processing documents, etc., etc. Given that a worm e-mail is likely to come from a source you know and "trust" like your friends or co-workers asking the recipient to look at the attachment, it is natural to expect that a significant number of users will try to open the attachment.
How about asking Microsoft to not let its mail clients execute attachments? Given there are no execute permissions on Windows filesystems, when the mail client is asked to open an executable attachment, it should ask the user to save the file while displaying a visible warning that file being saved is an executable and running it may not be safe.
do we have to wait for myDoom.z to come out before we start on numbers? i'm still waiting for myDoom 3 to finally get released over here ;)
how about MS-Doom????
----
so many dreams r swinging out of the blue we let them come true (forever young, alphavile)
Put your stuff back up. I get tons of spam to the e-mail addresses posted on my corporate website but I'm not about to give up, you shouldn't either. Also, be selective about where you put e-mail addresses on web pages or use special e-mail addresses such as sales@ for that kind of stuff.
Just look at it this way; they can only flood us with penis e-mails for so long before nobody is willing to buy their crap anymore.
People just need to understand that e-mail is not a file transfer mechanism. If they want they can put a URL in the e-mail pointing to their file but then you have some kind of accountability at least (and web browsers should not download executable files without a fuss too).
There is almost no reason why anybody would need to send anybody else executable code. And for the one rare instance where I have had to send an executable to a Windows user (a demo of my software) I found it difficult as it is: the user had to be instructed how to save and then execute it.
Virus-writers don't get to name their viruses, the anti-virus companies do that.
Well you seem to be making one mistake....
The virus writers ARE the anti-virus companies!
1) Write a virus with a cool name.
2) Sell it to the anti-virus companies.
3) ?????
4) PROFIT!!!
The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves.
And this is potentially a big kicker... a fast spreading virus that does little apparent damage may not attract such an immediate response, thereby allowing it to spread further. Following this up with a worm with a nasty payload could have major consequences. Separating the means of infection and the payload could be a very clever evolution to make infections that much harder to manage.
What? Geeks who read Slashdot actually have romance in their life?
That's it! I'm suing OSDN for damages relating to the loss of my social life! I'll see you in court, Rob!
1. Spread a virus opening backdoor in infected systems
2. Send spam through these backdoors
3.
4. Profit!
Geek:
1. Spread a virus opening backdoor in infected systems
2. Install seti@home clients through these backdoors
3...
4. Fun!
Slashdot Troll:
1. Spread a virus opening backdoor in infected systems.
2. Change users home page in IE to www.tubgirl.com
3....
4. Fun!
-or-
1. Spread a virus opening backdoor in infected systems.
2. Make infected systems slam /. to get in a first post.
3....
4. Fame!
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
User Friendly I love you.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
used for HTTP connections. fuck me and u'all call urself tech guys?
I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?
ISC and dshield are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater.
So when might they come out with a MyDoom that targets spammers' websites?
Not that I'm trying to give anyone ideas for something like that. Mercy, no! Shame on you for even thinking that!
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
Perhaps, but depending on how you execute this, you'd be walking a fine line between being a good samaritan and being the script kiddie who is causing even more network congestion as your "good" virus propagates.
Anyway, this would still be focusing on the symptoms of the virus instead of the cause.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
sounds like these could apply to unix-family systems also, what with plausible commands such as:
cc -o MyDoom MyDoom.c
cc -o MyQuake MyQuake.c
Time to rein in the compilers? Somebody's gotta work hard to make the FORTRAN variant MyDoom.f
SIGBUS @ NO-07.308
Ever noticed that vir.us is owned by a certain McBride? Coincidence?
cpghost at Cordula's Web.
Anyone got a good SpamAssassin or procmail rule to filter out the backscatter?
I couldn't care less if it weren't for the flood of "you sent us an infected mail" spam that has been flooding my inbox for days because some stupid morons don't know that auto-notifications on virus scanners should be smashes, crucified, cooked in hot oil and quartered before being shot through the head with a shotgun because all the recent viruses fake the damn sender address.
Assorted stuff I do sometimes: Lemuria.org
but it's TRUE, Microsoft has conducted some new promising studies that show their software's security vulnerabilities seem to be inversely proportionate to the number of security analysts they employ. In a bold move, they plan to cut that department's workforce by 2/3 hoping that the trend continues.
:)
hi flamingweasel, this is one of those analogies i spoke of earlier
For the lazy/short-attention-span/ADDHD, here's a quick link to:
Screen shot of MyDoom.A source code (160 KB GIF).
Fucking unfunny crap. God you saps are easy.
so now that we have the source code, as soon that the author is caught will SCO sue it for using some of their IP?
http://mail-abuse.org/dul/
The Dial-up user list.
Mail sent directly from a dial-up ip can be canned at the mail gateway.
Not free tho.
Used in conjunction with a decent email virus scanner for legitimate mail should give pretty good protection against email-borne viruses.
From a business point of view I use www.messagelabs.com for virus and spam filtering.
In the 3 years we've used them no email-borne virus has passed their scanners and reached our systems.
Worst
What's anti-virus software? I can't find that anywhere on my Mac.
Oh, wait, I just answered my own question.
I'll take two!
At first I was wondering why my Portsentry wasn't going crazy throwing IPs into my firewall as "-j DROP", but then it occurred to me that my ISP (NOOS France) was probably blocking the port way upstream.
Are most other ISPs finally taking the matter into their own hands?
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
someone at eweek might see you!
Nice work if you can get it, eh? Well, it's damaging to society to reward the inefficiency and arrogance of the antivirus companies when the national interest is at stake.
What to do? Regulate. Regulate Microsoft, and regulate the AV companies. If Ballmer protests, throw him in Guantanamo Bay. (But if he agrees to place nice and do the monkey boy dance in a TV spot advocating the new regulation, let him out.)
As the fields of energy and accounting have amply demonstrated in recent years, you really don't want to leave anything that's critical to the national infrastructure up to the whims of bean counters. Their self-interest will always lead them to sacrifice the common good, and today the safe network is the very essence of the common good. People are imperfect, true; but our problems are exacerbated because the profit motive has been put ahead of common sense.
i installed Kerio personal firewall on all my computers. then i did a portscan on to all the machines ("cbps.exe" from www.bluebitter.de) and the firewall will pop-up and alert that there's an incoming connection. i told the firewall to create a rule and block the port(s) (incoming and outgoing) permanently.
also don't surf as ROOT/ADMIN. if you catch the worm as a normal user your account won't have enough privileges to write to "%SYSTEMROOT"
i'm not infected. works for me.
all this worm business really shows how many people have NO CLUE about computers. i just hope marketing isn't going to base their next product on the likes of these people, or we'll have a one button computer in a few years time (but then again prolly the guy infected is a guy working in marketing *yawn*)
For this Mydoom worm at least, why not have the ISP have a box that listens for traffic likely to be caused by a worm and then install a counter non worm. That is a program that exploits the hole, fixes it, then deletes itself. It'd more than pay for itself in bandwidth and hassle saved. A similar sort of thing could be built into mailservers, where virus laden e-mails as well as being blocked could be responded to with a patch. Of course there is an issue of trust, maybe, although slightly dangerously, there could be some cryptographic mechanism built into e-mail clients to allow code to just be run automatically. I understand there are abuse issues with this, not just cracking of the key, but abuse by those who have access to it. In a situation where you have a huge body of mostly ignorant users who seem unwilling or too scared to learn then it seems you're not given a lot of choice.
There is an alternative to this of course, educate the users. When the internet and broadband start coming into play, ignorant users start to cause serious problems for everyone else. And when the majority of users are ignorant as they are now. Well we see what happens. How about a mandatory broadband driving test. It took a while for people to realise that untrained drivers shouldn't hurtle about the streets and as networks become vital economic infrastructure allowing untrained users to hurtle about them is just as dangerous. The test need not be hard, maybe there could be small tests to lift bars. A level of understanding to be given access to SMTP/IMAP, another level of understanding to have your inbound ports unfirewalled (what percentage of users would notice if you firewalled all their inbound ports anyway? Those that do should be able to pass the test anyway) etc. etc. That's the true solution to this problem. Start teaching kids the important things in school now, I remember IT classes being pathetic. The most important skill is to learn how to keep learning, and not to fear technology.
Is there anyone that has posted a copy of sync-src-1.00.tbz?
Am i the only one that finds the einstein icon not appropriate to this subject?
One can imagine a future in which such "vigilante" retribution towards companies that are generally perceived to be behaving badly is a significant factor in determining corporate policy.
i.e. Well, if we do , the courts will let us, but the virus community will hit us hard on release day, with consequent profit losses from failed registrations.
That's nothing comparing to the upcoming MyDukeNukemForever. You will see!
I'm also seeing a large rise in connection attempts on 3128 as well - at least as many (if not more) than 3127. Anybody else seeing this?
Logs say it started two weekends ago but really took off on the 9th. Among the first sites that hit me:
My Doom was the day I installed Windows.
Blessed be thy name, M. Gates!
Is that so?
virus
n 1: (virology) ultramicroscopic infectious agent that replicates
itself only within cells of living hosts; many are
pathogenic; a piece of nucleic acid (DNA or RNA) wrapped
in a thin coat of protein
2: a harmful or corrupting agency; "bigotry is a virus that
must not be allowed to spread"; "the virus of jealousy is
latent in everyone"
3: a software program capable of reproducing itself and usually
capable of causing great harm to files or other programs
on the same computer; "a true virus cannot spread to
another computer without human assistance" [syn: computer
virus]
I don't see your "definition" in there. Just to let you know, you're talking out of the wrong hole.
>don't you think it is time we took steps to sandbox the email applications?
Why hasn't it been done already? An email client program doesn't need to install arbitrary software on the system and turn off antivirus software, so it's elementary security design that it shouldn't have the power.
>we need an education campaign.
Don't get me wrong, the long-term solution has to include people getting more "street smart" about their email.
But the industrial safety engineers have been dealing with questions like this for decades and have something to teach us. If you really want to prevent accidents, you won't get very far telling the workers "be more careful" or "follow the rule book". You have to remove or reduce hazards if possible, and always give the workers accurate information about what's happening. If the valves are unlabeled and arranged in some random order, eventually someone *will* turn the wrong one.
Right now we have a huge and unnecessary hazard, namely email client programs that can execute general-purpose computer programs from untrusted sources. We also have a problem analogous to unlabeled valves. Email client programs have been training people every day to double-click attachments.
Idiot users AND idiot OS builders who allow idiot users to install mail servers without a password. Serves'em right.
Who has named it as mydoom.c?, Symantec?
The one who did was obviously a vb coder, you can't name anything .c, besides as .c
WTF am I doing replying to an AC at 5 A.M on a Friday night?
You imply that consumers have actively chosen a particular virus protection, but in reality, every PC vendor supplies an Anti-virus that has a subscription that lasts anywhere from 30-60 days.
Some people may choose to upgrade the definition at the end of that time, but more likely they ignore it.
So it's really a cost-cutting measure from Dell, HP, et al at not supplying a 1-2 year subscription, and the virus companies are guilty for overpricing their subscriptions.
Frankly, I rarely use anti-virus, but I manage not to click stuff sent to me via email. I used to just get warez'd versions of Norton, but with AVG being free for personal use, I don't bother.
Oh, one last thing; running anti-virus constantly slows down your PC significantly; I suggest to people they never turn off their PC and schedule a full scan every night at about 2AM.
When I submitted the same story last night (and was rejected, by the way - has anyone noticed that the slashdot moderators are getting even MORE capricious and arbitrary?) , there was a mention that part of the payload includes the source code (Visual Basic, apparently) to the worm. This should be fun - all sorts of people who wouldn't know how to write a worm now have the source for 'the fastest spreading worm ever'. I predict that ISP level virus monitoring and blocking is less than a year away.
ctx-bridge 3127/tcp CTX Bridge Port
;-)
ctx-bridge 3127/udp CTX Bridge Port
Alexander Dubrovsky (dubrovsky_alex@emc.com)
This is the listing for p3127 - wouldn't it be funny if alex dubrovsky was involved
What was CTX bridge anyway? I can't remember or don't know........
spoonerize "magic trackpad"
No, "we" can't. The backdoor that doomjuice installs will only accept signed executables.
Oh no the latest virus is going to get me! I haven't received enough of my daily dose of FUD. Does anyone know where I can find CNN's homepage?
Michael Jackson? in order to implicate a mysterious clan of coders as the real perpetrators?
It gives your the source code, eh? Maybe they just want to be sued by SCO for releasing "proprietary" code as GPL.
The source code .tbz is available in eMule now. Just search for the file "sync-src-1.00.tbz"
If you feel cocky, you can try to intercept a virus payload by listening on port 3127. You don't need to send any initiating message to the zombie connecting to you, just recv() everything it sends you. The payload should be in .exe format.
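As an added example (not code from any poster here), a defender-side capture listener in the spirit of the comment above: it binds the backdoor port, accepts one connection, reads passively without sending anything back, and reports whether the blob starts with a PE "MZ" header. It also covers the earlier comment about scan volume with a counter of distinct port-3127 sources per 10-minute window, run over constructed iptables-style log lines (the IP addresses are documentation ranges, not real scanners).

```python
import hashlib
import re
import socket
import threading
from collections import defaultdict
from datetime import datetime

PORT = 3127                   # backdoor port left by MyDoom.A/B, probed by DoomJuice
MAX_BYTES = 8 * 1024 * 1024   # cap on what a single peer may push at the listener


def capture_payload(conn, max_bytes=MAX_BYTES, timeout=10.0):
    """Passively read everything the connecting zombie sends; nothing is sent back."""
    conn.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < max_bytes:
            data = conn.recv(65536)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass  # peer went quiet; keep whatever arrived
    return b"".join(chunks)


def describe_payload(blob):
    """Summarise a captured blob: size, PE 'MZ' magic present, SHA-256 for later lookup."""
    return {
        "bytes": len(blob),
        "looks_like_pe": blob[:2] == b"MZ",
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def make_listener(host="0.0.0.0", port=PORT):
    """Bind the honeypot socket; port 0 lets the OS pick a free port (used for the self-test)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def accept_one(srv):
    """Accept a single connection and return (peer_ip, captured bytes)."""
    conn, peer = srv.accept()
    with conn:
        return peer[0], capture_payload(conn)


# iptables LOG line shape, e.g. "Feb  9 12:01:03 gw kernel: IN=eth0 ... SRC=1.2.3.4 ... DPT=3127"
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def sources_per_window(lines, port=PORT, window_minutes=10, year=2004):
    """Count distinct source IPs hitting `port` per time window (syslog lines carry no year)."""
    buckets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        key = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        buckets[key].add(m.group("src"))
    return {k.strftime("%Y-%m-%d %H:%M"): len(v) for k, v in sorted(buckets.items())}


# Constructed sample log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
Feb  9 12:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4112 DPT=3127 SYN
Feb  9 12:03:41 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=3127 SYN
Feb  9 12:04:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4113 DPT=3127 SYN
Feb  9 12:06:55 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=2222 DPT=80 SYN
Feb  9 12:11:20 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=2223 DPT=3127 SYN
""".splitlines()


def loopback_roundtrip(payload):
    """Self-test: serve on an ephemeral loopback port and push `payload` at the listener."""
    srv = make_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    result = {}

    def server():
        ip, blob = accept_one(srv)
        result.update(peer=ip, **describe_payload(blob))

    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
    t.join()
    srv.close()
    return result


if __name__ == "__main__":
    print(loopback_roundtrip(b"MZ\x90\x00" + b"\x00" * 60))   # constructed PE-like stub
    print(sources_per_window(SAMPLE_LOG))
```

Binding the real port 3127 on an internet-facing host is deliberately left to the operator; the self-test only uses loopback.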
...That the image of Einstein on the Slashdot header for this article isn't really an image of Einstein. Noooo, not at all. It's actually a composite representation of what SysAdmins worldwide look like after they get through battling Yet Another Worm, applying the Redmond Empire's Patch(es)-of-the-Month, reminding Clueless (L)users not to click on the pretty executable that came in their E-mail... well, you get the idea...
Bruce Lane, KC7GR,
Blue Feather Technologies
My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.
Yes. That's exactly what I'd be trying to convince her to do for me.
"Hello,
due to inherent security of your box, this worm operates on the honor system:
Please forward this email to all your friends and then delete all your files.
Thank you."
Isn't it obvious why MyDoom.C was released? The intricacy makes it fairly apparent that its either the original author or someone connected with it. Why would they release another variant of their own tool?
After the release of MyDoom.A, there was more than a little speculation that the true hidden purpose of these e-mail worms was to spawn a network of zombied PCs to use for spamming. The 'A' version made it a little too obvious, even with the included red herrings of DoS attacks against SCO and MS. Uh oh. And now Mr. Spammer is getting a little antsy -- has the FBI made the same connection many in the infosec scene have? Uh oh. Time to cover your tracks.
What better way to do that than to release another version of your virus that throws all the investigations off the trail, looking for some OSS Loving Blackhat who'd want to DoS SCO instead of the criminal head of a spam gang trying to enlarge his empire?
And before anyone suggests I put on a tin foil hat...go gather some statistics. Specifically, make a chart of the release of e-mail worms, and another chart of the accuracy-rate of DNSBLs. You'll see, as I did, that as DNSBL accuracy reaches 100% (they contain all currently-zombied hosts), boom, out comes another e-mail worm. The release of MyDoom seems to have gone off poorly -- admins received warning and were prepared, not very many machines (relatively) were infected, and a lot of attention from the infosec community was directed at the source of the releases. I'm sure purely by coincidence, my DNSBL hit rate remains high, and spams by a certain well known individual who I believe to be responsible for this don't seem to be coming at nearly the volume one would expect from such a prolific scumbag.
...and it is amazing that even more exploits have not used them.
Wake up call, American corporations ALREADY decide the president! Big Oil and the Entertainment industry just take turns picking the prez and the rest of congress. ;-)
Close, but no cigar. Hold onto your tinfoil hat!
The real masters of the US are organized crime. Has been so since at least the Nixon-Kennedy election, where both candidates had major mob ties. (And the winner put his brother in as Attorney General, who immediately started a "war on organized crime", using family info to turn the justice department into an enforcer for HIS family attacking its rivals. Possibly the reason both of them were hit.)
Most blatant in recent times was Clinton. I mean come ON! A former governor of Arkansas? Where the whole STATE is run by the branch of the mob that cooled off there from NY whenever things got too hot in the Apple? You don't GET to be governor there unless you're a high boss. Drug running in Mena just for starters. Selling jail-derived blood products to Canada (profiting while spreading AIDS). Turning state police into mistress recruiters. An AMAZING series of inconvenient people dying in airplane crashes. And look at the level of disrespect for all aspects of law-n-order (and suspicious deaths) at all levels of the administration once they went national.
The main effect of the Drug War is to provide price supports and upstart suppression to the large, organized, drug cartels. Gun control (starting with the Sullivan Act) provides victim disarmament, while leaving the crooks armed. Especially convenient for the drug gangs, who don't lose as many of their customers while they're out collecting the cost of the next doses.
Of course that doesn't mean we're that far apart. The entertainment industry, like the casino gambling industry (which they now run, by the way) both arose out of organized crime. The RIAA connection grew from the jukebox protection rackets, and first showed in broadcast during the payola scandals. Meanwhile, lots of mob organizations have laundered their gains and hopped into legitimate business endeavors (often corrupting them in the process. Old habits die hard, and criminal behavior can give a company a competitive edge.)
Thus the RICO act - a dismal failure - attempting to go after the ill-gotten gains laundered into non-criminal enterprise. But RICO was also turned. Now it provides a corrupting influence on the police - giving them a financial incentive to ignore crime and turn to oppression-for-profit, and giving gang-corrupted police departments a weapon to use against rival gangs.
(See? My hat provides better shielding than yours. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Perhaps I am missing something, but it seems to me that ISPs could stop this stuff. For the MyDoom worm, as well as others, if the major ISPs blocked windows executable attachments, they would never get any traction. This new virus is just a piggy back on the original one, so it would never have happened either.
- Nick
Offtopic?! Hah! Put the source code on a website, please!
... This is the SECOND time I have seen an Australian news source report that SCO 'owns the UNIX operating system'... I first saw it on the age website.... Ridiculous! Don't the technology journalists know anything about what's going on with SCO at the moment? If they had said 'SCO, which owns their own unix-like proprietary operating system' it would have been fine.
Or at least cheap shot... (-:
Got time? Spend some of it coding or testing
Wake me when there will be some new Linux or DOS virus. The real one. Weighing about 700-1k bytes and with polymorphic and stealth abilities at least.
Funny is that today's antivirus programs are extremely similar to simple string-search programs, if not the same. Old ones, like drweb or avpro were able to analyze code and rate it to be safe or not. so it was also able to find ANY morphing or self-hiding codes, so didn't need updates to function well on new real viruses too. Update just gave it ability to correctly name it, or tell for sure about infection.
I am waiting for the cheerful moment when such a good piece of code will spread around for win3.11 new GUIs like winXP, NT or any of so called "win32".
Just a tip for new viruswriters - windows has a great thing that anything what it will decide as an "update" will be allowed to replace system files, and later anything else will not be allowed to change these files. So virus can get a good protection against ANY antivirus software. Only formatting will help for sure. However if we combine it with BIOS update (at first reboot after infection) and stealth thingies, like it detects when antivirus program or something is aggressively scanning memory and hiding in other parts of it (for example in data arrays of antivirus program itself). memory segment protection will not take place if virus has gained trusty access to flat memory like antivirus progs or windows sys trash have.
Hooray!
Cthulhu loves you.