MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
Anyone infected by email virii should have their internet access revoked for being too damn stupid. Stop opening every fucking attachment you get, morons!
Did you happen to notice the part where it said "This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127"?
3127 is apparently the backdoor created by the other MyDoom viruses. As another poster mentioned, it's a giant botnet, now at someone's disposal.
"This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines"
It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.
This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.
It should be safe to block. I did a 'grep 312 /etc/services' and came back with only one hit, 3128 for Squid proxy. That should be blocked at your firewall as well, as having it available to external users can open your mail server to become a spam server if you have them both on the same network. So you could probably block the range 3120-9 without any negative impact.
-Rusty
You never know...
Orange:~/PhD> cat /etc/services | grep 3127
ctx-bridge 3127/udp # CTX Bridge Port
ctx-bridge 3127/tcp # CTX Bridge Port
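The two posts above disagree about what a blanket "block 3120-9" rule would hit, because each poster's /etc/services differs. The script below is an added example (not from the thread) that parses text in /etc/services format and lists every entry inside a candidate block range, separating the port you meant to block from collateral entries. The sample lines are constructed for this example; on a real host you would read /etc/services itself. The squid entry is an assumed local addition, since stock files often do not carry one.

```python
"""Review a range-based firewall block rule against /etc/services entries."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  # comment
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed excerpt for this example)
ssh             22/tcp
ssh             22/udp
ctx-bridge      3127/tcp                        # CTX Bridge Port
ctx-bridge      3127/udp                        # CTX Bridge Port
squid           3128/tcp                        # Squid proxy (assumed local addition)
icpv2           3130/udp                        # ICP, Squid inter-cache protocol
"""

# name, port/proto at the start of a line; aliases and comments may follow
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\b")

Entry = Tuple[str, int, str]  # (service name, port, protocol)


def parse_services(text: str) -> List[Entry]:
    """Return (name, port, proto) for every non-comment entry in the text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m["name"], int(m["port"]), m["proto"]))
    return entries


def entries_in_range(text: str, low: int, high: int) -> List[Entry]:
    """Entries whose port falls inside the inclusive range [low, high]."""
    return [e for e in parse_services(text) if low <= e[1] <= high]


def review_block_rule(text: str, low: int, high: int,
                      intended_ports: set) -> Dict[str, List[Entry]]:
    """Split the entries a range rule would cover into intended hits and collateral.

    Anything in the range that is not in intended_ports is something the rule
    blocks as a side effect and deserves a second look before deployment.
    """
    covered = entries_in_range(text, low, high)
    return {
        "intended": [e for e in covered if e[1] in intended_ports],
        "collateral": [e for e in covered if e[1] not in intended_ports],
    }


if __name__ == "__main__":
    # The rule proposed in the thread: block 3120-3129 to stop MyDoom.A's 3127 backdoor.
    report = review_block_rule(SAMPLE_SERVICES, 3120, 3129, {3127})
    for kind, hits in report.items():
        print(kind)
        for name, port, proto in hits:
            print(f"  {name:<12} {port}/{proto}")
```

Run it as-is to see the report for the constructed file, or replace SAMPLE_SERVICES with the contents of a host's /etc/services; the "collateral" list is the part to review, since a registered name there does not prove anything listens on that port, but it does flag what the range rule silently covers.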
Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.
Trolling is a art,
MSN Messenger is down for me as well. I'm just glad to see that the Messenger Network Status page is up to the task of telling us if things are up or down (not!).
-JackAsh
Microsoft is dying.
Whoa there baby... lest you forget what happened with Blaster last year? Someone wrote Welchia - which had a _very very very aggressive_ ICMP scanning technique which brought many networks to their knees.
The university I work at still has ICMP disabled because of Welchia.
I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.
Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.
Doomjuice distributes source code for MyDoom.A
Making this one of the first high-profile open-source viruses?
<zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>
Possibly - can't say for sure, but if the actual MSN Messenger works anything like the IM features of Exchange 2k it does rely on an IIS webserver for most of its functionality; if their webservers are the same as used for MSN this could cause it.
Also, Netcraft is reporting that they are dropping requests without a user agent, and from logs on my windoze servers it appears the exchange version does not report one.
grep 3127 /etc/services
Cthulhu loves you.
They were attacking SCO?
Hmm, only 25% of infected machines attacked SCO, the rest kept spreading the virus.
The attack on SCO was a cover. YHBT by a virus.
Take a look on Groklaw for a little info.
What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.
The writeup from Symantec is here.
-R
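Since MyDoom.C only looks for the TCP 3127 backdoor that MyDoom.A opened, a border firewall that logs dropped inbound SYNs already has what is needed to spot scanning hosts. The script below is an added example, not from the thread or from any vendor writeup: it parses iptables-style log lines (an assumed format; adjust the regex for other firewalls), counts distinct destinations each source probes on TCP 3127, and reports sources above a threshold as likely infected scanners. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Flag hosts scanning for the MyDoom.A backdoor port from firewall drop logs."""
import re
from collections import defaultdict
from typing import Dict, List, Set

BACKDOOR_PORT = 3127  # TCP port opened by MyDoom.A/.B and probed by MyDoom.C

# Constructed iptables-style log lines (assumed log prefix "IPT-DROP").
SAMPLE_LOG = """\
Feb  9 10:01:02 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=4021 DPT=3127 SYN
Feb  9 10:01:02 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=4022 DPT=3127 SYN
Feb  9 10:01:03 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=4023 DPT=3127 SYN
Feb  9 10:01:03 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=4024 DPT=3127 SYN
Feb  9 10:01:05 fw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=3128 SYN
Feb  9 10:01:06 fw kernel: IPT-DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=3333 DPT=3127 SYN
Feb  9 10:01:07 fw kernel: IPT-DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=UDP SPT=3333 DPT=3127
"""

# Fields in the order iptables emits them; only the ones we need are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\w+)\s+"
    r"SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def tcp_probes_by_source(lines: List[str], port: int = BACKDOOR_PORT) -> Dict[str, Set[str]]:
    """Map each source address to the set of destinations it probed on TCP <port>.

    UDP hits and other ports are ignored: the backdoor is a TCP listener, and a
    single 3128 probe is ordinary proxy noise, not backdoor hunting.
    """
    probes: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line or different format
        if m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        probes[m["src"]].add(m["dst"])
    return dict(probes)


def likely_scanners(lines: List[str], min_targets: int = 3,
                    port: int = BACKDOOR_PORT) -> Dict[str, int]:
    """Sources that hit at least min_targets distinct hosts on TCP <port>.

    One probe can be a stray connection; several different targets in a short
    window is the sweeping behaviour the worm exhibits.
    """
    return {src: len(dsts)
            for src, dsts in tcp_probes_by_source(lines, port).items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in likely_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {n} hosts on tcp/{BACKDOOR_PORT}: likely MyDoom.C scanner")
```

A flagged external source is a candidate for the block list or an abuse report to its network; a flagged internal source is the more urgent finding, because a machine sweeping your own LAN for 3127 is itself infected. Tune min_targets to the size of the address space the firewall fronts.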
He isn't 110% right on that point, because I've set this up for several organizations.
Now, as I said, this may have changed with the newer versions: I can't say, because I haven't used them. But with the 4.x versions, you can either manually enter the alternate FTP server, or just edit the registry settings via logon script (which is what I did). The only thing I *couldn't* do via registry changes was, strangely enough, enabling the ability to check for updates on a schedule. I could tell it where, when, and how to get the updates, just not to actually do it. This also wasn't in any config file either; I have no idea how it saved that info.
Manipulate the moderator system! Mod someone as "overrated" today.
People just need to understand that e-mail is not a file transfer mechanism. If they want they can put a URL in the e-mail pointing to their file but then you have some kind of accountability at least (and web browsers should not download executable files without a fuss too).
There is almost no reason why anybody would need to send anybody else executable code. And for the one rare instance where I have had to send an executable to a Windows user (a demo of my software) I found it difficult as it is; the user had to be instructed how to save and then execute it.
The script could even contain an embedded image that it decompresses and starts with the web browser - so the user doesn't notice anything went wrong.
Repeat with Perl or csh scripts as necessary until Linux users get the message that Linux is not an event of the same order of magnitude as the 2nd coming of Christ. I mean, what moron decided plain text files were going to be executable simply by having a "#!env perl" in the first line? You don't even need the file extension with Unix.
I read somewhere that MyDoom was named because the virus when viewed in an ASCII viewer contains an amount of freetext that was meant to say 'mydomain' but instead it was mis-spelt in the virus to say 'mydoomain' - hence MyDoom.
I installed Kerio Personal Firewall on all my compis. Then I did a portscan on all the machines ("cbps.exe" from www.bluebitter.de); the firewall will pop up and alert that there's an incoming connection. I told the firewall to create a rule and block the port(s) (incoming and outgoing) permanently.
Also, don't surf as ROOT/ADMIN. If you catch the worm as a normal user your account won't have enough privileges to write to "%SYSTEMROOT". I'm not infected. Works for me.
All this worm business really shows how many people have NO CLUE about computers. I just hope marketing isn't going to base their next product on the likes of these people, or we'll have a one button computer in a few years time (but then again prolly the guy infected is a guy working in marketing *yawn*)
And you're still safe from people doing that if you mount /home with noexec.