Slashdot Mirror


MyDoom.C Making Its Way Across The Net

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.

11 of 519 comments

  1. Re:Part of the story? by centralizati0n · · Score: 5, Informative

    3127 is apparently the backdoor created by the other MyDoom viruses. As another poster mentioned, it's a giant botnet, now at someone's disposal.

  2. no backdoor by stev_mccrev · · Score: 5, Informative

    This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines

    It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.

    This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.

  3. Re:Any legit use for 3127? by rusty0101 · · Score: 4, Informative

    It should be safe to block. I did a 'grep 312 /etc/services' and came back with only one hit, 3128 for Squid proxy. That should be blocked at your firewall as well, as having it available to external users can open your mail server to become a spam server if you have them both on the same network. So you could probably block the range 3120-9 without any negative impact.

    -Rusty

    --
    You never know...
  4. Re:Any legit use for 3127? by grub · · Score: 5, Informative


    Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.

    --
    Trolling is a art,
  5. Re:MSN messenger? by JackAsh · · Score: 3, Informative

    MSN Messenger is down for me as well. I'm just glad to see that the Messenger Network Status page is up to the task of telling us if things are up or down (not!).

    -JackAsh

  6. Netcraft confirms it... by hkfczrqj · · Score: 5, Informative
  7. Nimda by tepples · · Score: 5, Informative

    I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.

    Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.

  8. It's an open source virus! by tepples · · Score: 3, Informative

    Doomjuice distributes source code for MyDoom.A

    Making this one of the first high-profile open-source viruses?

    <zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>

  9. Re:Part of the story? by PacoTaco · · Score: 3, Informative
    Some PhD! You know, you can just do:

    grep 3127 /etc/services

  10. Port 3127 by retro128 · · Score: 4, Informative

    What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.

    The writeup from Symantec is here.

    --
    -R
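The comments above agree that TCP 3127 is the listener left behind by MyDoom.A/.B and that MyDoom.C (Doomjuice) finds victims by probing for it. The scanner below is an added example for defenders, not code from the thread or from any of the reports it links to: it does the same probe a sysadmin would run to find still-backdoored hosts on a network. It only tests whether the port accepts a TCP connection, so a hit means "something is listening on 3127", not a confirmed infection; the `start_decoy_listener` helper stands in for an infected host so the script can be exercised offline, and the CIDR argument and helper names are this example's own choices.

```python
"""Find hosts with TCP 3127 open (the MyDoom.A/.B backdoor port that
Doomjuice probes). Added example; not from the original Slashdot thread."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Port named in the thread as the MyDoom.A/.B backdoor and Doomjuice's target.
MYDOOM_BACKDOOR_PORT = 3127


def port_is_open(host, port=MYDOOM_BACKDOOR_PORT, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout.

    A completed handshake only proves something is listening; it does not
    identify the listener as MyDoom, so treat hits as leads to verify."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route, ...
        return False


def scan_hosts(hosts, port=MYDOOM_BACKDOOR_PORT, timeout=1.0, workers=64):
    """Probe every host concurrently; return those with the port open,
    preserving input order (pool.map keeps ordering)."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda h: port_is_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, verdicts) if is_open]


def expand_cidr(cidr):
    """Expand a CIDR block such as '192.0.2.0/24' into usable host addresses
    (network and broadcast addresses are skipped)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def start_decoy_listener(host="127.0.0.1"):
    """Open a throwaway listener on an ephemeral port to stand in for an
    infected host during a dry run; returns (port, server_socket). The
    caller closes the socket. Connections queue in the backlog, which is
    enough for port_is_open's handshake to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    # Usage: python scan3127.py 192.0.2.0/24   (hypothetical range; no argument
    # scans only localhost, which is a harmless way to confirm the script runs)
    targets = expand_cidr(sys.argv[1]) if len(sys.argv) > 1 else ["127.0.0.1"]
    for h in scan_hosts(targets):
        print(f"{h}: TCP {MYDOOM_BACKDOOR_PORT} open -- check for MyDoom.A/.B backdoor")
```

Run it against your own address space only; probing other people's networks for 3127 is exactly what Doomjuice does. Hosts that answer should be pulled off the network and cleaned rather than just firewalled, since the backdoor stays usable from inside the LAN.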
  11. Re:Is it just getting started? by t0ny · · Score: 3, Informative
    Ya, and so was I. You can use an FTP server as your distribution point. You don't HAVE to point it at McAfee's FTP server.

    He isn't 110% right on that point, because I've set this up for several organizations.

    Now, as I said, this may have changed with the newer versions: I can't say, because I haven't used them. But with the 4.x versions, you can either manually enter the alternate FTP server, or just edit the registry settings via logon script (which is what I did). The only thing I *couldn't* do via registry changes was, strangely enough, enabling the ability to check for updates on a schedule. I could tell it where, when, and how to get the updates, just not to actually do it. This also wasn't in any config file either; I have no idea how it saved that info.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.