Slashdot Mirror

← Back to Stories (view on slashdot.org)

MyDoom.C Making Its Way Across The Net

Posted by timothy on from the funny-it-isn't-affecting-me dept.

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsofts website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.

7 of 519 comments (clear)

  1. Re:Part of the story? by centralizati0n · · Score: 5, Informative

    3127 is apparently the backdoor created by the other mydoom viruses. As another poster mentioned, its a giant botnet, now at someone's disposal.

  2. no backdoor by stev_mccrev · · Score: 5, Informative

    This version appears to be a very stripped down version of it's earlier cousins since it also doesn't leave a backdoor into infected machines

    It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.

    This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.

  3. Re:Any legit use for 3127? by rusty0101 · · Score: 4, Informative

    It should be safe to block. I did a 'grep 312 /etc/services' and came back with only one hit, 3128 for Squid proxy. That should be blocked at your firewall as well, as having it available to external users can open your mail server to become a spam server if you have them both on the same network. So you could probably block the range 3120-9 with out any negative impact.

    -Rusty

    --
    You never know...
  4. Re:Any legit use for 3127? by grub · · Score: 5, Informative


    Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.

    --
    Trolling is a art,
  5. Netcraft confirms it... by hkfczrqj · · Score: 5, Informative

    Microsoft is dying.

  6. Nimda by tepples · · Score: 5, Informative

    I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.

    Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.

  7. Port 3127 by retro128 · · Score: 4, Informative

    What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.

    The writeup from Symantec is here.

    --
    -R