Slashdot Mirror


MyDoom.C Making Its Way Across The Net

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.

5 of 519 comments

  1. Is it just getting started? by LostCluster · · Score: 5, Insightful

    The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do anyway. And also proved how many users aren't running any anti-virus at all.

    Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody guarding that door.

    The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.

    Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possibility of DoomJuice2 coming out with a worse payload.

    To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
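
    The comment above is about finding the boxes that still answer on TCP 3127. Here is an added example (not code from the thread or from any of the linked reports) that does the simplest version of that check: a TCP connect to port 3127 on each host in a list. A completed handshake only means something accepted the connection, so treat a hit as a lead to investigate, not as proof of infection. The host list is constructed, and a throwaway loopback listener stands in for an infected machine so the script runs offline.

```python
"""Find hosts with a listener on TCP port 3127 (the port the summary says the worm scans for).

Added example, not from the thread. An open 3127 is an indicator to investigate,
not proof of infection. The listener started below is a stand-in for an infected
host so the script can be run with no network access.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple

BACKDOOR_PORT = 3127  # port named in the story summary


def port_is_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name did not resolve
        return False


def scan(hosts: Iterable[str], port: int = BACKDOOR_PORT) -> Dict[str, bool]:
    """Map each host to whether `port` accepted a connection."""
    return {host: port_is_open(host, port) for host in hosts}


def start_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Accept-and-close listener on 127.0.0.1 (stands in for an infected host).

    port=0 lets the OS pick a free port, so the demo never collides with a real
    3127 listener on the machine running it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """A loopback port with no listener: bind to 0, note the port, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()  # pretend this is a machine with the backdoor
    hosts = ["127.0.0.1"]         # constructed host list; use your subnet for real
    for host, is_open in scan(hosts, port).items():
        state = "OPEN - investigate" if is_open else "closed"
        print(f"{host}:{port} {state}")
    other = closed_port()
    print(f"127.0.0.1:{other} {'open' if port_is_open('127.0.0.1', other) else 'closed'}")
    srv.close()
```

    For a real sweep, call `scan(hosts)` with the default port against the address range you are responsible for, and follow each hit up on the box itself; a port scan on its own tells you nothing about what is listening.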

  2. Not really MyDoom.C by jakoz · · Score: 5, Insightful

    Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesn't have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.

    The MyDoom.C name used in links such as the ABC one is probably for good headlines.

  3. Re:Any legit use for 3127? by stratjakt · · Score: 5, Insightful

    You should block all incoming ports you don't need. Only open ones for services you deliberately run, like a game server or ftp or whatever.

    At home I have only ssh exposed to the world, and on a nonstandard port at that. From there I can ppp over ssh and do whatever I want. Fine for a home network at least.

    Outgoing ports I only monitor logs from now and then, to make sure a virus/trojan didn't find its way on to my wife's, or one of the kids', boxes.

    --
    I don't need no instructions to know how to rock!!!!
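
    The "check the outgoing logs now and then" part of the comment above is easy to automate. What follows is an added example (not the commenter's setup) that reads firewall LOG lines for new outbound connections and flags destination ports outside an allow-list, then counts hits per internal host so one box making a burst of connections stands out. The log lines are constructed; they have the shape of iptables LOG output from a rule such as `iptables -A FORWARD -o ppp0 -m conntrack --ctstate NEW -j LOG --log-prefix "OUT-NEW "` (an assumed rule), and the allow-lists are an assumption about this particular home network.

```python
"""Flag outbound connections in firewall LOG lines that go to ports you don't expect.

Added example, not from the thread. SAMPLE_LOG is constructed in the format of
iptables LOG output; the "OUT-NEW" prefix, interface name and allow-lists are
assumptions about the network being watched.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Ports this network is expected to talk to (assumption for the example).
ALLOWED_OUTBOUND_TCP = {22, 25, 80, 443}
ALLOWED_OUTBOUND_UDP = {53, 123}

# SRC/DST/PROTO are always present; SPT/DPT only for TCP and UDP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: 192.168.1.22 tries port 3127 on two outside hosts.
SAMPLE_LOG = """\
Feb  9 10:12:01 gw kernel: OUT-NEW IN= OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  9 10:12:03 gw kernel: OUT-NEW IN= OUT=ppp0 SRC=192.168.1.22 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1042 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  9 10:12:03 gw kernel: OUT-NEW IN= OUT=ppp0 SRC=192.168.1.22 DST=198.51.100.78 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1043 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  9 10:12:04 gw kernel: OUT-NEW IN= OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.9 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=48
Feb  9 10:12:05 gw kernel: OUT-NEW IN= OUT=ppp0 SRC=192.168.1.22 DST=198.51.100.79 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Pull source, destination, protocol and destination port out of one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = m.group("dpt")
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(dpt) if dpt else None,  # None for ICMP and other portless protocols
    }


def is_unexpected(event: Dict[str, object]) -> bool:
    """True for TCP/UDP flows whose destination port is outside the allow-list."""
    allowed = {"TCP": ALLOWED_OUTBOUND_TCP, "UDP": ALLOWED_OUTBOUND_UDP}.get(event["proto"])
    if allowed is None or event["dpt"] is None:
        return False  # ICMP and anything without a port are not judged here
    return event["dpt"] not in allowed


def unexpected_flows(lines: Iterable[str]) -> List[Dict[str, object]]:
    """All parsed events that fail the allow-list check."""
    events = (parse_line(line) for line in lines)
    return [ev for ev in events if ev is not None and is_unexpected(ev)]


def per_source(findings: Iterable[Dict[str, object]]) -> Dict[tuple, int]:
    """Count unexpected flows by (source, protocol, port); a burst from one box stands out."""
    return dict(Counter((ev["src"], ev["proto"], ev["dpt"]) for ev in findings))


if __name__ == "__main__":
    hits = unexpected_flows(SAMPLE_LOG.splitlines())
    for key, count in sorted(per_source(hits).items()):
        src, proto, dpt = key
        print(f"{src} -> {proto}/{dpt}: {count} new connection(s) outside the allow-list")
```

    Run against a real log, the allow-list is the part to tune: start from the ports your hosts legitimately use, and anything left over is what you go and look at on the machine in question.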

  4. Re:This just in... by root_42 · · Score: 5, Insightful

    This sounds just like the firewall admin who said "We never have been hacked or even been tried to be hacked." This guy will almost absolutely surely have missed some attacks and does not watch his logfiles.

    How can you say that you never had a virus when you never used an AV-scanner? Some viruses may not be noticeable when on your system.

    --
    [--- PGP key and more on http://www.root42.de ---]

  5. Re:mydoom source by Anonymous Coward · · Score: 5, Insightful

    You don't even need the file extension with Unix.

    No, but you do need to have run chmod u+x on the file... By default files aren't executable. Scripts (executable text files) are run by the interpreter which is specified on the first line of the script. Binary files have a magic number, which is used to determine the appropriate way to load and run them.
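
    The three things the comment above lists (the execute bit, the interpreter named on the first line, the magic number in a binary) can all be checked from user space. Here is an added example, not code from the thread, that classifies a file the way the kernel would: is any execute bit set, does it start with `#!` and name an interpreter, or does it carry the ELF magic number. It builds its own sample files in a temporary directory (constructed data), shows the execute bit flipping when the equivalent of `chmod u+x` is applied, and assumes a Unix-like system where `/bin/sh` is a plausible interpreter path.

```python
"""Classify how a Unix kernel would run a file: execute bit, shebang, or magic number.

Added example; it is not code from the thread. The sample files are constructed
in a temporary directory, and /bin/sh in the sample script is an assumed
interpreter path. POSIX mode bits are used, so this is Unix/Linux only.
"""
import os
import stat
import tempfile
from typing import Dict

ELF_MAGIC = b"\x7fELF"  # magic number the kernel's ELF loader checks first
SHEBANG = b"#!"         # start of an interpreter script
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def has_exec_bit(path: str) -> bool:
    """True if any of the user/group/other execute bits is set."""
    return bool(os.stat(path).st_mode & ANY_EXEC)


def loader_kind(path: str) -> Dict[str, object]:
    """Decide from the leading bytes which loader would handle the file."""
    with open(path, "rb") as f:
        head = f.readline(256)  # enough for a shebang line or the ELF magic
    if head.startswith(SHEBANG):
        parts = head[2:].strip().split(None, 1)
        interpreter = parts[0].decode(errors="replace") if parts else ""
        return {"kind": "script", "interpreter": interpreter}
    if head.startswith(ELF_MAGIC):
        return {"kind": "elf", "interpreter": None}
    return {"kind": "data", "interpreter": None}


def exec_check(path: str) -> Dict[str, object]:
    """Combine mode bits and content: would execve() accept this file?

    Without an execute bit the kernel answers EACCES whatever the content is;
    with one set but no recognised format it answers ENOEXEC (shells may then
    fall back to running the file as a shell script, which is not modelled here).
    """
    info = loader_kind(path)
    info["exec_bit"] = has_exec_bit(path)
    info["execve_ok"] = bool(info["exec_bit"]) and info["kind"] != "data"
    return info


def chmod_u_plus_x(path: str) -> None:
    """Same effect as `chmod u+x path`: add the owner execute bit, keep the rest."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def write_sample(directory: str, name: str, content: bytes, executable: bool = False) -> str:
    """Write a constructed sample file; open() never sets execute bits by itself."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    if executable:
        chmod_u_plus_x(path)
    return path


def run_demo() -> Dict[str, object]:
    """Build three constructed files and report how each would be treated."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        script = write_sample(d, "hello.sh", b"#!/bin/sh\necho hello\n")
        results["script_before"] = exec_check(script)
        results["access_before"] = os.access(script, os.X_OK)  # False: no exec bit yet
        chmod_u_plus_x(script)
        results["script_after"] = exec_check(script)
        results["access_after"] = os.access(script, os.X_OK)   # True unless the mount is noexec
        # A minimal ELF header: magic, 64-bit class, little-endian, version 1, padding.
        elf = write_sample(d, "a.out", ELF_MAGIC + b"\x02\x01\x01" + bytes(13), executable=True)
        results["elf"] = exec_check(elf)
        results["text"] = exec_check(write_sample(d, "notes.txt", b"just text\n"))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

    The point the comment makes falls out of the results: the same script is refused before `chmod u+x` and accepted after, with the interpreter taken from its first line, while the binary is identified by its magic bytes rather than by its name or extension.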