MyDoom.C Making Its Way Across The Net

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsofts website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.

MyDoom

[Paleomacus]

What a stupid name for a virus. The writer must be planning to get caught.

Re:MyDoom

[Paleomacus]

Really? Kinda like hurricanes and tropical storms then eh? That's kind of a funky analogy.

Re:MyDoom

[funwithstuff]

MyDoom got its name from a typo. The BBC says:

The Mydoom virus gets its name from a spelling mistake in the code inside the virus. Instead of writing "my domain" the creator wrote "my doomain".

But yeah, the anti-virus companies named it.

Is it just getting started?

[LostCluster]

The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do any way. And also proved how many users aren't running any anti-virus at all.

Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody gaurding that door.

The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.

Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possible of DoomJuice2 coming out with a worse payload.

To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.

Re:Is it just getting started?

[SuperBanana]

And also proved how many users aren't running any anti-virus at all.

Actually, we have the antivirus companies mostly to blame for this one; they discovered it wasn't enough to sell people the software(and that coming up with new features to get upgrades was difficult), but they had to lock them into updates too; pure corporate greed. Instead, people either don't realize they're no longer getting updates, or they think the older definitions will work just fine. I tell people either to update their subscription, or to use a mailer other than Outlook if possible and run any of the various free virus scanning tools(McAfee and Trend for example both have free web-based scanners) on a regular basis or whenever the system starts doing weird stuff.

Lastly- some vendors dragged their feet. McAfee took almost 2-3 days to release "regular" definitions which could either be downloaded to your proxy server and then deployed to all your clients...or downloaded by clients automatically. Until they did it, you had to download special "extra" definition files, put them in certain folders, etc. Ie, impossible for the end-user, and a pain in the ass for small businesses without the tools to deploy stuff like that easily automatically.

Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio.

Except for all the systems behind firewalls that got infected because they got the virus via email...

Right now, this patch seems to not have much of a payload.

Who said anything about it being a patch? Ok, so maybe it is- but "not much of a payload" doesn't mean much, since a compressed diff can be very small...

By the way- off-topic rant, McAfee's corporate software sucks. You can run a mirror of their definitions, but you need Windows Server to do it(2k or 2003). You can deploy sitewide policies, but you need to build it into the installer and any further changes require an overblown management system that needs Windows Server AND MS SQL Server. it gets better- unlike NAV and others, you can't do email scanning on anything except Outlook(NAV has supported POP/IMAP scanning via proxy for years). And the best part? If you get a virus alert from the on-access scan, the user can't click any of the action buttons, because get this- and I swear, this was straight from the mouth of a McAfee rep- "they'll always click ignore to make it go away". "So why did you also disable the delete and quarantine buttons as well?!?" NAV and others let you restrict what option set the user gets(so they can delete, but not ignore...or do whatever). Last but not least, their support is mostly based out of india.

MSN messenger?

[Quixotic]

Does anyone know if it is slamming the msn messenger service as well? I havn't been able to connect to it recently, and it seems to be a network wide outage, since other people are having problems as well....

Not really MyDoom.C

[jakoz]

Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesnt have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.

The MyDoom.C name used in links such as the ABC one is probably for good headlines

Re:Part of the story?

[centralizati0n]

3127 is apparently the backdoor created by the other mydoom viruses. As another poster mentioned, its a giant botnet, now at someone's disposal.

Seems to be doing some damage already.

[IllogicalStudent]

MyDoom.C's effects seem to already be felt. My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.

No shutoff date?

[ArsonPanda]

I never understood why viruses/worms/whatever bother to include shutoff dates. "hum, I really hate SCO, so I'm going to DDoS them, but only for a few days" Why?

Re:No shutoff date?

[VertigoAce]

I've seen speculation that some authors do it so their previous work won't clobber whatever their new project is. It might also be useful to get around certain automated anti-virus tactics. On a university network it isn't uncommon to disconnect a computer that seems to be infected with a particular virus (ie all addresses resolve to a page telling you that your computer is infected and pointing you in the right direction). So after a few days all of the infected computers suddenly act like normal ones, ready to be infected with the next variant.

no backdoor

[stev_mccrev]

This version appears to be a very stripped down version of it's earlier cousins since it also doesn't leave a backdoor into infected machines

It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.

This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.

Any legit use for 3127?

[LostCluster]

Are there any real applications that use port 3127, or can we safely block that port at our firewalls?

Re:Any legit use for 3127?

[nmoog]

Yeah, port 3127 is used for DoS attacks on Microsoft. Its best to leave it open.

Re:Any legit use for 3127?

[grub]

Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.

Re:Any legit use for 3127?

[stratjakt]

You should block all incoming ports you dont need. Only open ones for services you deliberately run, like a game server or ftp or whatever..

At home I have only ssh exposed to the world, and on a nonstandard port at that. From there I can ppp over ssh and do whatever I want. Fine for a home network at least.

Outgoing ports I only monitor logs from now and then, to make sure a virus/trojan didnt find its way on to my wifes, or one of the kids boxes.

Re:Any legit use for 3127?

[lakeland]

to make sure a virus/trojan didnt find its way on to my wifes

Learn how to use the apostrophe key. Else you might get misunderstood.

Re:mydoom source

[Comatose51]

The day when someone can pass the source code for a virus around and tell people how to compile and then run it in the email is the day I lose faith in humanity, which given what has transpired already isn't too far off. :-)

Target American Idol !!!

[simetra]

This is the perfect opportunity for someone to fix American Idol, by getting all those zombie computers to dial and vote for their favorite singers!

Re:Target American Idol !!!

[Lars+T.]

You make it sound like a bad thing - it can't get much worse. Instead of corporations, the best hackers would decide who runs America.

Parasitic Viruses attacking My-Doom Infected Boxen

[billstewart]

Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)

MyQuake

[Neo-Rio-101]

After MyDoom.c we can probably expect MyQuake.a, as well as a sequel MyQuake.b... and maybe even MyReturnToCastleWolfenstein.a Unfortunately MyDoom.3d will only run on the latest graphics cards and DirectX9 hardware... and will spend years in development. Andy better not be working at id

Re:MyQuake

[b0r0din]

MyDoom.Forever!

Netcraft confirms it...

[hkfczrqj]

Microsoft is dying.

Re:Somebody please...

[Qzukk]

Err Huh?

The only way to find the computers with open ports is to scan them. And this is what is the big problem with the counterworms. They infect a host and go on the offensive, spewing as much traffic as the original infected host did, making us scratch our heads and wonder why.

I wish people would take the high road and let the losers who can't admin their way out of a paper bag wallow around in their own ignorance, but if you feel like you must absolutely write a counterworm, please, please, PLEASE make it only counterattack against boxes that are connecting to the host!

For example, instead of scanning for machines, simply lie in wait on a computer, and when something connects to you on 3127, then attack and clean that computer, and only that computer.

Nimda

[tepples]

I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.

Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.

Re:Nimda

[nuckfuts]

He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway.

Maybe that's because the name Concept Virus was already taken.

The original Concept Virus was a significant milestone - the first virus written to infect MS-Word documents (using Word's own macro language - thanks Microsoft, we really need all that capability in a word processor). It was the start of an era where macro viruses became the most prevalent method of virus transmission on the planet, surpassing boot sector viruses (remember floppy diskettes?) and other formerly common methods.

Macs are feeling it, too

[Undefined+Parameter]

I own two Macs, so don't take this as a troll, please.

Right now, Macs are feeling the effects of this virus, too; it's slowing down internet connections for ALL platforms thanks to the fact that it's indiscriminately flooding networks with "noise" in trying to find other machines with the MyDoom-opened port. To my knowledge, it doesn't stop searching, either.

And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so. Not only is YOUR "counter-virus" going to add to the network congestion, but it may well become a problem itself if it's not written just right. In other words, the cure might be worse than the disease.

For the short term, we need an education campaign. Teach the standard (and sub-standard) users of the world how to identify a virus, how to prevent getting infected, and why they should care. As the old saying goes, "you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."

~UP

eternal return

[veg_all]

I was fascinated by the zombifying worms, spreading across the internet making unsuspecting hosts into proxy spam servers, but now I'm beginning to wonder if worm harvesters will have to be written and (by mutual agreement) released onto the net. I still get code red droping by all the time (it can have my default.ida, for all I care; I'm through with it), and new kiddies write them at such an increasing pace that one New York Times article about worms recently needed two slashdot articles by the time it was posted. Might they start (at some point in the future) to actually start to "clog" the internet? Hell, they already do; the network where I work was brought to a crawl more than once over the last year because of them (and the idiots who administer the network, but that's another rant). Anyway, when worms constitute more than 50% of the traffic more than 50% of the time, some regulatory body is going to propose spidering worm-eaters. It'll be like "core wars" all over again (everything comes full circle sooner or later).

Wonderful

[ngyahloon]

A Microsoft spokesman said Monday that any performance problems on the company's site are likely related to countermeasures the company took to evade the MyDoom.B DDoS attack and not an attack from machines infected with the latest variant."

So in other words, to prevent MyDoom from DDoSing Microsoft's website, Microsoft decides to DDoS themselves instead. What a wonderful world!

crap

[MisterFancypants]

First Half Life 2, now the C source of Doom 3 is out in the wild... Damn, now we'll never see these games.

MyDaikatana

[t0ny]

I heard Romero has been working on the MyDaikatana.a worm for the past five years. Unfortunately, he released it into the wild and nobody noticed; it apparently couldnt spread.

Re:What about a CodeBlue variant?

[mrtroy]

You know when you feel like you have something really clever to say and want to say it really bad cuz you think its so amazing?

Here it is!

Why dont I create a machine that will fix your car for you too, and mow your lawn, and take out your trash and solve that pesky virginity problem of yours?

Because thats why WOMEN were invented! They solve all of the worlds problems! Go away from your computer, and find a woman who will download the new anti-virus definitions for you and solve the rest of your problems!

Now to all the women out there: YES, I am avaliable, please send me your resume containing important skillsets outlined above.

(but seriously, I am going to die alone)

Re:This just in...

[root_42]

This sounds just like the firewall admin who said We never have been hacked or even been tried to be hacked. This guy will almost absolutely surely have missed some attacks and does not watch his logfiles.

How can you say that you never had a virus when you never used an AV-scanner? Some viruses may not be noticable when on your system.

Re:mydoom source

You don't even need the file extension with Unix.

No, but you do need to have run chmod u+x on the file... By default files aren't executable. Scripts (executable text files) are run by the interpreter which is specified on the first line of the script. Binary files have a magic number, which is used to determine the appropriate way to load and run them.