Slashdot Mirror


New Worms Feed on MyDoom Infections

JJP writes "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus. Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor, it is still a novel way to spread a virus. In the Netherlands there is a newspaper reporting this proves MyDoom was initially spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."

15 of 243 comments

  1. Re:AIM by ParadoxicalPostulate · Score: 4, Informative

    Funny, I was just looking that up for a friend.

    This is not MyDoom.

    This link may help.

    Check that out; it may help.

  2. Re:AIM by phillymjs · Score: 3, Informative

    No, that's different scumware.

    ~Philly

  3. for the non-Dutch by sosume · Score: 5, Informative

    or those who cannot get past the registration links:

    Amsterdam - There are signs that the computer virus MyDoom has been brought into circulation by organised crime syndicates. The worm virus was accompanied yesterday by the evil program 'DeadHat'. Microsoft and software maker SCO have a quarter *billion* dollars in stock to reward the tip that will lead them to its creators.

    According to the British research firm mi2g, DeadHat is designed to provide its creator with sustained, long-term control over a system. This power could be abused to hold websites hostage.

    It is also possible to abuse the PC for sending spam e-mail, and the program is capable of harvesting passwords and other confidential information. DeadHat is an intelligent software agent, a program .....

    [snip] the really boring part

    According to mi2g, DeadHat has encrypted intelligence, waiting to be activated. "This definitely looks like the work of organized crime."

    Meanwhile, Doomjuice has come to the surface, another worm which seems to battle for control of the PC.

  4. Re:Cyber war? Puleeeze by saskboy · Score: 4, Informative

    But nothing is new with MyDoom. Maybe the intent, but there are still dozens of active viruses out there with back door capabilities that could be exploited by crime, or by spammers [which are criminals I suppose].

    Why commit computer crimes from your own machines, when you can do it from another person's, and in fact connect to a 2nd or 3rd infected machine from the first infected machine to add another layer of difficulty to any investigation?

    The ability to harvest contact information exists in a simple forwarded joke email. This is not advanced "war" stuff. If it was advanced, people wouldn't have noticed.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.

  5. Re:Virus names by eidechse · Score: 2, Informative

    The names are determined by virus researchers, not the virus writers. In fact, if during analysis it's apparent that the writer wanted a certain name used, that name is intentionally avoided.

  6. Cleverer Social Engineering by GillBates0 · Score: 5, Informative

    According to the Symantec Security Response page, the DeadHat (parody of RedHat?) worm spreads through Soulseek disguised as one of the following:

    * Windows2003Keygen.exe
    * mIRC.v6.12.Keygen.exe
    * Norton.All.Products.KeyMkr.exe
    * F-Secure.Antivirus.Keymkr.exe
    * FlashFXP.v2.1.FINAL.Crack.exe
    * SecureCRTPatch.exe
    * TweakXPProKeyGenerator.exe
    * FRUITYLOOPS.SPYWIRE.FIX.EXE
    * ALL.SERIALS.COLLECTION.2003-2004.EXE
    * WinRescue.XP.v1.08.14.exe
    * GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
    * BlindWrite.Suite.v4.5.2.Serial.Generator.exe
    * Serv-U.allversions.keymaker.exe
    * WinZip.exe
    * WinRar.exe
    * WinAmp5.Crack.exe

    This is also a Social Engineering technique similar to the catchy email sent by other recent worms.

    The difference I see is that the filenames are catchier and seem to be targeted towards a more computer-savvy audience. Normal Windows users wouldn't need to look for WinRar.exe and the other security software cracks/etc...but then, they're the ones who opened the MyDoom attachments in the first place.

    Get the dumb users with vulnerable PCs through email attachments, and break the more secure computers/users through enticing downloads!

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam

    1. Re:Cleverer Social Engineering by triclipse · Score: 2, Informative

      Actually, there are more like 10 - 100 trillion cells in the human body :)

      --
      No Inflation Taxation without Representation

  7. Re:Get a Mac by Moridineas · Score: 4, Informative

    Don't mean to be pedantic, but you wouldn't say "get a boxen" because boxen is plural.

    Etymologically it's an old way (well, old in English) of pluralizing that we only see in a few words...child/children; brother/brethren is similar too. Interestingly enough, Persian, being an Indo-European language, has it too--Taleban (-an) is students (pl).

  8. Re:DoomNet... by Weird+O'Puns · Score: 2, Informative

    Actually, according to many sources Deadhat/Vesser came before DoomJuice. So technically DoomJuice is the copycat. There's also a new variant of Welchia that makes use of MyDoom backdoor and then tries to remove it.

  9. Re:Get a Mac by Kenja · Score: 2, Informative

    MyDoom has its own SMTP server built into it. All it needs is access to outgoing ports. That's it, nothing more. You would not need root access for it to work. You would just need to be dumb enough to download the attachment and run it. Just like people are doing on Windows.

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

  10. Re:DoomNet... by That's+Unpossible! · Score: 2, Informative

    remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain

    Almost right. MyDomain was apparently a variable in the code (uhh, then I am guessing VB code?) and he spelled it MyDoomain.

    --
    Ironically, the word ironically is often used incorrectly.

  11. Re:Get a Mac by dgatwood · Score: 5, Informative

    On Mac OS X, installing a startup item requires you to manually type in your administrator password. Viruses could only become a permanent part of your system if they could convince people that there was a reason to allow them to install things. Otherwise, such a virus could only run until you rebooted your computer or logged out, making it much less effective.

    A virus would not be able to automatically start just by reading a message, as Mail doesn't allow that to happen. More significantly, it could not masquerade as another type of file, since clicking on it would pop up a dialog that says something like "Warning: the attachment 'foo.jpg.app' is an application. Since applications can contain viruses, make sure this was sent by someone you trust." or some such.

    In short, even if the Mac platform were the primary computing platform on the planet, it would not have these problems at the same level, IMNSHO.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  12. Re:Get a Mac by Anonymous Coward · Score: 2, Informative

    People aren't downloading and running an executable. They are double-clicking on an attachment or whatever. Then, since Windows is all about being integrated and since most users run as "root" in Windows, it's allowed to get set up as a daemon and install itself to be loaded whenever a machine boots. In my opinion, it's the general design of the Windows operating system that is at fault. Loading an attachment (zip file was the big one at my place of work) shouldn't install a damn virus.

  13. Re:DoomNet... by httptech · Score: 2, Informative

    Vesser was discovered before Doomjuice, but if you look at the PE timestamp header, you see that Deadhat/Vesser was compiled on Tue Feb 4 06:23:59 2003, while Doomjuice was compiled on Tue Jan 27 06:22:58 2004. While the PE timestamp field can be easily edited, these dates are probably accurate in my opinion. So, Doomjuice can't be considered a copycat of Vesser.

    My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html

  14. Re:DoomNet... by httptech · Score: 3, Informative

    In the past two days, my honeypot listening on port 3127 has captured 56 copies of Doomjuice.A, 10 copies of Doomjuice.B and 1 copy of Mitglieder. It's really not a lot if you think about how big the Mydoom.A outbreak appeared to be. Here's an extra credit math problem - take those numbers and the time it takes to scan a subnet and get a rough estimate of infected machines. Each Doomjuice-infected system starts 64 threads, each one picks a class C at random and attempts to connect to hosts 1-254 in sequence (the 127.x.x.x class A subnet is the only one skipped).
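One way to work the "extra credit" estimate above, as an added example (not the poster's code; only the counts and scanner behaviour quoted in the comment are taken from it). The time a thread needs to sweep one /24 is not given in the comment, so it is an assumed parameter and the example shows how sensitive the estimate is to it.

```python
# Counts quoted in the comment above: honeypot hits on port 3127 over two days
OBSERVED_HITS = {"Doomjuice.A": 56, "Doomjuice.B": 10, "Mitglieder": 1}
OBSERVATION_DAYS = 2

# Scanner behaviour quoted in the comment: 64 threads, each sweeping a random /24
THREADS = 64
CANDIDATE_SUBNETS = 2**24 - 2**16  # every /24 except those inside 127.0.0.0/8


def hits_per_host_per_day(seconds_per_subnet: float, threads: int = THREADS) -> float:
    """Expected number of times ONE infected host sweeps a fixed /24 in a day.

    Model (an assumption, not from the comment): each thread picks a /24
    uniformly at random, sweeps it in `seconds_per_subnet`, then picks again.
    A sweep of the honeypot's /24 is assumed to yield exactly one captured copy.
    """
    sweeps_per_day = threads * 86400.0 / seconds_per_subnet
    return sweeps_per_day / CANDIDATE_SUBNETS


def estimate_infected(hits: int, days: float, seconds_per_subnet: float) -> float:
    """Rough scanning-population estimate: observed hits / expected hits per host."""
    return hits / (days * hits_per_host_per_day(seconds_per_subnet))


def sensitivity(hits: int, days: float, sweep_times=(30.0, 60.0, 300.0)) -> list:
    """Estimate for several assumed sweep times, to show how much they matter."""
    return [(t, round(estimate_infected(hits, days, t))) for t in sweep_times]


if __name__ == "__main__":
    doomjuice_hits = OBSERVED_HITS["Doomjuice.A"] + OBSERVED_HITS["Doomjuice.B"]
    for t, n in sensitivity(doomjuice_hits, OBSERVATION_DAYS):
        print(f"{t:6.0f} s per /24 sweep -> about {n} Doomjuice scanning hosts")
```

The model ignores hosts that never reach the honeypot (NAT, filtering, offline periods) and repeat hits from the same host, so it is a lower-bound-style sanity check, not a census.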