New Worms Feed on MyDoom Infections
JJP writes "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus.
Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor, it is still a novel way to spread a virus. In the Netherlands there is a newspaper reporting this proves MyDoom was initially spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."
I wonder if those random IMs I got in AIM are related to MyDoom. I got a couple of random messages about capturing Osama Bin Laden from people I haven't talked to in ages. Seems like some sort of virus. Anyone else have that happen?
http://github.com/gbook/nidb
Funny you suggest either buying a whole new machine, or using a whole different OS, when the MyDoom problem could just be solved by not opening attachments.
I'll just ask: is it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box? Are you sure you understand the problem?
It's nothing but crumpled porno and Ayn Rand.
MyDoom's backdoor has been demonstrated by DoomJuice and now the copycats are at it. There's now a network of zombies willing to do the bidding of anybody who hacks in... remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain.
I guess the only positive side effect is that some of these DoomJuice variants are closing the back door from the original MyDoom so that nobody else can interfere with them. Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload...
As soon as Macintosh takes over the market (if ever), viruses will target them instead.
They're not more secure, but why hit 1/3 of the world's computers when you can hit 1/2 of them with a Windows bug.
When the first Mac worm hits, it will be huge, because their users aren't used to dealing with them.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
creator of the original MyDoom and was leaving a copy of the source of MyDoom on the hard disk. The thoughts were that: a) only the creator of the original would have the source to include as part of Doomjuice's payload and b) if "everyone" had a copy of the source on their hard disk, it would be difficult to prove that any one person was responsible for originally writing it (assuming their computer was found/confiscated/examined).
Not that I would condone the activity, but I'm surprised someone hasn't made an email virus that installs an OS on the machine. I would find this an incredible violation of one's choice, but I still won't be surprised when it happens.
meh
I wonder... what are the legalities behind having a worm go around, attack the backdoor created by MyDoom, and cause an alert box containing the infection info to pop up on the user console? Or change the person's wallpaper to a similar message so that they don't just blindly hit OK?
1. Go here: doshelp.com
2. Block applicable ports
3. Smile when alerts are issued
"Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work."
When a big worm comes out, wouldn't it be possible to write another worm that would utilize the backdoor, get rid of the worm, and then hang about to make reinfection impossible?
My organization took care of the worm in the first few minutes after it started spreading, but there seem to be a lot of people still out there who aren't protected (if the number of inbound mails my mail server quarantines each day is any indication).
If someone in a white hat wrote a MyDoom immobilizer worm, and then released it, wouldn't that put a speedy end to MyDoom in the wild?
I'm much funnier now that I'm a subscriber.
The anti-virus companies come up with the names, often making fun of the virus writers in the process. MyDoom was named for a variable misspelling: MyDoomain (supposed to be MyDomain).
DO NOT WRITE IN THIS SPACE
OK, with my Linux box and Mac I can do whatever I want - including open attachments... I bought a computer so I could use it.
To be infected by MyDoom, you would have to open the attachment and run the binary.
If you mean, "can I fire up an MTA and start spraying email all over creation?", then the answer is: only if you have root. And if that virus has root... well, you've got bigger problems.
Eh, no. You don't have to be root to "spray email all over creation". Outgoing connections usually use unprivileged ports. And to accept incoming connections without root, you just need to listen on a port above 1024.
Je ne parle pas francais.
This could have happened to anyone I guess....
Last week I get a call from another tech friend: "Hey toqer, I got this customer and they got infected with MyDoom. The NAV wasn't set to exclude the Exchange store on the server, and it wiped out their calendaring info; the server needs all its logs rebuilt."
I asked him for more info. Logs rebuilt? WTF was he talking about? Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done. After calling them I went out to see exactly what the problem was.
This office is a lawyers' office, and their specialty is wills and trust funds. I was met by a really nice French woman at the door. "Toqer, please follow me and I will show you what the problem was."
She first showed me their main problem. Whenever they would try and modify the big boss's calendar, Outlook would spit out some nonsense about being unable to connect to his free/busy information. The second problem I noticed was that the entire network was running on NT 4.0, and the machines were all Pentium 1 class PCs. "Good thing this is hourly," I said to myself.
Looking at the NAV logs, it looked like it had deleted some files from d:\exchngsrv\mtadata (not exactly; this is my best recollection). The first thing I did was set NAV to exclude those folders. Good, done. Now it was time to fix the problem itself.
Now I don't have the exact KB article, but the MS solution was to log in as the affected user, back up his Exchange store to personal folders, use the exchng32 client to delete the calendar folder, then launch Outlook with a /resetfolders switch, and finally re-upload his calendar from the PST. After doing it, it worked and they were happy.
It took me 4 hours to fix it, nice little chunk o' change in my pocket. Thanks MyDoom!
Whereas the new Welchia/Nachi worm cleans the MyDoom viruses, sets the hosts file back to just 127.0.0.1 localhost, installs a few Microsoft patches, reboots and scans for other MyDoom, MSBlast and Welchia infected machines to clean. It also sets up a web server on the machine serving a webpage with a cryptic message about various Japanese and Korean massacres. It then disables itself on June 1, 2004, or after running 180 days, whichever comes first.
I don't normally like any Windows virus, but I have a tough time not liking this one.
But why is the rum gone?
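The hosts-file reset described above is a worthwhile cleanup check on its own, since worms commonly sinkhole vendor or update hostnames to loopback or pin them to an address of their choosing. As an added example (not code from the thread or from any of the worms discussed), here is a defender-side check that flags hosts entries a clean file should not contain; the file content and domain names are constructed.

```python
# Added example: flag hosts-file entries that a clean file would not have.
# Assumption: a clean hosts file maps only the standard loopback names to
# loopback addresses; everything else is reported for review.
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return a list of (address, [hostnames]) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Flag (a) non-local names sinkholed to loopback and (b) any name pinned
    to a non-loopback address. Returns a list of (address, name, reason)."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() not in LOOPBACK_NAMES:
                findings.append((ip, name, "non-local name sinkholed to loopback"))
            elif not addr.is_loopback:
                findings.append((ip, name, "name pinned to external address"))
    return findings


# Constructed sample, not a capture from a real machine.
SAMPLE_HOSTS = """# hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   update.example-av.test    # blocks an AV update host
10.0.0.5    www.example-bank.test     # pinned to an attacker-chosen address
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```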
Maybe not a big threat in the sense that most of us reading this have been taking precautions against viruses like MyDoom all along (or were on Macs or Linux), but there's still a pretty big secondary threat to all of us who use the internet. I'm still seeing a lot of MyDoom-infected computers out there: a quick look at my mail server shows examples -- sometimes multiple examples -- of MyDoom sent from DSL hosts in cerfnet.com, telus.net, sprintbbd.net, and ameritech.net just within the last hour. When Doomjuice and Deadhat get on these machines and start sucking up neighboring bandwidth with their DoS or whatever, it's a problem -- even if it's not actually your machine that's infected.
My point is that Windows' inherent insecurity is not the cause of MyDoom and, more specifically, the latest worms mentioned in the submission.
Yes, the question was rhetorical, and the point is an app can start accepting connections on a given port (which is how the latest worms are spreading) no matter what your OS. It's possible to firewall everything and require admin access to open ports on Linux and OSX, but hey, it's possible on Windows too. Bad sysadmins and clueless users are a problem on every platform.
Well, that's true to a degree. I have several Windoze boxes (on VMWare virtual machines) that I'm responsible for. However, I've noticed that if I do a fresh install with the Win2K disk on a new VM the damn thing gets the Blaster worm (or even Code Red or Nimda) before I can even install the latest service pack. Yeah, I know I should disconnect it from the net until I get the SP installed, but that's a pain in the ass too because that means I have to keep a CD around with all the SPs. As I understand it, all service ports on a Mac are off by default. If Windows came this way, I wouldn't have to worry about this. Also, it's not a problem when installing Linux because I can choose to leave the services off before I ever boot it for the first time.
These follow on worms seem like crude attempts to implement Curious Yellow.
http://blanu.net/curious_yellow.html
I'm really surprised that we haven't seen various implementations taking over large numbers of computers.
My only thought has been that the kind of person who implements Curious Yellow is sufficiently more skilled than the average worm writer that they choose to be subtle and slow. If that is the case, then I expect that the 75,000 is a very small number of machines compared to those that are already running a variant of Curious Yellow.
Just some rambling thoughts.
If everyone would have updated their systems with the patch in July 2003 (before the MyDoom virus and its variants came out), no one would have ever gotten any of them. And the news media would have nothing to talk about.
- Food is computing power, which it steals.
- Prey are vulnerable computers, with computing power unprotected.
- Predators are virus scanning and eradication software.
- Reproduction is checked only by environmental factors.
- Evolution has developed two clear attributes: transport and payload.
It will be very interesting to watch this area develop, especially considering its place in society. It's incredible that not only have software companies been given virtual total immunity from the financial impact of their defective products, but that they have convinced the right parties that people who expose their defects are criminals. Truly incredible.
So this is similar to the real-life virus Hepatitis D, which is slightly damaged and can't infect a host cell unless it is actively infected with hepatitis B. It has interesting implications for biology that one can look at the spread of dependent pathogens using computer models, by looking at the spread of these piggyback worms.
I pretty much agree, at this point, I stop all executables and .zip files at my mail server.. kind of a pain, but between that, and the 25 RBLs I have set up, I only get about 10-15 unwanted emails a day... *sigh* ... I won't run Windows in front of a firewall now, even if pseudo-secure (only known ports available) .. too much of a pain.
Personally, I like IIS as a webserver, and happen to like .Net.. and as Mono matures, am more and more considering the switch... I haven't liked MS's political stances for several years now, and Linux is finally "getting there" enough for a serious look... I can run my favorite text editor under Wine, and use Firefox (formerly Firebird) as my primary browser, and Thunderbird for email.. only my work keeps me tied to Windows.
Seriously think in about a year or so, will be able to switch with little drawback, and may even just run Windows via VMware under Linux... the last try at it with SUSE and Ximian Desktop a few months ago wasn't so bad.. a few kinks.. but worked... may make another go, in a few more months. (Already use Windows versions of a lot of OSS software as it is now anyhow).
Michael J. Ryan - tracker1.info