Last Updated: 2005-02-18 17:15:19 UTC
by Mike Poor (Version: 1)
New MyDoom variant peaked early, then phizzled
It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Based on observations by many of the handlers and readers of the ISC, this new variant peaked around 5pm Eastern Wednesday, and started to get picked up by new anti-virus definitions around 10pm Eastern.
Below is an example of the body:
######### example ##############
Dear user <insert email address>,
Your email account has been used to send a huge amount of unsolicited
commercial email messages during this week. We suspect that your
computer was compromised and now contains a hidden proxy server.
We recommend you to follow the instructions in order to keep your
Have a nice day,
<insert domain name> support team.
######### /example ##############
An interesting note about this mydoom, bagle, beagle, netsky phenomenon is that there is such a discrepancy between antivirus companies on naming/identifying these nasties. Granted, IDS vendors have the same issues with naming detects, as do Vulnerability Scanners. Funny thing is that since many of these bugs' names have wrapped the alphabet twice, we may now start to append Unicode chars to the end of them :-)
Here is a sampling of names submitted by one of our handlers (scanner, engine version, definition date, detection name):
AntiVir       22.214.171.124   02.17.2005   Worm/MyDoom.BB
AVG           718              02.17.2005   I-Worm/Mydoom.AP
BitDefender   7.0              02.17.2005   Win32.Mydoom.AQ@mm
ClamAV        devel-20050130   02.16.2005   Worm.Mydoom.M-2
DrWeb         4.32b            02.17.2005   Win32.HLLM.MyDoom.54464
eTrust-Iris   126.96.36.199    02.17.2005   Win32/Mydoom.AU!Worm
eTrust-Vet    188.8.131.52     02.17.2005   Win32.Mydoom.AU
Fortinet      2.51             02.17.2005   W32/Mydoom.BB-mm
F-Prot        3.16a            02.17.2005   W32/Mydoom.AY@mm
Kaspersky     184.108.40.206   02.17.2005   Email-Worm.Win32.Mydoom.am
NOD32v2       1.1000           02.16.2005   probably unknown NewHeur_PE virus
Norman        5.70.10          02.17.2005   MyDoom.AQ@mm
Panda         8.02.00          02.17.2005   W32/Mydoom.AO.worm
Sybari        7.5.1314         02.17.2005   I-Worm.MyDoom.AX
For more information on this variant of mydoom, please see:
Thanks to the always 31337 handlers: Scott Fendley and Tom Liston for helping out with this one :-)
ARCserve POC exploit has been released, scanning has begun
Yet another target for the kiddies... there is a published exploit for CA's BrightStor ARCserve Backup buffer overflow and ISC readers are already noticing scans for it on TCP port 41523. (URLs updated by Jim Clausing, previous APAR withdrawn in favor of this new one)
(Added by Ed Skoudis): More detail can be found here: http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO64538&os=NT&returninput=0
Port 41523 TCP, got packets?
A number of people have written in with concern over an upswing in TCP port 41523 packets inbound. Has anyone seen any of these packets egressing from your network? ISC Handlers would be very interested in finding the malware (especially if it is different from the published exploit on k-otik) for this traffic. If you have seen this traffic, please save packets in tcpdump format. Also, if you see this traffic communicating inbound (not just SYN probes), we would be interested in seeing this too.
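One way to sort port 41523 flows into the three buckets the request above cares about (inbound SYN-only probes, inbound sessions that got past the handshake, and internal hosts probing outward). This is an added example, not part of the original diary; the 10.0.0.0/8 internal range, the CSV flow format and the flow records themselves are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ARCSERVE_PORT = 41523                              # TCP port seen in the reported scans
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed local address space

# Constructed sample flow records (not captured traffic): src,sport,dst,dport,TCP flags
SAMPLE_FLOWS = """\
198.51.100.7,3221,10.1.2.3,41523,S
198.51.100.7,3222,10.1.2.4,41523,S
203.0.113.9,4410,10.1.2.5,41523,S
203.0.113.9,4410,10.1.2.5,41523,PA
10.1.2.77,1029,192.0.2.15,41523,S
10.1.2.77,1030,192.0.2.16,41523,S
10.1.2.3,80,198.51.100.7,3300,PA
"""


def triage(flow_text, internal=INTERNAL, port=ARCSERVE_PORT):
    """Group TCP/<port> flows by direction and by whether they went past a bare SYN."""
    seen = defaultdict(set)  # (direction, remote-or-internal host) -> TCP flag strings observed
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, flags = line.split(",")
        if int(dport) != port:
            continue  # only flows aimed at the ARCserve port matter here
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in internal and dst_ip not in internal:
            seen[("egress", src)].add(flags)   # our host is doing the scanning
        elif dst_ip in internal and src_ip not in internal:
            seen[("inbound", src)].add(flags)  # someone is scanning or talking to us

    result = {"egress_scanner": [], "inbound_syn_probe": [], "inbound_session": []}
    for (direction, host), flags in seen.items():
        if direction == "egress":
            result["egress_scanner"].append(host)       # highest priority: likely infected host
        elif flags == {"S"}:
            result["inbound_syn_probe"].append(host)    # plain SYN probe, no handshake completed
        else:
            result["inbound_session"].append(host)      # data flowed: keep the pcap of this one
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_FLOWS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything in the egress bucket is what the handlers are asking for; pull the full packets for those hosts with a capture filter such as `tcp port 41523`.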
echo "mikepoorhandlerondutyisageek" | sed -e s/poor/\@/g -e s/isageek/\.com/g -e s/handleronduty/intelguardians/g