



MyDoom.A Timeline, MyDoom.B DDoS a Non-Event

Published: 2004-02-03
Last Updated: 2004-02-04 03:06:11 UTC
by Tom Liston (Version: 1)
Not a whole lot of stuff going on today... MyDoom.A is still filling in-boxes, while MyDoom.B, which was initially greeted with dire predictions, seems to have been a dud.



If you're involved in the cleanup of an infected system, it is important to remember that beyond simply spamming the world, MyDoom.A opens a backdoor listening on TCP, starting at port 3127. Any infected system that was directly reachable from the Internet could have been further compromised through that backdoor by anyone who found it, so simply removing the worm is not enough: such a system should be treated as a candidate for a complete reinstall.
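One practical cleanup step is to go back through perimeter firewall logs and find which internal hosts actually accepted inbound connections to the backdoor port, since those are the machines where "further compromised" is a real possibility. The triage script below is an added example and is not part of the original diary. It assumes a constructed, generic key=value log format (adapt the regex to your firewall's format), and it assumes an upper bound of TCP 3198 for the backdoor port range, which is taken from published MyDoom.A analyses rather than from this diary, which only says the backdoor starts at 3127. Hosts that accepted an inbound TCP connection in that range are reported as reinstall candidates; sources that probed several hosts or ports in the range are reported as scanners looking for backdoored machines.

```python
"""Triage firewall log lines for traffic to the MyDoom.A backdoor port range.

Added example, not code from the original SANS ISC diary. The log lines and
their format are constructed for illustration. The port range upper bound
(3198) is an assumption based on published MyDoom.A analyses; the diary
only states that the backdoor starts at TCP 3127.
"""
import re
from collections import defaultdict

BACKDOOR_PORT_LOW = 3127   # stated in the diary
BACKDOOR_PORT_HIGH = 3198  # assumption: highest port MyDoom.A falls back to

# Constructed "key=value" firewall format: one connection attempt per line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
2004-02-03T10:01:02Z src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=3127 action=ACCEPT
2004-02-03T10:01:03Z src=203.0.113.5 dst=192.0.2.11 proto=TCP dport=3127 action=DROP
2004-02-03T10:01:04Z src=203.0.113.5 dst=192.0.2.12 proto=TCP dport=3128 action=DROP
2004-02-03T10:02:00Z src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80 action=ACCEPT
2004-02-03T10:02:30Z src=198.51.100.7 dst=192.0.2.10 proto=UDP dport=3127 action=ACCEPT
2004-02-03T10:03:00Z src=203.0.113.9 dst=192.0.2.20 proto=TCP dport=3198 action=ACCEPT
2004-02-03T10:03:10Z src=203.0.113.9 dst=192.0.2.20 proto=TCP dport=3199 action=ACCEPT
"""


def is_backdoor_port(port: int) -> bool:
    """True if a TCP destination port falls inside the assumed backdoor range."""
    return BACKDOOR_PORT_LOW <= port <= BACKDOOR_PORT_HIGH


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def triage(lines, scan_threshold: int = 3):
    """Return (candidates, scanners).

    candidates: {internal host: sorted [(source, dport), ...]} for hosts that
                ACCEPTed an inbound TCP connection in the backdoor range; these
                are the reinstall candidates.
    scanners:   sources that hit at least scan_threshold distinct (host, port)
                pairs in the range, regardless of firewall verdict.
    UDP traffic and ports outside the range are ignored: the backdoor is TCP.
    """
    accepted = defaultdict(set)  # dst -> {(src, dport)}
    probes = defaultdict(set)    # src -> {(dst, dport)}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].upper() != "TCP" or not is_backdoor_port(rec["dport"]):
            continue
        probes[rec["src"]].add((rec["dst"], rec["dport"]))
        if rec["action"].upper() == "ACCEPT":
            accepted[rec["dst"]].add((rec["src"], rec["dport"]))
    candidates = {dst: sorted(hits) for dst, hits in accepted.items()}
    scanners = sorted(src for src, hits in probes.items() if len(hits) >= scan_threshold)
    return candidates, scanners


if __name__ == "__main__":
    cands, scans = triage(SAMPLE_LOG.splitlines())
    for host in sorted(cands):
        print(f"reinstall candidate {host}: accepted backdoor connections from {cands[host]}")
    for src in scans:
        print(f"scanner: {src} probed the backdoor port range on multiple targets")
```

On the constructed sample, 192.0.2.10 and 192.0.2.20 come out as reinstall candidates (accepted TCP connections on 3127 and 3198), the UDP hit and the connection to 3199 are ignored, and 203.0.113.5 is flagged as a scanner because it probed three distinct host/port pairs in the range. Treat the scanner list as context rather than proof: a DROP against a host says nothing about that host, but an ACCEPT does.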



MyDoom.A Timeline



Panda Software has published a MyDoom.A timeline which can be found at:



http://www.net-security.org/virus_news.php?id=359



While we have heard many theories about possible mechanisms behind the rapid spread of MyDoom, examination of compromised machines and of the code itself does not indicate any cause beyond the simple fact that, even in today's Internet-aware world, people still execute e-mail attachments. User education needs to become a priority.





MyDoom.B DDoS a Non-Event



The February 3rd deadline for the MyDoom.B DDoS against www.microsoft.com passed without any effect on the availability of Microsoft's website. The website of The SCO Group (www.sco.com), apparently the target of the DDoS by MyDoom.A, is still unavailable. The "A" record for the "www" host was removed from the "sco.com" DNS zone on February 1 in an attempt to mitigate the expected attack, so infected machines have nothing to resolve the name to.



----------------------------------------------------------------

Handler on Duty: Tom Liston - http://www.labreatechnologies.com