SANS ISC: InfoSec Handlers Diary Blog

Doomjuice/MyDoom.C, Sharp Increase in port 445 and 139 scans

Published: 2004-02-09
Last Updated: 2004-02-10 00:48:01 UTC
by Dave Brookshire (Version: 1)
Doomjuice/MyDoom.C

A new worm, named Doomjuice or MyDoom.C by various AV vendors, has been identified. It spreads by exploiting the backdoor left behind by MyDoom.A and MyDoom.B. After infecting a system, it drops a copy of the MyDoom.A source code in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDoS against www.microsoft.com.

More information and removal instructions are available at:

http://www.lurhq.com/mydoom-c.html
http://www.f-secure.com/v-descs/doomjuice.shtml
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html

Port 445 and 139

A sharp increase in the number of connections to ports 445 and 139 has been reported. The source of these has yet to be determined.
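As an added illustration (not part of the original diary) of how a site could spot the kind of increase described above in its own firewall logs, the following script builds a constructed set of connection events, compares the latest hour's hit counts on ports 445 and 139 against the preceding hours, and lists sources that fan out across many internal hosts. The log layout, thresholds and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Ports named in the diary; everything else is ignored by the checks below.
MONITORED_PORTS = {445, 139}


def build_sample_events():
    """Constructed sample events (timestamp, src, dst, dport); not real ISC data.
    Two quiet hours are followed by one source sweeping port 445 across a /24."""
    events = []
    for hour in (8, 9):
        ts = datetime(2004, 2, 9, hour)
        events.append((ts, "198.51.100.5", "192.0.2.10", 445))
        events.append((ts, "198.51.100.6", "192.0.2.11", 445))
        events.append((ts, "198.51.100.5", "192.0.2.12", 139))
    for i in range(12):
        ts = datetime(2004, 2, 9, 10, i)
        events.append((ts, "203.0.113.9", f"192.0.2.{20 + i}", 445))
    return events


def hourly_port_counts(events):
    """Map each hour bucket to a Counter of hits per monitored port."""
    counts = defaultdict(Counter)
    for ts, _, _, dport in events:
        if dport in MONITORED_PORTS:
            counts[ts.replace(minute=0, second=0, microsecond=0)][dport] += 1
    return counts


def flag_spikes(counts, ratio=5.0, min_hits=10):
    """Return {port: (baseline_per_hour, latest_hour_hits)} for ports whose
    latest-hour count exceeds ratio * the average of all earlier hours."""
    hours = sorted(counts)
    if len(hours) < 2:
        return {}
    latest, earlier = hours[-1], hours[:-1]
    spikes = {}
    for port in MONITORED_PORTS:
        baseline = sum(counts[h][port] for h in earlier) / len(earlier)
        current = counts[latest][port]
        if current >= min_hits and current > baseline * ratio:
            spikes[port] = (baseline, current)
    return spikes


def top_scanners(events, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on 445/139."""
    targets = defaultdict(set)
    for _, src, dst, dport in events:
        if dport in MONITORED_PORTS:
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}
```

Running `flag_spikes(hourly_port_counts(build_sample_events()))` flags port 445 only, and `top_scanners` isolates the single sweeping source so it can be reviewed or blocked.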


MyDoom Hype Fueled By Antivirus Software Vendors

Computerworld has a good article regarding the media hype that has been generated around the MyDoom worms. MyDoom is credited as the fastest-spreading worm in history, but it has not caused nearly the disruption of Slammer and Blaster. The article is here:

http://www.computerworld.com/securitytopics/security/story/0,10801,89649,00.html

Handler on Duty: Dave Brookshire
