
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-27



Doubleclick DDoS'd, W32.Zindos.A Microsoft DoS, FXMYDOOM Feedback

Published: 2004-07-27
Last Updated: 2004-07-28 02:25:27 UTC
by John Bambenek (Version: 1)
0 comment(s)
Doubleclick DDoS'd

Around 10:30 EDT, Doubleclick, a provider of web advertisements, began experiencing a massive denial-of-service attack against its DNS servers. Because other sites rely on Doubleclick to serve the ads on their web pages, the attack has caused a peripheral slowdown of those sites as well. Read more at:

http://www.washingtonpost.com/wp-dyn/articles/A18735-2004Jul27.html

W32.Zindos.A Microsoft DoS

The W32.Zindos.A worm, which infects machines through the backdoor opened by Backdoor.Zincite.A (itself delivered by MyDoom.M), performs a DoS against the microsoft.com domain. Because of buggy code, a machine can be infected by Zindos repeatedly, which makes it slow and unresponsive. For more information go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html

FXMYDOOM Feedback

A user wrote in stating that the FXMYDOOM program would not completely clean all of the worm's processes from a system. He gave the following steps to ensure a clean system.

1. Reboot into safe mode with networking support and sign in.

2. Run FXMYDOOM, downloadable from Symantec. Go onto step 3 while step 2 runs.

3. Visit the "Run" sections of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (full example path above) and delete any calls to:

a. Javavm

b. Services

c. Tray (which will have a path to ********.exe listed in the data field)

Norton's tool usually didn't catch the "javavm" or "tray" entries on PCs I worked on, so be on the lookout for them.


4. Once step 2 has completed, manually verify that javavm.exe and services.exe are no longer in %windir%.

5. Reboot into normal mode; ideally, the user should sign in. In the absence of the user, sign in yourself.

6. Once boot completes and the taskbar fully loads, check the "Processes" tab to make sure there aren't any extra "services", "javavm", or "********.exe" files running. Note that it is normal to have one copy of "services" running on a PC. One copy, good. Two copies, bad.

7. Re-run step 2. Have the user contact you if it finds any instance of MyDoom on the PC.
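The manual checks in steps 3, 4 and 6 can be scripted as a read-only audit. The following is an added example, not code from the diary or from the reader who sent in the steps; it assumes the standard HKLM/HKCU Run keys, a modern PowerShell, and that the real services.exe lives in System32 rather than %windir%. It reports findings and deletes nothing.

```powershell
# Added audit script (not from the diary or its reader). Reports the
# MyDoom/Zindos artifacts named in the steps above; removal stays manual.
function Get-MyDoomArtifacts {
    # Assumption: the standard per-machine and per-user Run keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $suspectValues = @('Javavm', 'Services', 'Tray')   # step 3
    $suspectFiles  = @('javavm.exe', 'services.exe')   # step 4
    $findings = @()

    # Step 3: Run values the cleanup tool was reported to miss.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $suspectValues) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $findings += [pscustomobject]@{
                    Kind = 'RunValue'; Where = $key; Name = $name; Detail = $item.$name
                }
            }
        }
    }

    # Step 4: dropped binaries directly under %windir%.
    foreach ($file in $suspectFiles) {
        $path = Join-Path $env:windir $file
        if (Test-Path $path) {
            $findings += [pscustomobject]@{
                Kind = 'File'; Where = $env:windir; Name = $file
                Detail = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
        }
    }

    # Step 6: one services process is normal, two is bad; javavm should never run.
    $groups = Get-Process -Name services, javavm -ErrorAction SilentlyContinue |
        Group-Object -Property Name
    foreach ($g in $groups) {
        if (($g.Name -eq 'services' -and $g.Count -gt 1) -or $g.Name -eq 'javavm') {
            $findings += [pscustomobject]@{
                Kind = 'Process'; Where = 'running'; Name = $g.Name
                Detail = "$($g.Count) instance(s)"
            }
        }
    }
    return $findings
}

Get-MyDoomArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found; a "Tray" hit still needs the data field inspected by hand, since the page does not give the dropped file's name.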


---

John Bambenek, jbamb -at- pentex-net.com