
SANS ISC InfoSec Handlers Diary Blog



New Mydoom / Hurricanes

Published: 2004-09-09
Last Updated: 2004-09-14 02:31:01 UTC
by Chris Carboni (Version: 1)
The Next Version of MyDoom


Chris Mosby alerted us to the latest strain of MyDoom.


The newest MyDoom variant ...


# contains its own SMTP engine for constructing messages

# harvests target email addresses from the victim machine

# forges the From: header of outgoing messages

# downloads BackDoor-CEB.c over HTTP


After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\winspf.exe

Additionally, it copies itself to

* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe

It tries to download BackDoor-CEB.c from these sites:

http://www.llc.unibo.it/

http://www.surrenderzeeland.nl/

http://www.mercyships.de/

http://www.hiw.kuleuven.ac.be/

http://www.ach.ch/

http://vugs.geog.uu.nl/

http://www.planetboredom.net/

http://guttorm.hveem.no/
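
The persistence locations and download sites listed above can be turned into a quick triage check. The following script is an added example, not code from the ISC diary or from any AV vendor: it takes the indicators quoted in the diary (the WinSPF Run value, the dropped file names, the eight distribution sites) and runs them against a registry export, a Startup-folder listing and proxy-log lines. The .reg export format is the standard one, but the proxy-log layout (timestamp, client IP, method, URL, status) and all sample data are constructed for this example; adjust the log parser to whatever your proxy actually writes.

```python
"""
Host and proxy-log indicator checks for the MyDoom variant described above.
Added example, not code from the ISC diary.  Indicator values (registry value
name, dropped file names, download sites) are taken from the diary; the
proxy-log layout and the sample inputs are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted in the diary entry.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinSPF"
DROPPED_FILES = {"winspf32.exe", "winspf.exe", "rx32hh00.exe"}
DOWNLOAD_SITES = [
    "http://www.llc.unibo.it/",
    "http://www.surrenderzeeland.nl/",
    "http://www.mercyships.de/",
    "http://www.hiw.kuleuven.ac.be/",
    "http://www.ach.ch/",
    "http://vugs.geog.uu.nl/",
    "http://www.planetboredom.net/",
    "http://guttorm.hveem.no/",
]
DOWNLOAD_HOSTS = {urlsplit(u).hostname for u in DOWNLOAD_SITES}

# One value line of a .reg export: "name"="data"
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def check_reg_export(text):
    """Scan the text of a .reg export for the worm's autorun entry.

    Returns a list of findings (key, value name, unescaped data).  A finding is
    raised for the value name the worm uses and also for any Run value whose
    data points at one of the dropped file names, so a renamed value still shows.
    """
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header names the key
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg escapes '\' as '\\'
        target = data.strip('"').rsplit("\\", 1)[-1].lower()       # file name part of the path
        if name.lower() == RUN_VALUE_NAME.lower() or target in DROPPED_FILES:
            findings.append({"key": current_key, "name": name, "data": data})
    return findings


def check_startup_listing(paths):
    """Return the entries of a Startup-folder listing whose file name is a dropped file."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def check_proxy_log(lines):
    """Return proxy-log requests aimed at the sites the worm fetches BackDoor-CEB.c from.

    Assumed (constructed) log layout, one request per line:
        <timestamp> <client-ip> <method> <url> <status>
    A hit is a lead, not proof of infection: the listed sites are ordinary web
    servers that happen to host the payload, so confirm on the client before acting.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, status = parts[:5]
        host = urlsplit(url).hostname
        if host and host.lower() in DOWNLOAD_HOSTS:
            hits.append({"time": ts, "client": client, "host": host, "status": status})
    return hits


# Constructed sample input so the script runs stand-alone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSPF"="C:\\WINNT\\System32\\winspf.exe"
"SoundMgr"="C:\\Program Files\\Audio\\sndmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.exe"
"""
SAMPLE_STARTUP = [
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini",
]
SAMPLE_PROXY_LOG = """\
2004-09-09T10:12:01Z 10.0.0.5 GET http://www.llc.unibo.it/ 200
2004-09-09T10:12:03Z 10.0.0.7 GET http://www.example.com/index.html 200
2004-09-09T10:12:09Z 10.0.0.5 GET http://vugs.geog.uu.nl/ 404
"""

if __name__ == "__main__":
    for f in check_reg_export(SAMPLE_REG):
        print("autorun entry:", f)
    for p in check_startup_listing(SAMPLE_STARTUP):
        print("startup file:", p)
    for h in check_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("download attempt:", h)
```

On a live host, feed `check_reg_export` the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and `check_startup_listing` a directory listing of each user's Startup folder; the proxy check is most useful run over the whole fleet's logs, since the worm only fetches the backdoor after it is already running, so a hit tells you which client to isolate.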


Full descriptions are available at:

http://vil.nai.com/vil/content/v_128346.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.s@mm.html
http://www.f-secure.com/v-descs/mydoom_u.shtml



Hurricanes



On behalf of the ISC, I'd like to extend our sympathy for those who have suffered a loss as a result of Hurricanes Charley and Frances.


While some of us have been personally inconvenienced, worried about the safety of friends and loved ones or suffered minor losses, when compared to the devastation in some parts of Florida and the Caribbean it becomes very easy to put things into perspective.

If you have any interesting perspectives on how your company protects its systems from attack, specifically before/during/after a natural disaster (like a hurricane or earthquake), drop us a note.