
Doomjuice/MyDoom.C, Sharp Increase in port 445 and 139 scans - SANS Internet Storm Center


Doomjuice/MyDoom.C

A new worm, named Doomjuice and MyDoom.C by various AV vendors, has been identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the MyDoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDoS against www.microsoft.com.

More information and removal instructions are available at:

http://www.lurhq.com/mydoom-c.html
http://www.f-secure.com/v-descs/doomjuice.shtml
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html

Port 445 and 139

A sharp increase in the number of connections to ports 445 and 139 has been reported. The source of these has yet to be determined.


MyDoom Hype Fueled By Antivirus Software Vendors

Computerworld has a good article regarding the media hype that has been generated around the MyDoom worms. MyDoom is credited as the fastest-spreading worm in history, but it has not caused nearly the disruption of Slammer and Blaster. The article is here:

http://www.computerworld.com/securitytopics/security/story/0,10801,89649,00.html

Handler on Duty: Dave Brookshire
