MyDoom.B is rapidly spreading, and using some new techniques in addition to features shown in yesterday's diary:
- MyDoom.B will replace the 'hosts' file on infected system. This file is used to override DNS resolution. If a system is infected with MyDoom.B, sites like support.microsoft.com, some anti virus sites (www.symantec.com, www.sophos.com, www.my-etrust.com and other) will no longer be reachable.
- There are reports that MyDoom.B will scan for systems which are infected with MyDoom.A, and it will upload itself to such systems.
- while MyDoom.A included code to launch a DDOS attack on www.sco.com, MyDoom.B modified the target host to www.microsoft.com
- closely monitor your network for excessive port 3127 traffic. It may pinpoint MyDoom.B infected systems. - MyDoom uses fake 'From' headers. DO NOT REPLY to infected messages. Some Antivirus filters will automatically notify the sender of an infected e-mail. Turn off this feature, as it may flood innocent bystanders.
Antivirus vendors are offering free removal tools. However, in particular for MyDoom.A, attempts have been observed to upload additional malware using the backdoor installed by the virus. A more thorough forensic analysis of the system may be necessary. Removal tools will only remove the specific virus, not any additional malware installed later.
- MSFT Details about how to restore the hosts file:
- Network Associates analysis:
- Trend Micro:
- Computer Associates:
Johannes Ullrich, firstname.lastname@example.org,http://isc.sans.org/contact.html
Feb 1st 2004
1 decade ago