
MyDoom-C Variant Spreading Quickly - Update 2/12/04

Computerworld

Sophos

As the following articles discuss, a third variant of MyDoom, known as MyDoom-C or SyncZ, is spreading rapidly and is already very active.  The following graphics show how active MyDoom-C is.  This is the exact same pattern that other major virus attacks followed; note the spike or two in port 3127 traffic a week or so before the attack.  Later, the virus becomes much more prevalent, seemingly "overnight".  Code Red, Nimda, and other major attacks showed this pattern.

Rate of attack on port 3127, which MyDoom-C uses to proliferate.

Some of the sources of the MyDoom-C virus.

It is important to make sure that your systems are updated with the latest patches and have the latest virus updates to defend against the rapid spread of MyDoom.  This virus is already on the charts as the leading virus-of-the-week.  The following articles discuss the spread and precautions.
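The graphs above make the point that a rise in connection attempts to TCP port 3127 shows up before the worm goes mainstream. The script below is an added example (not from this page or any vendor) of the kind of check a defender can run over a perimeter firewall log to catch that rise early. The log lines are constructed, and their six-field layout (date, source, destination, protocol, destination port, action) is an assumed generic format, not any particular product's.

```python
"""Added example: flag days on which inbound connection attempts to TCP 3127
(the port the MyDoom-A backdoor listens on and that MyDoom-C / Doomjuice
scans for) jump well above the usual daily baseline."""
from collections import defaultdict
from statistics import median

# Constructed firewall-style log lines (not real traffic).  Assumed format:
# YYYY-MM-DD src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2004-02-02 10.0.0.5 192.0.2.10 tcp 80 allow
2004-02-02 198.51.100.7 192.0.2.10 tcp 3127 deny
2004-02-03 198.51.100.8 192.0.2.10 tcp 3127 deny
2004-02-03 203.0.113.4 192.0.2.11 tcp 3127 deny
2004-02-04 198.51.100.7 192.0.2.10 tcp 3127 deny
2004-02-04 10.0.0.6 192.0.2.10 udp 53 allow
2004-02-05 203.0.113.9 192.0.2.10 tcp 3127 deny
2004-02-05 203.0.113.4 192.0.2.12 tcp 3127 deny
2004-02-06 198.51.100.7 192.0.2.10 tcp 3127 deny
2004-02-07 198.51.100.20 192.0.2.10 tcp 3127 deny
2004-02-07 198.51.100.21 192.0.2.10 tcp 3127 deny
2004-02-07 198.51.100.22 192.0.2.11 tcp 3127 deny
2004-02-07 203.0.113.30 192.0.2.10 tcp 3127 deny
2004-02-07 203.0.113.31 192.0.2.12 tcp 3127 deny
2004-02-07 203.0.113.31 192.0.2.10 tcp 3127 deny
2004-02-08 10.0.0.5 192.0.2.10 tcp 443 allow
2004-02-08 198.51.100.7 192.0.2.10 tcp 3127 deny
2004-02-08 203.0.113.4 192.0.2.10 tcp 3127 deny
2004-02-09 198.51.100.40 192.0.2.10 tcp 3127 deny
2004-02-09 198.51.100.41 192.0.2.10 tcp 3127 deny
2004-02-09 198.51.100.42 192.0.2.10 tcp 3127 deny
2004-02-09 198.51.100.43 192.0.2.11 tcp 3127 deny
2004-02-09 203.0.113.50 192.0.2.10 tcp 3127 deny
2004-02-09 203.0.113.51 192.0.2.12 tcp 3127 deny
2004-02-09 203.0.113.52 192.0.2.10 tcp 3127 deny
2004-02-09 203.0.113.53 192.0.2.10 tcp 3127 deny
2004-02-09 203.0.113.50 192.0.2.11 tcp 3127 deny
"""


def parse_log(text):
    """Yield (day, src_ip, proto, dst_port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines rather than crash
        day, src, _dst, proto, port, _action = parts
        yield day, src, proto.lower(), int(port)


def daily_hits(text, port=3127):
    """Map each day to the list of source IPs that tried TCP <port>."""
    hits = defaultdict(list)
    for day, src, proto, dport in parse_log(text):
        if proto == "tcp" and dport == port:
            hits[day].append(src)
    return dict(hits)


def spike_days(text, port=3127, factor=3, floor=5):
    """Return {day: (attempt_count, sorted distinct sources)} for days whose
    attempt count is at least max(floor, factor * median daily count).
    The median is the baseline because a couple of spike days barely move it,
    which a mean would not survive."""
    hits = daily_hits(text, port)
    if not hits:
        return {}
    baseline = median(len(srcs) for srcs in hits.values())
    threshold = max(floor, factor * baseline)
    return {day: (len(srcs), sorted(set(srcs)))
            for day, srcs in sorted(hits.items()) if len(srcs) >= threshold}


if __name__ == "__main__":
    for day, (n, srcs) in spike_days(SAMPLE_LOG).items():
        print(f"{day}: {n} attempts on tcp/{3127} from {len(srcs)} sources: "
              + ", ".join(srcs))
```

On the constructed log the baseline is two attempts a day, so 2004-02-07 (six attempts from five sources) and 2004-02-09 (nine from eight) are flagged; the list of distinct sources per spike day is what you would feed into an "infected source" view like the second graphic above.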

February 12 MyDoom.C Update: On Wednesday, 2/11/04, a new variant of Doomjuice, Doomjuice.B, started spreading. The worm is a variant of Doomjuice.A, which first appeared Monday and is itself a variant of MyDoom.A. Experts said the new worm is one of the few known cases of a variant threat spawning another variant.

Like Doomjuice.B, Doomjuice.C attacks machines that already have been infected by either MyDoom.A or MyDoom.B. The worm looks for Windows machines listening on TCP Port 3127, which is used by the backdoor installed by MyDoom.A. Once it finds such a machine, Doomjuice.B loads a copy of itself onto the new machine in a file named "regedit.exe" and also adds itself to the Windows registry. See the graph on the home page of www.knobology.com showing the rate of increase on port 3127 within the last few days, which indicates a rapid spread of this new worm.

Doomjuice.B also contains code that instructs infected machines to launch a distributed denial-of-service attack on Microsoft Corp.'s main Web site. Analysts who have looked at the code said that the new variant eliminates some of the coding errors that prevented previous DDoS attempts from being effective against Microsoft's systems.

The code dictates that machines will start attacks against the Microsoft site if the month is not January and the date is not between the eighth and the twelfth. This logic suggests that the attack should begin Friday, according to an analysis by Computer Associates International Inc., based in Islandia, N.Y.
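To see how the Computer Associates analysts got "Friday" from that condition, the following added example (not code from the page, from CA, or from the worm) turns the reported trigger rule into calendar dates. The rule is taken from the paragraph above; reading "between the eighth and the twelfth" as inclusive (days 8 through 12) is an assumption.

```python
"""Added example: evaluate the reported Doomjuice.B trigger condition
("month is not January and day is not between the 8th and the 12th")
against calendar dates, so a defender can see when the payload is live."""
from datetime import date, timedelta


def trigger_active(d):
    """True if, under the reported rule, the DDoS payload would run on date d.
    Assumption: the 8th-12th window is inclusive."""
    return d.month != 1 and not (8 <= d.day <= 12)


def next_activation(after):
    """First date strictly after `after` on which the trigger is active."""
    d = after + timedelta(days=1)
    while not trigger_active(d):
        d += timedelta(days=1)
    return d


def active_windows(year, month):
    """Contiguous (start, end) date ranges within the month when the payload
    is live; an empty list for January."""
    d = date(year, month, 1)
    windows, start = [], None
    while d.month == month:
        if trigger_active(d):
            if start is None:
                start = d
        elif start is not None:
            windows.append((start, d - timedelta(days=1)))
            start = None
        d += timedelta(days=1)
    if start is not None:  # window ran to the end of the month
        windows.append((start, d - timedelta(days=1)))
    return windows


if __name__ == "__main__":
    article_date = date(2004, 2, 12)  # the update above is dated 2/12/04
    first = next_activation(article_date)
    print(f"first active day after {article_date}: {first} ({first:%A})")
    for start, end in active_windows(2004, 2):
        print(f"active {start} .. {end}")
```

Starting from the 12 February date of the update, the first active day is 13 February 2004, a Friday, which matches the CA analysis; the same rule keeps the payload live for the rest of every month except January, pausing only on the 8th through the 12th.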

There are also signs that attackers are hijacking PCs infected with one of the MyDoom worms and using them for other attacks, according to Ken Dunham, director of malicious code at iDefense Inc., based in Reston, Va. The machines also are being used to relay spam, Dunham said.

In addition to Doomjuice.B and .C, antivirus researchers have identified a fourth variant of MyDoom, known as MyDoom.D. The worm appears to be a close relative of the first MyDoom. The rate of spread of this worm is not known as of yet.


February 09, Computerworld - Third Mydoom variant discovered in the wild.

Yet another Mydoom variant has been found in the wild. Known as Mydoom.C or SyncZ, the malicious code appears to be scanning the Internet for systems already infected by the original Mydoom. When finding a vulnerable machine, it uploads itself via TCP Port 3127, and creates a copy of itself in the Windows System directory as "intrenat.exe" as well as several other files in various Windows directories. This virus, like the Mydoom.B version before it, attempts to find so-called zombie computers to launch a denial-of-service (DoS) attack on Microsoft's Website. However, it does not appear to seek to e-mail itself to other systems. This latest version is unlikely to affect U.S. corporate networks that successfully defended against the initial MyDoom virus, said Ken Dunham of security consulting company iDefense Inc. However, with many home, small-business and overseas systems potentially still infected, the worm has the potential of launching a successful DoS attack against the Microsoft.com Website, which would affect businesses that need to access that site for patches, updates and other information.

Source: http://www.computerworld.com/securitytopics/security/story/0,10801,90005,00.html

Sophos, 10 February 2004

Doomjuice "plants evidence" on innocent computers. Is MyDoom author trying to hide in the crowd? asks Sophos

The Doomjuice worm drops MyDoom's source code on the user's hard drive

Sophos virus experts have an interesting theory on a peculiar payload of the W32/Doomjuice-A worm. The Doomjuice worm drops a copy of the prevalent W32/MyDoom-A's source code onto infected computers, possibly in an attempt to make it more difficult to convict the true author.

The Doomjuice worm drops a compressed copy of MyDoom's C source code into a number of directories on the infected user's PC. Detectives investigating the authorship of the MyDoom worm would normally treat discovery of the source code on a computer as a significant clue.

"There is already a $500,000 reward for information leading to the conviction of MyDoom's author," said Graham Cluley, senior technology consultant for Sophos. "If he has spread his code around the net onto innocent computers in an attempt to hide in the crowd, then he's more sneaky than the average virus writer."

"The other possibility is that MyDoom's author is spreading the code to encourage others to write copy-cat viruses which try and mimic MyDoom's global spread. The need for sensible security policies and multi-tier virus protection has never been greater," continued Cluley.

The Doomjuice worm attempts to launch a distributed denial of service attack against Microsoft's website: www.microsoft.com