New Mydoom / Hurricanes
The Next Version of MyDoom
Chris Mosby alerted us to the latest strain of MyDoom.
The newest MyDoom variant ...
# contains its own SMTP engine for constructing messages
# harvests target email addresses from the victim machine
# forges the From: header of outgoing messages
# downloads BackDoor-CEB.c over HTTP
After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\winspf.exe
Additionally, it copies itself to
* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe
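As an added illustration (not from the diary or the vendor write-ups linked below), a defender-side check that flags the persistence artifacts listed above in autorun data collected from a host: a `reg query` dump of the Run key and a listing of a user's Startup folder. Both inputs are constructed samples, and the `Synchronization Manager` / `mobsync.exe` entry is a benign stand-in, not something the diary mentions.

```python
import re

# Indicators from the diary: the Run value "WinSPF", the dropped file WINSPF32.EXE,
# the winspf.exe the Run value points at, and the Startup-folder copy rx32hh00.exe.
RUN_VALUE_NAME = "winspf"
DROPPED_FILES = {"winspf32.exe", "winspf.exe", "rx32hh00.exe"}

# Constructed sample in the shape of `reg query HKLM\...\Run` output; not captured from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    WinSPF    REG_SZ    C:\WINNT\System32\winspf.exe
"""
# Constructed sample listing of one user's Startup folder.
SAMPLE_STARTUP_LISTING = [
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe",
]
# reg query separates value name, type and data with runs of spaces.
_REG_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_reg_query(text: str) -> list[dict[str, str]]:
    """Parse `reg query` output into {name, type, data} records."""
    return [{"name": m.group(1).strip(), "type": m.group(2), "data": m.group(3).strip()}
            for m in map(_REG_LINE.match, text.splitlines()) if m]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def exe_name(data: str) -> str:
    """File name of the program a Run value launches, with quotes and arguments dropped."""
    data = data.strip()
    if data.startswith('"'):
        return basename(data[1:].split('"', 1)[0])
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)  # unquoted: stop at first .exe
    return basename(m.group(1) if m else data)

def find_run_key_hits(text: str) -> list[str]:
    """Flag Run values whose name or launched program matches the worm's indicators."""
    return [f'Run\\{e["name"]} = {e["data"]}' for e in parse_reg_query(text)
            if e["name"].lower() == RUN_VALUE_NAME or exe_name(e["data"]) in DROPPED_FILES]

def find_startup_hits(paths: list[str]) -> list[str]:
    """Flag Startup-folder entries whose file name matches the worm's dropped files."""
    return [p for p in paths if basename(p) in DROPPED_FILES]

if __name__ == "__main__":
    for hit in find_run_key_hits(SAMPLE_REG_QUERY) + find_startup_hits(SAMPLE_STARTUP_LISTING):
        print("MyDoom indicator:", hit)
```

Matching on both the value name and the launched file name catches the case where only one of the two was renamed; on a real host, feed it the output of `reg query` against both the HKLM and HKCU Run keys and every profile's Startup folder.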
It tries to download BackDoor-CEB.c from these sites:
Full descriptions are available at:
http://vil.nai.com/vil/content/v_128346.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.s@mm.html
http://www.f-secure.com/v-descs/mydoom_u.shtml
Hurricanes
On behalf of the ISC, I'd like to extend our sympathy for those who have suffered a loss as a result of Hurricanes Charley and Frances.
While some of us have been personally inconvenienced, worried about the safety of friends and loved ones or suffered minor losses, when compared to the devastation in some parts of Florida and the Caribbean it becomes very easy to put things into perspective.
If you have any interesting perspectives on how your company protects its systems from attack, specifically before/during/after a natural disaster (like a hurricane or earthquake), drop us a note.