MyDoom.C Making Its Way Across The Net

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
  • Re:Dumbass alert (Score:2, Informative)

    by bcore ( 705121 ) on Tuesday February 10, 2004 @12:34AM (#8234320)
    Anyone infected by email virii should have their internet access revoked for being too damn stupid. Stop opening every fucking attachment you get, morons!

    Did you happen to notice the part where it said "This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127"?
  • by centralizati0n ( 714381 ) <tommy.york@NOspAm.gmail.com> on Tuesday February 10, 2004 @12:36AM (#8234329) Homepage Journal
    3127 is apparently the backdoor created by the other MyDoom viruses. As another poster mentioned, it's a giant botnet, now at someone's disposal.
  • no backdoor (Score:5, Informative)

    by stev_mccrev ( 712012 ) on Tuesday February 10, 2004 @12:37AM (#8234344) Homepage

    This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines

    It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.

    This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.

  • by rusty0101 ( 565565 ) on Tuesday February 10, 2004 @12:48AM (#8234418) Homepage Journal
    It should be safe to block. I did a 'grep 312 /etc/services' and came back with only one hit, 3128 for Squid proxy. That should be blocked at your firewall as well, as having it available to external users can open your mail server to become a spam server if you have them both on the same network. So you could probably block the range 3120-9 without any negative impact.

    -Rusty
  • by mattjb0010 ( 724744 ) on Tuesday February 10, 2004 @12:49AM (#8234422) Homepage
    Orange:~/PhD> cat /etc/services | grep 3127
    ctx-bridge 3127/udp # CTX Bridge Port
    ctx-bridge 3127/tcp # CTX Bridge Port
  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday February 10, 2004 @12:51AM (#8234445) Homepage Journal

    Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.
  • Re:MSN messenger? (Score:4, Informative)

    by JackAsh ( 80274 ) on Tuesday February 10, 2004 @12:52AM (#8234448)
    MSN Messenger is down for me as well. I'm just glad to see that the Messenger Network Status [msn.com] page is up to the task of telling us if things are up or down (not!).

    -JackAsh
  • by hkfczrqj ( 671146 ) on Tuesday February 10, 2004 @12:59AM (#8234497)
    Microsoft is dying [netcraft.com].
  • by Anonymous Coward on Tuesday February 10, 2004 @01:01AM (#8234507)
    Whoa there baby... lest you forget what happened with Blaster last year? Someone wrote Welchia - which had a _very very very aggressive_ ICMP scanning technique which brought many networks to their knees.

    The university I work at still has ICMP disabled because of Welchia.
  • Nimda (Score:5, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Tuesday February 10, 2004 @01:01AM (#8234510) Homepage Journal

    I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.

    Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway [wired.com]. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.

  • by tepples ( 727027 ) <tepples.gmail@com> on Tuesday February 10, 2004 @01:15AM (#8234581) Homepage Journal

    Doomjuice distributes source code for MyDoom.A [f-secure.com]

    Making this one of the first high-profile open-source viruses?

    <zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>

  • Re:MSN messenger? (Score:1, Informative)

    by Anonymous Coward on Tuesday February 10, 2004 @01:41AM (#8234715)
    Possibly - can't say for sure, but if the actual MSN Messenger works anything like the IM features of Exchange 2k, it does rely on an IIS webserver for most of its functionality; if their webservers are the same as used for MSN this could cause it.

    Also, Netcraft is reporting that they are dropping requests without a user agent, and from logs on my windoze servers it appears the exchange version does not report one.
  • by PacoTaco ( 577292 ) on Tuesday February 10, 2004 @01:42AM (#8234718)
    Some PhD! You know, you can just do:

    grep 3127 /etc/services

  • This just in... (Score:2, Informative)

    by flamingweasel ( 191775 ) on Tuesday February 10, 2004 @01:49AM (#8234753)
    AV Software is a market created by the people who write the software. It provides only false security. I have never used antivirus software. Ever. Know how many viruses I've received in the last ten years? None. Here's my patent-pending method to keeping those evil hackers from putting their viruses on my computer.
    1. Keep your computer patched
    2. Don't be retarded
    3. There is no step three.
  • by Anonymous Coward on Tuesday February 10, 2004 @02:34AM (#8234947)
    They were attacking SCO?
    Hmm, only 25% of infected machines attacked SCO, the rest kept spreading the virus.
    The attack on SCO was a cover. YHBT by a virus.

    Take a look on Groklaw for a little info.
  • Port 3127 (Score:5, Informative)

    by retro128 ( 318602 ) on Tuesday February 10, 2004 @02:34AM (#8234948)
    What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.

    The writeup from Symantec is here. [symantec.com]
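    To turn retro128's observation into something a network admin could check, here is an added example (not from any poster on this page) that reads firewall log lines, flags sources sweeping TCP/3127 the way a MyDoom.C-style spreader hunts for MyDoom.A victims, and lists the hosts they probed so those can be checked for an open 3127 listener. The netfilter-style log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

BACKDOOR_PORT = 3127  # TCP port the MyDoom.A/.B backdoor listens on

# Netfilter-style fields we need; real kernel log lines carry more (LEN, TTL, ...) between them.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed sample firewall log (no real traffic): one host sweeping 3127, one web hit, one stray probe.
SAMPLE_LOG = """\
Feb 10 00:31:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=41001 DPT=3127 SYN
Feb 10 00:31:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=41002 DPT=3127 SYN
Feb 10 00:31:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP SPT=41003 DPT=3127 SYN
Feb 10 00:31:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=41004 DPT=3127 SYN
Feb 10 00:31:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=50000 DPT=80 SYN
Feb 10 00:31:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=50010 DPT=3127 SYN
"""

def parse_backdoor_probes(log_text):
    """Yield (src, dst) for each logged TCP connection attempt to the backdoor port."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == BACKDOOR_PORT:
            yield m.group("src"), m.group("dst")

def find_scanners(log_text, min_targets=3):
    """Sources that probed at least min_targets distinct hosts on 3127, the behaviour of a
    MyDoom.C-style spreader hunting for MyDoom.A victims. Returns {src: sorted targets}."""
    targets = defaultdict(set)
    for src, dst in parse_backdoor_probes(log_text):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def probed_hosts(log_text):
    """Every destination that received a 3127 probe; each should be checked for an open 3127 listener."""
    return sorted({dst for _, dst in parse_backdoor_probes(log_text)})
```

    A single probe (203.0.113.9 above) stays below the sweep threshold but still lands its target on the list of hosts to inspect.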
  • by t0ny ( 590331 ) on Tuesday February 10, 2004 @02:44AM (#8234984)
    Ya, and so was I. You can use an FTP server as your distribution point. You don't HAVE to point it at McAfee's FTP server.

    He isn't 110% right on that point, because I've set this up for several organizations.

    Now, as I said, this may have changed with the newer versions: I can't say, because I haven't used them. But with the 4.x versions, you can either manually enter the alternate FTP server, or just edit the registry settings via logon script (which is what I did). The only thing I *couldn't* do via registry changes was, strangely enough, enabling the ability to check for updates on a schedule. I could tell it where, when, and how to get the updates, just not to actually do it. This also wasn't in any config file either; I have no idea how it saved that info.

  • by myg ( 705374 ) on Tuesday February 10, 2004 @03:39AM (#8235216)
    E-mail should not carry files. Simple as that. If e-mail programs made getting an attachment out cumbersome and required a command line, this wouldn't have happened.

    People just need to understand that e-mail is not a file transfer mechanism. If they want they can put a URL in the e-mail pointing to their file but then you have some kind of accountability at least (and web browsers should not download executable files without a fuss too).

    There is almost no reason why anybody would need to send anybody else executable code. And for the one rare instance where I have had to send an executable to a Windows user (a demo of my software) I found it difficult as it was; the user had to be instructed how to save and then execute it.

  • Re:mydoom source (Score:1, Informative)

    by Anonymous Coward on Tuesday February 10, 2004 @04:24AM (#8235394)
    So you're trying to tell me that .sh, .pl and .py scripts *aren't* associated with anything on your KDE desktop? Last time I used KDE - they were.
    1 Attachment, (20k) "merry_xmas.jpeg
    (lots of spaces)
    .py"
    Click on that in Linux and it could fuck you any which way it wanted to - no matter what system you were running. An instant cross-platform virus that's more likely to work on Linux than Windows (because Python is more likely to be installed).

    The script could even contain an embedded image that it decompresses and starts with the web browser - so the user doesn't notice anything went wrong.

    Repeat with Perl or csh scripts as necessary until Linux users get the message that Linux is not an event of the same order of magnitude as the 2nd coming of Christ. I mean, what moron decided plain text files were going to be executable simply by having a "#!env perl" in the first line? You don't even need the file extension with Unix.
  • Re:This just in... (Score:3, Informative)

    by Cynikal ( 513328 ) on Tuesday February 10, 2004 @04:44AM (#8235456) Homepage
    um how did this get a +5? does anyone see the self defeating retardedness of the statement? "I have never used antivirus software. Ever. Know how many viruses I've received in the last ten years? None."...

    just a question.. how can you confirm that you have never received a virus if you never run an antivirus? so either you

    a) don't have a computer (then all statements = true) or
    b) you have your head up your ass (can i email you at your @micosoft.com work address?)

    i have like a million analogies for this to put it in better perspective, but if you don't get my point by now, i don't *want* you to read/comment on my posts.

    oh and if you think patches will protect you from all the virii out there, then buddy, you just broke rule #2... and here's a paper clip for that gaping wound.
  • Re:MyDoom (Score:2, Informative)

    by kiwioddBall ( 646813 ) on Tuesday February 10, 2004 @05:57AM (#8235671)
    I read somewhere that MyDoom was named because the virus when viewed in an ASCII viewer contains an amount of freetext that was meant to say 'mydomain' but instead it was mis-spelt in the virus to say 'mydoomain' - hence MyDoom.
  • work-around ... (Score:1, Informative)

    by Anonymous Coward on Tuesday February 10, 2004 @07:03AM (#8235910)
    I installed Kerio Personal Firewall on all my computers.

    Then I did a portscan of all the machines ("cbps.exe" from www.bluebitter.de).

    The firewall will pop up and alert that there's an incoming connection. I told the firewall to create a rule and block the port(s) (incoming and outgoing) permanently.

    Also, don't surf as ROOT/ADMIN. If you catch the worm as a normal user your account won't have enough privileges to write to "%SYSTEMROOT%".

    I'm not infected. Works for me.

    All this worm business really shows how many people have NO CLUE about computers. I just hope marketing isn't going to base their next product on the likes of these people, or we'll have a one button computer in a few years time (but then again prolly the guy infected is a guy working in marketing *yawn*).
  • Re:backscatter (Score:3, Informative)

    by hacker ( 14635 ) <hacker@gnu-designs.com> on Tuesday February 10, 2004 @10:28AM (#8236963)
    :0 B
    * ^*Content-Disposition: attachment;
    * filename=".*\.(pif|scr|bat|cmd|com)"
    /var/spool/mail/SPAM
    :0 B
    * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
    /var/spool/mail/virus
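    The procmail recipe above keys on the attachment filename's extension, and the earlier "merry_xmas.jpeg (lots of spaces) .py" post shows how whitespace padding hides the real extension from a glance. This added example (not code from any poster) does the same attachment check in Python with the padding collapsed first; the blocked-extension list, the constructed sample message and its addresses are assumptions.

```python
import re
from email import message_from_string

# Extensions hacker's procmail recipe above diverts, plus the script types the
# "merry_xmas.jpeg ... .py" post notes a desktop will happily run when clicked.
BLOCKED_EXTENSIONS = {"pif", "scr", "bat", "cmd", "com", "exe", "vbs", "sh", "pl", "py"}

def normalize_filename(name):
    """Strip whitespace padding so 'photo.jpeg        .py' is judged by its real suffix."""
    return re.sub(r"\s+", "", name)

def effective_extension(name):
    """Lower-cased text after the last dot of the de-padded name ('' if there is none)."""
    clean = normalize_filename(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""

def risky_attachments(raw_message):
    """Return the original filenames of attachments whose effective extension is blocked."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and effective_extension(part.get_filename()) in BLOCKED_EXTENSIONS]

# Constructed sample message (not a real worm): one padded double-extension script, one real image.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: merry xmas
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

picture attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="merry_xmas.jpeg                              .py"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpeg"
Content-Transfer-Encoding: base64

/9j/4AAQ
--b1--
"""
```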
  • Re:mydoom source (Score:2, Informative)

    by archen ( 447353 ) on Tuesday February 10, 2004 @10:34AM (#8237003)
    And you're still safe from people doing that if you mount /home with noexec.
