MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
Re:Dumbass alert (Score:2, Informative)
Did you happen to notice the part where it said This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127?
Re:Part of the story? (Score:5, Informative)
no backdoor (Score:5, Informative)
This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines
It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.
This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.
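Added example, not code from any of the comments above: detection logic in Python that reads iptables-style firewall log lines (constructed for this example; the field layout is an assumption) and flags sources that sweep several hosts on TCP 3127, the port the posts identify as the MyDoom.A/B backdoor and the one this variant scans for.

```python
"""Spot hosts sweeping a network for TCP 3127 in firewall logs.

Added example for the thread above. The log format is a simplified,
assumed iptables/netfilter style: 'SRC=... DST=... PROTO=... DPT=...'.
"""
import re
from collections import defaultdict

# Constructed sample log. 192.0.2.10 probes four hosts on 3127 (a sweep),
# 10.0.0.9 opens one web connection (benign), 198.51.100.7 touches 3127 once.
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP DPT=3127 SYN
kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP DPT=3127 SYN
kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.3 PROTO=TCP DPT=3127 SYN
kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.4 PROTO=TCP DPT=3127 SYN
kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=80 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP DPT=3127 SYN
"""

MYDOOM_BACKDOOR_PORT = 3127

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of src/dst/proto/dpt for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def sources_touching_port(log_text, port=MYDOOM_BACKDOOR_PORT):
    """Map each source to the set of hosts it contacted on `port` over TCP."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            targets[rec["src"]].add(rec["dst"])
    return targets


def find_sweeps(log_text, min_targets=3, port=MYDOOM_BACKDOOR_PORT):
    """Sources probing at least `min_targets` distinct hosts on `port`."""
    return {src: sorted(dsts)
            for src, dsts in sources_touching_port(log_text, port).items()
            if len(dsts) >= min_targets}
```

Since 3127 has almost no legitimate traffic, even a single hit from `sources_touching_port` is worth a look; `find_sweeps` narrows the list to the scanning behaviour this variant exhibits.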
Re:Any legit use for 3127? (Score:5, Informative)
-Rusty
Re:Part of the story? (Score:2, Informative)
ctx-bridge 3127/udp # CTX Bridge Port
ctx-bridge 3127/tcp # CTX Bridge Port
Re:Any legit use for 3127? (Score:5, Informative)
Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.
Re:MSN messenger? (Score:4, Informative)
-JackAsh
Netcraft confirms it... (Score:5, Informative)
Re:When will someone use this to their advantage? (Score:1, Informative)
The university I work at still has ICMP disabled because of Welchia.
Nimda (Score:5, Informative)
I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.
Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway [wired.com]. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.
It's an open source virus! (Score:4, Informative)
Doomjuice distributes source code for MyDoom.A [f-secure.com]
Making this one of the first high-profile open-source viruses?
<zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>
Re:MSN messenger? (Score:1, Informative)
Also, Netcraft is reporting that they are dropping requests without a user agent, and from logs on my windoze servers it appears the exchange version does not report one.
Re:Part of the story? (Score:4, Informative)
grep 3127 /etc/services
This just in... (Score:2, Informative)
Re:He won't get caught dude (Score:1, Informative)
Hmm, only 25% of infected machines attacked SCO, the rest kept spreading the virus.
The attack on SCO was a cover. YHBT by a virus.
Take a look on Groklaw for a little info.
Port 3127 (Score:5, Informative)
The writeup from Symantec is here. [symantec.com]
Re:Is it just getting started? (Score:3, Informative)
He isn't 110% right on that point, because I've set this up for several organizations.
Now, as I said, this may have changed with the newer versions: I can't say, because I haven't used them. But with the 4.x versions, you can either manually enter the alternate FTP server, or just edit the registry settings via logon script (which is what I did). The only thing I *couldn't* do via registry changes was, strangely enough, enabling the ability to check for updates on a schedule. I could tell it where, when, and how to get the updates, just not to actually do it. This also wasn't in any config file either; I have no idea how it saved that info.
Re:Head Explodes MS Security report by Gartner (Score:2, Informative)
People just need to understand that e-mail is not a file transfer mechanism. If they want they can put a URL in the e-mail pointing to their file but then you have some kind of accountability at least (and web browsers should not download executable files without a fuss too).
There is almost no reason why anybody would need to send anybody else executable code. And for the one rare instance where I have had to send an executable to a Windows user (a demo of my software) I found it difficult as it is: the user had to be instructed how to save and then execute it.
Re:mydoom source (Score:1, Informative)
The script could even contain an embedded image that it decompresses and starts with the web browser - so the user doesn't notice anything went wrong.
Repeat with Perl or csh scripts as necessary until Linux users get the message that Linux is not an event of the same order of magnitude as the 2nd coming of Christ. I mean, what moron decided plain text files were going to be executable simply by having a "#!env perl" in the first line? You don't even need the file extension with Unix.
Re:This just in... (Score:3, Informative)
just question.. how can you confirm that you have never received a virus if you never run an antivirus? so either you
a) don't have a computer (then all statements = true) or
b) you have your head up your ass (can i email you at your @micosoft.com work address?)
i have like a million analogies for this to put it in better perspective, but if you don't get my point by now, i don't *want* you to read/comment on my posts.
oh and if you think patches will protect you from all the virii out there, then buddy, you just broke rule #2... and here's a paper clip for that gaping wound.
Re:MyDoom (Score:2, Informative)
work-around ... (Score:1, Informative)
on all my computers. then i did a portscan on to all the machines ("cbps.exe" from www.bluebitter.de). the firewall will pop-up and alert that there's an incoming connection. i told the firewall to create a rule and block the port(s) (incoming and outgoing) permanently.
also don't surf as ROOT/ADMIN. if you catch the worm as a normal user your account won't have enough privileges to write to "%SYSTEMROOT%". i'm not infected. works for me.
all this worm business really shows how many people have NO CLUE about computers. i just hope marketing isn't going to base their next product on the likes of these people, or we'll have a one button computer in a few years time (but then again prolly the guy infected is a guy working in marketing *yawn*)
Re:backscatter (Score:3, Informative)
Re:mydoom source (Score:2, Informative)