MyDoom Windows Worm DDoSing SCO 694
We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.
According to Symantec... (Score:3, Informative)
Re:Something Doesn't Add Up (Score:2, Informative)
dupe (Score:2, Informative)
There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
So tell me again, what new information did we learn between now and then. Looks like slashdot just loves SCO stories to me, even if they are repeats.
--
In London? Need a Physics Tutor? [colingregorypalmer.net]
American Weblog in London [colingregorypalmer.net]
Funny, I think: (Score:5, Informative)
Re: Understand though... (Score:2, Informative)
I received three of these yesterday, and it's been ages since I received anything with a virus. Must be massive.
DDoS (Score:4, Informative)
Re:Transmission require OE? (Score:5, Informative)
It has a hidden payload, you FOOLS (Score:3, Informative)
W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.
Re:I don't get the joke... (Score:3, Informative)
Here is my attempt to render an explanation... (Score:3, Informative)
It is a regex [regular-expressions.info] statement. Essentially, the string typically instructs a language interpreter (PERL, for instance) to search for a pattern and subsequently replace it.
In this case, it is replacing any instances of "is" with "eir"; thus, the following alteration is committed:
Before: but it's always sad to watch someone stoop to this level
After: but it's always sad to watch someone stoop to their level
Get your facts straight... (Score:5, Informative)
The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really suprising after Darl had to fire the network admin to feed his Lawyer habit.
Re:Something Doesn't Add Up (Score:4, Informative)
Actually, there is... but in sending an email to others who know your email address. For example, I got 3 messages yesterday which contained this virus. Now, from what I understand, this worm pulls email addresses from one's computer, and sticks those addresses in the 'from' field. One of those emails I received was "from" the United States Air Force Band's Singing Sergeants Yahoo Group. That's pretty specific, so I sent everyone I know (who runs windows) a message saying, basically, that if you know of the Singing Sergeants, or these few other email addresses, then it's likely you have this worm.
Sending a "you gave me a virus" email to whomever is in the 'from' field is pretty useless, but the above tactic may prove helpful for this particular worm. At the very least, it lets other (possibly less-informed) folks know there's a worm about, and reminds them to practice good email usage (not opening unexpected attachments, etc.) and to update their anti-virus software.
Re:Change domain (Score:2, Informative)
The dDOS was just aimed at the first one, whilst all links (web and local) to Windows Update point at the other one. The attack was therefore not hugely disruptive, especially once a nice layer of properly hardened computers [openbsd.org] was in the way.
According to NetCraft, SCO is currently pinging at about the 16 second mark - are there really that many computers with fast clocks, or is it bad coding, or is something else happening here? Feb 1st is supposed to mark the start of the GET storm.
Meanwhile, for Postfix admins... (Score:5, Informative)
I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.
In main.cf, insert this:
body_checks=pcre:/etc/postfix/virus_body_checks
Create a file virus_body_checks containing this:
/^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.
If anyone has an improved solution, let me know, but this seems to work.
On the contrary.... (Score:2, Informative)
Re:Meanwhile, for Postfix admins... (Score:3, Informative)
* ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
Does this work for everybody? We haven't gotten another e-mail since implimenting it.