New Worms Feed on MyDoom Infections

JJP writes "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus. Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor, it is still a novel way to spread a virus. In the Netherlands there is a newspaper reporting this proves MyDoom was initially spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."
  • Get a Mac (Score:5, Insightful)

    by BWJones ( 18351 ) * on Thursday February 12, 2004 @03:16PM (#8261185) Homepage Journal
    This reminds me of that old ad which opens with a guy who was trying to hook up his laptop at a huge meeting to start a presentation. He is having problems getting things to work and people are yelling suggestions from the audience: "Try c: start!" or something like that. This goes on for some time with different people yelling various suggestions and then at the very end when it appears things are not going to work, someone yells: "get a Mac!" The ad then fades out.... I suppose for the Linux crowd, the yell could be "get a Penguin" or "get a boxen", but the sentiment is the same: Do something.....Do anything......but do not continue to use that unsecured Windows box. You are wasting your time and you are wasting my time and costing companies, businesses and governments big time.

    • by Denver_80203 ( 570689 ) on Thursday February 12, 2004 @03:17PM (#8261198)
      I hear those are safe too.. and just as useful to me in my business as a Mac.
    • Re:Get a Mac (Score:5, Interesting)

      by IthnkImParanoid ( 410494 ) on Thursday February 12, 2004 @03:20PM (#8261240)
      Funny you suggest either buying a whole new machine, or using a whole different OS, when the MyDoom problem could just be solved by not opening attachments.

      I'll just ask: is it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box? Are you sure you understand the problem?
      • Re:Get a Mac (Score:2, Insightful)

        by Frymaster ( 171343 )
        could just be solved by not opening attachments.

        anything else i should avoid doing? i think you amply illustrate the point that the virusmania has reduced the usability of windows.

        with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.

        is it possible for a binary file to open ports and send itself as an email attachment on a Mac?

        do you mean, "can i telnet 25 to another host"? well, yes. i hope that was a rhetorical question.

        if you me

        • Re:Get a Mac (Score:5, Interesting)

          by Dionysus ( 12737 ) on Thursday February 12, 2004 @03:39PM (#8261494) Homepage

          with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.

          To be infected by MyDoom, you would have to open the attachment and run the binary.

          if you mean, "can i fire up an mta and start spraying email all over creation"? then the answer is only if you have root. and if that virus has root... well, you've got bigger problems.

          Eh, no. You don't have to be root to "spray email all over creation". Outgoing connections usually use unprivileged ports. And to accept incoming connection without root, you just need to listen to a port above 1024.

        • Why exactly do I need to be root to send mail? All I need to do is open a connection to some MTA on port 25. That does not require root privileges. Do you need to be root to run elm, mutt, pine, evolution, insert MUA here? No, you may need root to do other evil things like insert the worm into the boot process, or hide from the process list. But in reality these things are overrated; if you're someone who executes attachments, are you going to pay attention to the running processes? And if you never reboot
          • Why exactly do I need to be root to send mail? All i need to do is open a connection to some mta on port 25.

            sigh. i offered two options - open a connection on 25, which i referred to as "telnet 25" because i am old, for which root is not required, and start up the mta (postfix on panther) for which you do need to be root.

            • Re:Get a Mac (Score:3, Informative)

              by Kenja ( 541830 )
              MyDoom has its own SMTP server built into it. All it needs is access to outgoing ports. That's it, nothing more. You would not need root access for it to work. You would just need to be dumb enough to download the attachment and run it. Just like people are doing on Windows.
              • Re:Get a Mac (Score:2, Informative)

                by Anonymous Coward
                People aren't downloading and running an executable. They are double-clicking on an attachment or whatever. Then, since Windows is all about being integrated and since most users run as "root" in Windows, it's allowed to get set up as a daemon and install itself to be loaded whenever a machine boots. In my opinion, it's the general design of the Windows operating system that is at fault. Loading an attachment (zip file was the big one at my place of work) shouldn't install a damn virus.
              • Re:Get a Mac (Score:3, Insightful)

                by BiggyP ( 466507 )
                so, on linux, i'd download the attachment, run it through unzip, make the binary executable, then run it? not bloody likely, -1 for usability maybe, but definitely +3 for safety around newbies.

                of course i'm sure on KDE with some WINE integration it could be so much quicker and easier...
        • Re:Get a Mac (Score:3, Interesting)

          My point is that Windows' inherent insecurity is not the cause of MyDoom and, more specifically, the latest worms mentioned in the submission.

          Yes, the question was rhetorical, and the point is an app can start accepting connections on a given port (which is how the latest worms are spreading) no matter what your OS. It's possible to firewall everything and require admin access to open ports on Linux and OSX, but hey, it's possible on Windows too. Bad sysadmins and clueless users are a problem on ev
    • Re:Get a Mac (Score:4, Insightful)

      by Matey-O ( 518004 ) * <michaeljohnmiller@mSPAMsSPAMnSPAM.com> on Thursday February 12, 2004 @03:22PM (#8261272) Homepage Journal
      Bullshit. There's NO reason why a windows box can't be just as stable and secure as any alternative. None (and I mean ZERO) machines on our network were affected by any of the mydoom variants.

      Sane creation of a network topology, email subsystem, proactive network monitoring, and general patch management is NECESSARY to operate a large internet connected environment, regardless of the Operating System of Choice.

      (and to head off the usual Mac'noids, show me a mac based application that scans, OCRs, and backs up to multiple Optical drives 20,000 documents an hour.)
      • Re:Get a Mac (Score:2, Insightful)

        We are talking about end users, and yeah Windows security is abysmal.
      • by Anonymous Coward
        (and to head off the usual Mac'noids, show me a mac based application that scans, OCRs, and backs up to multiple Optical drives 20,000 documents an hour.)

        There's NO reason why a Mac box can't do the exact same thing as any alternative. Sane creation of network topology, data backup subsystem, and general intelligence is NECESSARY to operate a large backup operation, regardless of the Operating System of Choice.
      • by Azureflare ( 645778 ) on Thursday February 12, 2004 @03:38PM (#8261493)
        Talk about overreacting. But, you proved the grandparent poster's point. You are obviously not a user who needs to switch to a Mac. You know what you are doing.

        These people STILL infected with MyDoom don't know the first thing about computer security. They would be MUCH MUCH better off with a Mac than with windows. All they probably do anyway is chat with their little friends on AIM and check their webmail.

        It's obvious that windows is NOT the perfect OS for clueless newbie users, because it leaves gaping holes for them to be abused through. Think about it from the newbie point of view, not the experienced user point of view.

        Thank you.

        • So explain how using a Mac will stop people from downloading a file from Kazaa or whatnot and double clicking on it. If enough dumb users are using a Mac, someone will just release MyDoom.Mac as an app called OfficeXp-Macintosh-Crack.app
        • by ball-lightning ( 594495 ) <spi131313@yahoo.com> on Thursday February 12, 2004 @03:52PM (#8261647)
          These people STILL infected with MyDoom don't know the first thing about computer security. They would be MUCH MUCH better off with a Mac than with windows. All they probably do anyway is chat with their little friends on AIM and check their webmail.


          And that's great, until Macintoshes become popular enough for viruses to be written for them (at which point it's going to be a massacre). A guy I work with owns a Macintosh, and he brags about how he doesn't need to run any antivirus program and how he can open all attachments. If a virus like MyDoom was created for the Macintosh, how much you want to bet my coworker (and people like him) would get infected right away, because they aren't using common sense? Windows may be buggy, and Windows may have a lot of security holes, but in this case, MyDoom does not take advantage of any of them. MyDoom takes advantage of the traditional weakest link in any security system: people.
        • These people STILL infected with MyDoom don't know the first thing about computer security.

          You make some excellent points. And, *why* should the average person *be* an expert on computer security? Why *WHY* should average users need to hassle with patching their box every *fucking* week? I've resisted the Mac for years (price has kept me away), and now have several Linux boxes in addition to my Win boxes, but...

          It's obvious that windows is NOT the perfect OS for clueless newbie users

          Linux just isn't ther

      • Re:Get a Mac (Score:3, Insightful)

        Sane creation of a network topology, email subsystem, proactive network monitoring, and general patch management is NECESSARY to operate a large internet connected environment, regardless of the Operating System of Choice.

        You realize, of course, that the average computer user wouldn't even _understand_ this sentence, much less be able (or willing?) to implement your suggestions.

        You may be right in theory, but for unskilled (read: average, normal) users in the real world, Macs are currently the safe choi
      • Re:Get a Mac (Score:2, Interesting)

        by RancidBeef ( 412397 )
        Well, that's true to a degree. I have several Windoze boxes (on VMWare virtual machines) that I'm responsible for. However, I've noticed that if I do a fresh install with the Win2K disk on a new VM the damn thing gets the Blaster worm (or even Code Red or Nimda) before I can even install the latest service pack. Yeah, I know I should disconnect it from the net until I get the SP installed, but that's a pain in the ass too because that means I have to keep a CD around with all the SPs. As I understand it,
    • by Anonymous Coward
      My Windows box is much better than some stupid ol' Mac. My system installs software ALL ON ITS OWN! Heh, yeah. This software makes my system do things I couldn't have done even if I tried...like sending mail to a bunch of people I haven't even met.

      My system is part of a new global network. Your Mac just sits there and runs. :-P
    • Re:Get a Mac (Score:5, Informative)

      by Moridineas ( 213502 ) on Thursday February 12, 2004 @03:51PM (#8261634) Journal
      Don't mean to be pedantic--but you wouldn't say "get a boxen" because boxen is plural.

      etymologically it's an old way (well, old in English) of pluralizing that we only see in a few words...child children, brother brethren is similar too. Interestingly enough, Persian being an Indo-European language has it too--Taleban (-an) is students (pl).
  • Proofs? (Score:3, Funny)

    by petabyte ( 238821 ) on Thursday February 12, 2004 @03:18PM (#8261211)
    Hmm, it "proofs" eh? Maybe we could get it installed on slashdot to proof all stories as they're posted. :)
  • Deadhat (Score:3, Funny)

    by Anonymous Coward on Thursday February 12, 2004 @03:19PM (#8261219)
    Is that the new BSD release?
  • Proof? (Score:5, Funny)

    by Srividya ( 746733 ) on Thursday February 12, 2004 @03:19PM (#8261223) Homepage
    No proof yet... BBC says MyDoom spread by Linux users to hurt SCO, Linux users say MyDoom spread by spammers to hurt everyone, spammers say MyDoom spread by BIGGER PENIS NOW... Who to believe?
  • by UFNinja ( 726662 ) on Thursday February 12, 2004 @03:19PM (#8261225)
    this proofs MyDoom was initialy spread by organised crime. . .

    I think it "proofs" that the editors don't proofread the submissions. :-P
  • AIM (Score:4, Interesting)

    by nycsubway ( 79012 ) on Thursday February 12, 2004 @03:19PM (#8261233) Homepage
    I wonder if those random IMs I got in AIM are related to MyDoom. I got a couple random messages about capturing Osama Bin Laden from people I haven't talked to in ages. Seems like some sort of virus. Anyone else have that happen?

  • Ok.. (Score:3, Funny)

    by hookedup ( 630460 ) on Thursday February 12, 2004 @03:20PM (#8261236)

    Here's an idea..

    Next time, if you're going to post a link that you have to register for, at least make sure it's in English.
  • by FortKnox ( 169099 ) on Thursday February 12, 2004 @03:20PM (#8261238) Homepage Journal
    In other news, by looking at the same day's news from the Netherlands, you'll see they just released "Deus Ex" and "Deus Ex: Invisible War." Conspiracy Theories have quadrupled since.
  • Thread? (Score:4, Funny)

    by $-chavito-$ ( 732968 ) on Thursday February 12, 2004 @03:20PM (#8261245)
    I hate it when those sneaky Windows worms pose as threads, it makes em that much harder to catch.

  • dark plot to wage cyber-war and steal confidential data from our computers."

    ...I wish that this sinister plot was met with terabytes/second of "confidential data" like, oh, free viagra offers, Nigerian 419 scams, Add 3 inches, etc...

  • DoomNet... (Score:5, Interesting)

    by LostCluster ( 625375 ) * on Thursday February 12, 2004 @03:20PM (#8261247)
    MyDoom's backdoor has been demonstrated by DoomJuice and now the copycats are at it. There's now a network of zombies willing to do the bidding of anybody who hacks in... remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain.

    I guess the only positive side effect is that some of these DoomJuice variants are closing the back door from the original MyDoom so that nobody else can interfere with them. Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload...
    • Re:DoomNet... (Score:2, Informative)

      Actually, according to many [symantec.com] sources [f-secure.com] Deadhat/Vesser came before DoomJuice. So technically DoomJuice is the copycat. There's also a new [symantec.com] variant [f-secure.com] of Welchia that makes use of MyDoom backdoor and then tries to remove it.
      • Re:DoomNet... (Score:3, Informative)

        by httptech ( 5553 )
        Vesser was discovered before Doomjuice, but if you look at the PE timestamp header, you see that Deadhat/Vesser was compiled on Tue Feb 4 06:23:59 2003, while Doomjuice was compiled on Tue Jan 27 06:22:58 2004. While the PE timestamp field can be easily edited, these dates are probably accurate in my opinion. So, Doomjuice can't be considered a copycat of Vesser.

        My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html [lurhq.com]

    • remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain

      Almost right. MyDomain was apparently a variable in the code (uhh, then I am guessing VB code?) and he spelled it MyDoomain.

  • by Kehl ( 663202 ) on Thursday February 12, 2004 @03:21PM (#8261250) Homepage
    ... the now defunct "RedHat" Linux distro?

    Way to go on damning Linux users' reputation :/
  • Virus names (Score:5, Funny)

    by Anonymous Coward on Thursday February 12, 2004 @03:21PM (#8261255)
    Do you think people come up with a clever virus name or the virus first?
  • this proofs [sic] MyDoom was initialy spread by organised crime

    Either that, or a bunch of smart, bored kids in the Netherlands...
  • by saskboy ( 600063 ) on Thursday February 12, 2004 @03:23PM (#8261293) Homepage Journal
    "In the Netherlands there is a newspaper reporting this proves MyDoom was initialy spread by organised crime in a dark plot to wage cyber-war..."

    If organized crime was looking to steal data, all they had to do is ask people. Hundreds of people hand over their eBay, PayPal, and credit card information every day to phisher emails claiming to be from a legit company. Making a worm to steal the information isn't even necessary when the user is already the weakest link after being socially engineered.
    • What you described is just a standard-grade cyber scam.

      If organized crime is behind MyDoom, then it certainly allows them to upgrade to a cyber war. MyDoom takes a territory of the Internet over; otherwise innocent users' PCs suddenly do the work of the hackers. No longer would this crime group need to rent out or hack individual servers to run cyber-scams; MyDoom's backdoor gives them full invisible control of the hacked PCs, including the ability to harvest random users' identities and contacts.
      • by saskboy ( 600063 ) on Thursday February 12, 2004 @03:39PM (#8261497) Homepage Journal
        But nothing is new with MyDoom. Maybe the intent, but there are still dozens of active viruses out there with back door capabilities that could be exploited by crime, or by spammers [which are criminals I suppose].

        Why commit computer crimes from your own machines, when you can do it from another person's, and in fact connect to a 2nd or 3rd infected machine from the first infected machine to add another layer of difficulty to any investigation?

        The ability to harvest contact information exists in a simple forwarded joke email. This is not advanced "war" stuff. If it was advanced, people wouldn't have noticed.
        • The difference between killing as street murder and killing as an act of war lies simply in the volume and intent. We're crossing the line into war because MyDoom is a much bigger problem than any obscure exploit.
  • Posing "threads" (Score:3, Insightful)

    by AndroidCat ( 229562 ) on Thursday February 12, 2004 @03:24PM (#8261307) Homepage
    Viruses that install backdoors aren't new. And scanning to look for the backdoors isn't new. MyDoom.A got big press, spread far, and now (especially since it's now open source :) there are going to be a lot of people taking advantage of it.

    All the speculation about who did it or even why is still speculation. (If someone hated SCO so much, why stop after two weeks?)

    • Not to mention, DoomJuice appears to have come from the original author, which saves the copycats a lot of time in figuring out how to exploit the new flaw.

      In fact, it seems all these people need to do is change the payload of DoomJuice to fit their specific wishes. One letter is not going to be enough to keep all the DoomJuice.* variants straight.
  • Could please someone find their owners and make sure they never get to operate a computer connected to a public network again? They have clearly shown not to be qualified, and are a threat to others.
  • by burgburgburg ( 574866 ) <splisken06NO@SPAMemail.com> on Thursday February 12, 2004 @03:26PM (#8261335)
    creator of the original MyDoom and was leaving a copy of the source of MyDoom on the hard disk. The thoughts were that: a) only the creator of the original would have the source to include as part of Doomjuice's payload and b) if "everyone" had a copy of the source on their hard disk, it would be difficult to prove that any one person was responsible for originally writing it (assuming their computer was found/confiscated/examined).
    • by LostCluster ( 625375 ) * on Thursday February 12, 2004 @03:41PM (#8261525)
      The problem was, by releasing Doomjuice, that author has effectively released an open source program to exploit what I'm calling "DoomNet", the network formed by the PCs infected with MyDoom that haven't been cleaned up yet.

      So, effectively we've got worm-writing for dummies now. No need to write a new full-featured virus, nor even the need to know how to exploit an obscure security hole. Just take DoomJuice and add your own payload...
  • I wonder (Score:5, Interesting)

    by bigattichouse ( 527527 ) on Thursday February 12, 2004 @03:26PM (#8261339) Homepage
    Not that I would condone the activity, but I'm surprised someone hasn't made an email virus that installs an OS on the machine. I would find this an incredible violation of one's choice, but I still won't be surprised when it happens.
    • I'm surprised someone hasn't made an email virus that installs an OS on the machine.

      Too many problems with that... Boot sectors are more or less locked down by your standard anti-virus program. Unless the virus installs an already-infected copy of the new operating system, it wouldn't be able to use past infections as zombies.
    • There was this BeOS installer that was started from Windows, without having to reboot from a CD. Just take that or something similar (ISTR some old Linux distro that did the same) and mail it around, obviously people will simply execute anything they find in their inbox.
    • There'd be little point to this, since even the most oblivious users would tell a difference when they don't see the Windows logo when they boot and they can't find Word.

      Now, a more plausible thing would be to install Cygwin. The user won't see any difference but suddenly their computer has become a lot more useful of a platform from which to launch attacks.
    • Re:I wonder (Score:3, Insightful)

      50MB email attachments don't work so well.
    • Re:I wonder (Score:2, Interesting)

      by Eberlin ( 570874 )
      Unless you're looking at a really small OS, it's a payload/bandwidth issue. As fun as it would have been to network-install SuSe on people, it has got to be darn slow on a dial-up line. Besides, all that downloading slows down the "virus" propagation.

      Now imagine a worm that would go through an IIS-based system, backup all their ASP files and fish for anything SQL Server-related onto a remote server, install LAMP, run ASP2PHP on those ASP files, "restore" them to the server, and electronically file for a
  • Old news [slashdot.org] RTF./
    How hard is to click on the icon [slashdot.org] on the side of the article before posting a new article?
    • This is starting to seem like a cyber version of 9/11/01. So many new worms are being reported so quickly that it's starting to become hard to keep the different stories straight. It seems to magnify the effect of fear to have multiple events on top of each other rather than one at a time...
  • by addie ( 470476 ) on Thursday February 12, 2004 @03:28PM (#8261367)
    Maybe these guys should just start hard rock bands: MyDoom, DoomJuice, DeadHat... It's like when I worked at LaserQuest and had to listen to all the stupid ideas kids had for their codenames.

    What's next, ThunderCat? MrDoom? Anyone smart enough to write a virus this effective must be more imaginative than this!
  • I wouldn't really say this is a novel idea. It seems kind of obvious to me. Worm leaves a gaping hole...write something to exploit gaping hole. duh.
    • What's new is that it appears the creator of the gaping hole put out a sequel worm that exploits the hole. No need to understand virus propagation techniques anymore; those who want to exploit the hole for their own use just need to reprogram the payload part of DoomJuice...
    • I wouldn't really say this is a novel idea. It seems kind of obvious to me. Worm leaves a gaping hole...write something to exploit gaping hole. duh.
      You idiot! By writing a post like that in public, you've just disqualified yourself from ever working in the US Patent Office!
  • white hat worms? (Score:5, Interesting)

    by Anonymous Coward on Thursday February 12, 2004 @03:29PM (#8261383)
    I wonder... what are the legalities behind having a worm go around, attack the backdoor created by MyDoom, and cause an alert box containing the infection info to pop-up on the user console? Or, change the person's wallpaper to a similar message so that they don't just blindly hit ok?
    • Re:white hat worms? (Score:3, Interesting)

      by Anonymous Coward
      Unauthorized access is unauthorized access. The authorities would be happy to prosecute a well-meaning good samaritan. Vigilante justice is (unfortunately) illegal in all circumstances.

      And most people in the know would agree that Welchia, which was the worm intended to fix Blaster infections, was actually worse than Blaster in terms of its impact on networks.
  • by knarfling ( 735361 ) on Thursday February 12, 2004 @03:29PM (#8261384) Journal
    In the Netherlands there is a newspaper reporting this proves MyDoom was initialy spread by organised crime

    I am willing to admit that SCO is a crime, but who is claiming that they are organized??

    I think I would be willing to admit that it was spread by a criminal company.

  • Will anybody read this on March 11th, i.e. 28 days later ?
  • >> it still is a novel way to spread a virus

    I think the word I would have used here is 'obvious'...
  • Laugh with me... (Score:3, Interesting)

    by crimson30 ( 172250 ) on Thursday February 12, 2004 @03:33PM (#8261425) Homepage
    1. Go here: doshelp.com [doshelp.com]
    2. Block applicable ports
    3. Smile when alerts are issued
    • by ron_ivi ( 607351 )
      Are you suggesting people block all those ports because there are known windows trojans that use them?!?

      Sure if you block ports 21, 25, 53, etc you might be safer, but far less functional a system as well. If you go that far, I think you'd be better firewalling off all ports and just opening the ones for the services you _want_ to have exposed.

  • by gokubi ( 413425 ) * on Thursday February 12, 2004 @03:35PM (#8261449) Homepage
    "Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work."

    When a big worm comes out, wouldn't it be possible to write another worm that would utilize the backdoor, get rid of the worm, and then hang about to make reinfection impossible?

    My organization took care of the worm in the first few minutes after it started spreading, but there seem to be a lot of people still out there who aren't protected (if the number of inbound mails my mail server quarantines each day is any indication).

    If someone in a white hat wrote a MyDoom immobilizer worm, and then released it, wouldn't that put a speedy end to MyDoom in the wild?

    • by delirium28 ( 641609 ) on Thursday February 12, 2004 @03:47PM (#8261585) Journal
      This happened with one of the other worms last year (Slammer or something similar, I can't recall right now).

      The problem is that by creating a worm that cleans up the original malware worm, the fix is just as bad as the original virus. You're still using a lot of bandwidth that isn't yours, you're still sending out a program to change someone else's system without their permission, etc.

      On the surface it looks like a good idea, but unfortunately it has a lot of serious drawbacks.

    • And then they'd go to jail.

      I may not lock my windows, but you better believe you're going to get arrested if you walk into my house and try to lock them for me.
  • for the non-dutch (Score:5, Informative)

    by sosume ( 680416 ) on Thursday February 12, 2004 @03:36PM (#8261470) Journal
    or those who cannot get past the registration links:

    Amsterdam - There are signs that the computer virus MyDoom has been brought into circulation by organised crime syndicates. The worm virus was accompanied yesterday by the evil program 'DeadHat'. Microsoft and software maker SCO have a quarter *billion* dollars in stock to reward the tip that will lead them to its creators.

    According to the British research firm mi2g, deadhat is designed to provide its creator with sustaining, long-term control over a system. This power could be abused to hostage websites.

    It is also possible to abuse the pc in sending spam e-mail, and the program is capable of harvesting passwords and other confidential information. Deadhat is an intelligent software agent, a program .....

    [snip] the really boring part

    According to mi2g, deadhat has encrypted intelligence, waiting to be activated. "This definitely looks like the work of organized crime"

    Meanwhile, Doomjuice has come to surface. Another worm which seems to battle for control of the PC.

    • Re:for the non-dutch (Score:3, Interesting)

      by hotair ( 600117 )
      These follow on worms seem like crude attempts to implement Curious Yellow.

      http://blanu.net/curious_yellow.html

      I'm really surprised that we haven't seen various implementations taking over large numbers of computers.

      My only thought has been that the kind of person who implements Curious Yellow is sufficiently more skilled than the average worm writer that they choose to be subtle and slow. If that is the case, then I expect that the 75,000 is a very small number of machines compared to those that are al
  • by t0qer ( 230538 ) on Thursday February 12, 2004 @03:41PM (#8261520) Homepage Journal
    This could have happened to anyone I guess....

    Last week I get a call from another tech friend, "Hey toqer, I got this customer and they got infected with MyDoom. The NAV wasn't set to exclude the exchange store on the server, and it wiped out their calendaring info, the server needs all its logs rebuilt"

    I asked him for more info. Logs rebuilt? WTF was he talking about? Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done. After calling them I went out to see exactly what the problem was.

    This office is a lawyers' office, and their specialty is wills and trust funds. I was met by a really nice French woman at the door. "Toqer, please follow me and I will show you what the problem was"

    She first showed me their main problem. Whenever they would try and modify the big boss's calendar, Outlook would spit out some nonsense about being unable to connect to his free/busy information. The second problem I noticed was that the entire network was running on NT 4.0, and the machines were all Pentium 1 class PCs. "Good thing this is hourly" I said to myself.

    Looking at the NAV logs, it looked like it had deleted some files from d:\exchngsrv\mtadata (not exactly, this is best recollection). First thing I did was set NAV to exclude those folders. Good, done.. Now it was time to fix the problem itself.

    Now I don't have the exact KB article, but the MS solution was to log in as the affected user. Backup his exchange store to personal folders. Use the exchng32 client to delete the calendar folder, then launch outlook with a /resetfolders switch, and finally re-upload his calendar from the PST. After doing it it worked and they were happy.

    It took me 4 hours to fix it, nice little chunk o' change in my pocket. Thanks MyDoom!
    • Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done.

      ...
      It took me 4 hours to fix it, nice little chunk o' change in my pocket. Thanks MyDoom!
      Sounds like the Exchange expert was the smarter person... he gets to bill for 2 days of work! Plus, he didn't fix it so he was probably looking at some more work... until you ruined that for him! ;-)
  • by GillBates0 ( 664202 ) on Thursday February 12, 2004 @03:41PM (#8261524) Homepage Journal
    According to the Symantec Security Response page, the DeadHat (parody of RedHat?) worm spreads through Soulseek disguised as one of the following:

    * Windows2003Keygen.exe
    * mIRC.v6.12.Keygen.exe
    * Norton.All.Products.KeyMkr.exe
    * F-Secure.Antivirus.Keymkr.exe
    * FlashFXP.v2.1.FINAL.Crack.exe
    * SecureCRTPatch.exe
    * TweakXPProKeyGenerator.exe
    * FRUITYLOOPS.SPYWIRE.FIX.EXE
    * ALL.SERIALS.COLLECTION.2003-2004.EXE
    * WinRescue.XP.v1.08.14.exe
    * GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
    * BlindWrite.Suite.v4.5.2.Serial.Generator.exe
    * Serv-U.allversions.keymaker.exe
    * WinZip.exe
    * WinRar.exe
    * WinAmp5.Crack.exe

    This is also a social engineering technique similar to the catchy emails sent by other recent worms.

    The difference I see is that the filenames are catchier and seem to be targeted towards a more computer savvy audience. Normal Windows users wouldn't need to look for WinRar.exe and the other security software cracks/etc...but then, they're the ones who opened the MyDoom attachments in the first place.

    Get the dumb users with vulnerable PCs through email attachments, and break the more secure computers/users through enticing downloads!
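The lure list above is a usable detection input. As an added example (not code from the post or from Symantec), the following Python checks a constructed file-transfer log against the names GillBates0 quotes and against the generic keygen/crack/serial wording they share, so renamed variants are still caught. The log format, user names and the extra non-DeadHat filename are constructed for this example.

```python
import re
from dataclasses import dataclass

# Filenames quoted in the post from Symantec's DeadHat write-up (lower-cased for matching).
DEADHAT_LURE_NAMES = {
    "windows2003keygen.exe", "mirc.v6.12.keygen.exe", "norton.all.products.keymkr.exe",
    "f-secure.antivirus.keymkr.exe", "flashfxp.v2.1.final.crack.exe", "securecrtpatch.exe",
    "tweakxpprokeygenerator.exe", "fruityloops.spywire.fix.exe",
    "all.serials.collection.2003-2004.exe", "winrescue.xp.v1.08.14.exe",
    "goldenhawk.cdrwin.v3.9e.incl.keygen.exe", "blindwrite.suite.v4.5.2.serial.generator.exe",
    "serv-u.allversions.keymaker.exe", "winzip.exe", "winrar.exe", "winamp5.crack.exe",
}

# Generic warez-lure wording shared by most of the names above; catches renamed variants.
LURE_TOKENS = re.compile(r"(keygen|keymaker|keymkr|key\.?generator|crack|serials?|patch)", re.I)
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)


@dataclass
class Finding:
    line_no: int
    filename: str
    reasons: tuple  # why the line was flagged


def _basename(path):
    # Soulseek shares carry Windows paths; take the last component of either separator style.
    return re.split(r"[\\/]", path)[-1]


def scan_transfer_log(log_text):
    """Flag transfer-log lines whose filename looks like a DeadHat-style lure.

    Constructed log format (one transfer per line): "<timestamp> <user> <path>".
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash
        name = _basename(parts[2].strip())
        low = name.lower()
        reasons = []
        if low in DEADHAT_LURE_NAMES:
            reasons.append("matches a published DeadHat lure name")
        if EXECUTABLE_EXT.search(low) and LURE_TOKENS.search(low):
            reasons.append("executable with keygen/crack/serial wording")
        if reasons:
            findings.append(Finding(line_no, name, tuple(reasons)))
    return findings


# Constructed sample log for this example.
SAMPLE_LOG = r"""2004-02-12T15:41:02 user17 C:\shares\music\track01.mp3
2004-02-12T15:41:09 user42 C:\shares\tools\WinRar.exe
2004-02-12T15:41:15 user42 D:\warez\Nero.Burning.ROM.v6.keygen.exe
2004-02-12T15:41:20 user08 C:\shares\docs\readme.txt
2004-02-12T15:41:33 user19 C:\incoming\Serv-U.allversions.keymaker.exe
"""

if __name__ == "__main__":
    for f in scan_transfer_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.filename} -> {'; '.join(f.reasons)}")
```

Note that the exact-name rule also hits legitimately named files such as WinRar.exe, so treat a match as a triage signal to be confirmed by hash or signature rather than as a verdict on its own.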

  • New Welchia Worm (Score:5, Interesting)

    by fdiskne1 ( 219834 ) on Thursday February 12, 2004 @03:43PM (#8261546)
    Whereas the new Welchia/Nachi worm [symantec.com] cleans the MyDoom viruses, sets the hosts file back to just 127.0.0.1 localhost, installs a few Microsoft patches, reboots and scans for other MyDoom, MSBlast and Welchia infected machines to clean. It also sets up a web server on the machine serving a webpage with a cryptic message about various Japanese and Korean massacres. It then disables itself on June 1, 2004, or after running 180 days, whichever comes first.

    I don't normally like any Windows virus, but I have a tough time not liking this one.
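The "sets the hosts file back to just 127.0.0.1 localhost" step implies the tampering being undone: security-vendor and update domains pointed at a sinkhole address so the infected machine cannot fetch updates. As an added example (not code from the post or from Symantec), this Python parses a hosts file and flags that pattern, and also reports whether the file is back to the bare default. The domain list and the sample hosts files are constructed for illustration; substitute your own vendor and update domains.

```python
import ipaddress

# Constructed watch-list of domains a hosts-file edit typically blackholes.
WATCHED_SUFFIXES = (
    "symantec.com", "sophos.com", "mcafee.com", "f-secure.com", "kaspersky.com",
    "trendmicro.com", "windowsupdate.com", "microsoft.com",
)
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip rather than crash
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def _is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Watched domains mapped to a sinkhole address: the fingerprint of a worm's hosts-file edit."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if host != "localhost" and _is_watched(host) and ip in SINKHOLE_IPS]


def is_clean_default(text):
    """True when nothing but loopback-to-localhost mappings remain."""
    return all(host == "localhost" and ip in ("127.0.0.1", "::1")
               for ip, host in parse_hosts(text))


# Constructed samples: a tampered file and a bare default.
TAMPERED_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
0.0.0.0 www.symantec.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com   # blackholed
0.0.0.0 www.sophos.com
192.168.1.10 fileserver.example.lan
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    for ip, host in suspicious_entries(TAMPERED_HOSTS):
        print(f"sinkholed: {host} -> {ip}")
    print("clean default:", is_clean_default(TAMPERED_HOSTS), is_clean_default(CLEAN_HOSTS))
```

On a live Windows box the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a legitimate intranet mapping such as the fileserver line above is left alone because it points at neither a watched domain nor a sinkhole address.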
  • Hmmm.... (Score:5, Funny)

    by fizban ( 58094 ) <fizban@umich.edu> on Thursday February 12, 2004 @03:46PM (#8261577) Homepage
    MyDoom: "Who are you?"

    DoomJuice: "I'm your Grim Reaper."

    MyDoom: "Like hell you are. This is my machine, punk."

    DoomJuice: "Prepare to meet thy maker (wink wink)."

    MyDoom: "Over my dead process."

    DoomJuice: "Look, a little old lady on a Windows 98 machine!"

    MyDoom: (turns) "Who? Where?"

    DoomJuice: "Your Mom." *BONK* "Muhahahaha! Mine, the world is mine!"
  • by jdunlevy ( 187745 ) on Thursday February 12, 2004 @03:47PM (#8261591) Homepage
    Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor...

    Maybe not a big threat in the sense that most of us reading this have been taking precautions against viruses like MyDoom all along (or were on Macs or Linux), but there's still a pretty big secondary threat to all of us who use the internet. I'm still seeing a lot of MyDoom-infected computers out there: a quick look at my mail server shows examples -- sometimes multiple examples -- of MyDoom sent from DSL hosts in cerfnet.com, telus.net, sprintbbd.net, and ameritech.net just within the last hour. When Doomjuice and Deadhat get on these machines and start sucking up neighboring bandwidth with their DoS or whatever, it's a problem -- even if it's not actually your machine that's infected.

  • Kinda scary (Score:4, Insightful)

    by promethean_spark ( 696560 ) on Thursday February 12, 2004 @04:09PM (#8261849)
    That a worm that digs for personal information goes active right when people start doing their taxes in the US. There are a lot of bank account numbers being typed in right now. A worm that hacks TaxAct to send an account number the virus writer can access instead of the user's would be quite profitable. It'd probably only work for 24 hours or less, but it could steal hundreds of millions in that time.
  • by Pup5 ( 543611 ) on Thursday February 12, 2004 @05:10PM (#8262875)
    It's interesting to watch the development of more advanced viruses. We've created the perfect medium for their development, existence within an artificial world.
    • Food is computing power, which it steals.
    • Prey are vulnerable computers, with computing power unprotected.
    • Predators are virus scanning and eradication software.
    • Reproduction is checked only by environmental factors.
    • Evolution has developed two clear attributes: transport and payload.
    It will be very interesting to watch this area develop, especially considering its place in society. It's incredible that not only have software companies been given virtually total immunity from the financial impact of their defective products, but that they have convinced the right parties that people who expose their defects are criminals. Truly incredible.
  • by henryhbk ( 645948 ) on Thursday February 12, 2004 @06:45PM (#8264184) Homepage
    So this is similar to the real life virus Hepatitis D, which is slightly damaged and can't infect a host cell unless actively infected with hepatitis B. It has interesting implications for biology that one can look at the spread of dependent pathogens using computer models, by looking at the spread of these piggyback worms.
  • by TechyImmigrant ( 175943 ) on Thursday February 12, 2004 @07:20PM (#8264554) Homepage Journal
    I have owned the deadhat.com domain for a few years now. It is a simple pun on RedHat and the site is of interest to a very limited group of people.

    I am not at all happy that someone has sullied the good name of my website with a worm.

  • by Raptor-DP ( 729253 ) on Thursday February 12, 2004 @08:07PM (#8264981)
    I've heard many people say 'well, if you'd switch to mac or linux you wouldn't have this problem.' If one person switches to another OS, they still have to deal with the crap that gets written for windows, because like it or not since the majority is windows, and if it's a virus that generates massive amounts of web traffic we all have to put up with it. We all have to deal with the slow downs and the downed servers, not that Microsoft's website being down is that great of a loss. At least until you're a network admin and need information on something critical and can't get to their knowledge base. And if that weren't enough, there are other results of this. It makes the internet look unsafe, and a place that needs outside control. I personally would hate to see more laws and acts than we already have designed to make the internet more 'secure'. Acts set in place to regulate the internet itself, or even more frightening, acts set in place on software makers. Every single new virus that comes out is a potential launching point for so called Trusted Computing. Because, like it or not, holding the software company responsible for its customers not updating their software is stupid. Not saying that Microsoft shouldn't be held responsible for their excuse for a decent OS, but it's not like they aren't at least making patches and fixes for the problems found... slowly, yes ... but at least they are released. And I, while not enjoying Microsoft's software, have to use Windows for certain things, and am glad they are finally taking care of the problems they have. But am completely pissed the hell off at their supposed Trusted Computing, an evil that must be stopped. On another note, has anyone noticed an increase in DNS downage? I've had a few people tell me about problems, that when eventually looked into, were because of downed DNS servers. Possibly a result of MyDoom and Co.?
