MyDoom

[Yrrek]

Read all about it. :) http://www.cnn.com/2004/TECH/internet/01/2...dwed/index.html

[--Pete]

. . . the total intelligence on the Internet is constant, the population is growing.

Hi,

If people wouldn't click on attachments from unknown sources . . .

Never mind, that's not even a hypothetical. That's a counterfactual. :)

--Pete

[Tal]

We've gotten about 100 copies of it at work so far on the email server. It does seem to be slowing down abit now though. :)

[Yrrek]

I haven't gotten anything at my house yet, but my boss just told me that there was a new virus going 'round, so I thought I would give the Lurkers a heads-up. Happy hunting! :)

[Sir_Die_alot]

Bolty is probably still busy deleting these from his inbox to reply. :lol:

[Baajikiil]

Thanks for the heads up. I have received 3 mails containing mydoom since yesterday. Not a very remarkable amount perhaps, but the account I received it on is only known by coworkers at the office. I'm still trying to find out where the hell they are coming from.

(and no, I didn;t open the attachments <_< )

[kandrathe]

My virus filter on our email server has found 50 today as of 4:20pm. There will be the wave of variants as well.

[Tal]

I haven't gotten anything at my house yet, but my boss just told me that there was a new virus going 'round, so I thought I would give the Lurkers a heads-up. Happy hunting! :)

Got 30 more since my last post. Maybe it wasn't slowing down. :lol:

[Kartoffelsalat]

I never seem to get any of these e-mail scams/viruses/worms. One in twelve is a heck of a lot of e-mails, and I guess it'll only get bigger as more and more morons open the attachments.

[Count Duckula]

If people wouldn't click on attachments from unknown sources . . .

Never mind, that's not even a hypothetical.&nbsp; That's a counterfactual. :)

I've gotten seven copies of this thing from Hollins email addresses. The university's official Virus and Hoax Update page hasn't been updated since August 2003. Time for Hollins to blame students for opening attachments, shut down the server, wipe everything clean, and restart. :(

[Selby]

As a former maintainer of a mailserver's anti-virus software, I get email notifications of every virus our users get (from a department I don't even work at anymore). It's been a busy inbox day.

[Bolty]

Bolty is probably still busy deleting these from his inbox to reply.&nbsp; :lol:

One of the nice things about being on so many mailing lists/contacts is that I know there's a new virus out before just about anyone. Monday night I checked my email and had over fifteen emails with the subject "Hi" and an attachment. I said to myself, "must be a new one on the loose," and then on the drive in to work on Tuesday I heard about it on the radio.

I've gotten better with these things now. Thanks to a good virus checker (AVG) and Outlook email rules, it all gets thrown into the trash and doesn't bother me. I haven't bothered to count how many I've gotten, but frankly, I took a bigger hit with SirCam than MyDoom.

-Bolty

[Kevin]

MyDoom was actually contained pretty quickly. Our campus had it blocked from getting to the outside world by 4pm on Monday (we first noticed it about 15 minutes before that). We had all the server side e-mail virus scanners updated and a new patch for the campus install of McAfee pushed out by 6pm. There were sill about 40 infected machines, but we had all those cleaned by noon on Tuesday. For awhile we had the mail servers dropping all zip files until Sybari could get the update to us. But again, outside of the campus network were shut down quick. I imagine that our case wasn't much different from a lot of the organizations out there. Rapid containment of trojans is getting pretty easy. MyDoom only spread so fast because of the coordinated launch times.

Now worms are a bit harder. We are still fighting occasional outbreaks of Welchia, FireDaemon, and gaobot. But those are mainly due to people not using secure admin passwords or doing a rebuild and not getting the DCOM patch put on right away, and since our security team won't remove the network block until the system has been completely reformatted due to the backdoors that most of the worms put in to allow other compromised to be installed, some people get reinfected a couple of times.

[Moldran]

It seems that MyDoom is pretty effective so far. sco.com is down since almost 2 days now ;)

[Bun-Bun]

That's assuming that MyDoom is actually at fault. I wouldn't put it past SCO to take their own site down to generate sympathy. There's some discussion of that over at Groklaw.

[[wcip]Angel]

. . . the total intelligence on the Internet is constant, the population is growing.

Hi,

If people wouldn't click on attachments from unknown sources . . .

Never mind, that's not even a hypothetical.&nbsp; That's a counterfactual. :)

--Pete

Hahahaha!!

Pure gold, and *very* quote-worthy :)


.. but I have to say, I'm a tad jealous. I never get spam and I never get virus-related e-mails. What's wrong? Am I not a viable target? I feel all left out.

[Baajikiil]

.. but I have to say, I'm a tad jealous. I never get spam and I never get virus-related e-mails. What's wrong? Am I not a viable target? I feel all left out.

Just post your email here. Even if I don't get around to sending you some of my extra spam, I'm sure some search routine will turn it up in time and sell it to some spammers.

Good Luck. :P

[Moldran]

That's assuming that MyDoom is actually at fault. I wouldn't put it past SCO to take their own site down to generate sympathy. There's some discussion of that over at Groklaw.

SCO deleted the attacked adress from the DNS.
Considering the massive spread of MyDoom, the attack probably was / would have been succesfull, though.

If the attack actually helps SCO or harms them... very hard to tell.

What is interesting though is that sco.com and www.caldera.com are also unavailable. They shared the same IP with www.sco.com. SCO should have been able to keep these sites available by moving them to otcher machines and assigning them separate IP adresses, shouldn't they ?

[Bob]

Latest incarnation now out!
Extra! Extra! Read all about it.

Update virus scanner NOW if you value the life of your computer!

-Bob

[Bun-Bun]

What is interesting though is that sco.com and www.caldera.com are also unavailable. They shared the same IP with www.sco.com. SCO should have been able to keep these sites available by moving them to otcher machines and assigning them separate IP adresses, shouldn't they ?

As I understand it, MyDoom has the IP hardcoded, so all the sites at that IP would be affected. Also, it looks like the malware only pings www.sco.com once to test connectivity, rather than issuing a flood. I could be wrong on that, though; I'll need to check some other (less partisan) sources.

From Symantec's site:

Checks the system date, and if the date is between February 1, 2004 and February 12, 2004, there is a 25% chance the worm will perform a DoS attack against www.sco.com. The DoS is performed by creating 63 new threads that send GET requests and use a direct connection to port 80. The worm will not mass mail itself if the DoS attack is triggered.


Notes:
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
Due to the way the worm verifies the system date, the DoS will only be executed on 25% of infected computers.
The DoS will only occur when the system date is checked during the initial infection, or if the computer is restarted.
The worm will use local DNS settings to resolve the domain name used in the DoS attack (www.sco.com).

Apparently, MyDoomA will attempt to resolve www.sco.com, so I have no idea why SCO would drop the other domain names unless it's to garner sympathy, or out of ignorance.

Edit: added info from Symantec.