MyDoom.A in the wild

This thing is spreading like wildfire, which is sad, because it's one of the worst attempts at social engineering ever. We should go beat the people who actually ran these attachments.

It has the potential to be nasty. There is some "innocent looking" stuff it does with Notepad, which might lead the user to believe that it's harmless. It copies itself to taskmon.exe in your system directory, opens a backdoor on TCP port 3217, launches a DDoS against sco.com, and harvests e-mail addresses from files (such as HTML, TXT and PHP). It also attempts to propagate not only over e-mail but over KaZaa (see? RIAA was right - downloading music is bad for you :).

In my mind, the worst thing about it is that it spoofs e-mail. So someone's probably out there getting e-mails from me, cursing me out that I've sent them a virus. But it wasn't me, it was someone who had me in their contacts and was infected.

I hope I don't have to change my e-mail again...  :)

Published Tuesday, January 27, 2004 9:22 AM by Tim Marman

Comments

# re: MyDoom.A

Tuesday, January 27, 2004 9:53 AM by denny
Hmmm.....

One of the aspects of the SMTP spec is its lack of an end-to-end "audit trail" so that email cannot be so easily forged. Some work is happening to fix this, but it will take time.

BTW, this is not the first virus/worm/trojan to do this; for example, SoBig has the same kind of email forgery in its behaviour.

I'd say keep your email... changing will not stop it.
And good antivirus & email systems will trap it and know it's fake.

Some folks don't get it (the forgery bit) and react to it.... and someone has to educate them...
I had a lady with inbound SoBig who was mistaken on this and was using an auto-responder to inbound email telling me that she had a new email address.... :-) When I finally explained it to her she was embarrassed.... she had been "spamming" hundreds / thousands of email addresses with her personal contact info (yes, her name and phone number in her reply to a forged email!!!!)

and so it goes....
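The post's complaint about spoofed From: addresses and denny's point about SMTP lacking an end-to-end audit trail both come down to the same thing: the From: header is written by whoever submits the mail, while each relay prepends its own Received: line. The script below is an added example, not code from the post or its commenters; it parses a constructed message whose From: claims the blog author but whose oldest Received: hop names a different host, the kind of check that tells a recipient who really sent a worm-bearing mail. Hostnames and addresses in the sample are made up.

```python
# Added example (not from the original post): show why the From: header
# proves nothing about origin, and how the Received: chain is read instead.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. From: claims tim@example.com, but the oldest
# Received: line (the last one in the header block) shows the message was
# handed in directly by a dial-up host at a different ISP.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.5])
\tby mx.example.org with ESMTP id abc123; Tue, 27 Jan 2004 09:01:12 -0500
Received: from dsl-203-0-113-42.example-isp.net ([203.0.113.42])
\tby mail.example.net with SMTP; Tue, 27 Jan 2004 09:01:10 -0500
From: Tim Marman <tim@example.com>
To: victim@example.org
Subject: test

body
"""

_RECV_FROM = re.compile(r"from\s+(\S+)", re.IGNORECASE)

def received_hops(msg):
    """Received: headers oldest-first. Relays prepend their line, so the
    last Received: in the header block is the first hop the mail took."""
    return list(reversed(msg.get_all("Received", [])))

def origin_host(msg):
    """Host named in the oldest Received: line, or None if there is none.
    Only the line added by your own trusted relay is certain; earlier
    lines can be forged by the sender, so treat this as best-effort."""
    hops = received_hops(msg)
    if not hops:
        return None
    m = _RECV_FROM.search(hops[0])
    return m.group(1) if m else None

def from_mismatch(msg):
    """True when the From: domain does not appear in the origin host.
    Not proof of forgery on its own, but reason to look at the Received:
    chain instead of replying (or auto-responding) to the From: address."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = origin_host(msg)
    return bool(domain) and (origin is None or domain not in origin.lower())

def analyze(raw):
    """Summarise claimed sender vs. observed origin for a raw RFC 822 message."""
    msg = message_from_string(raw)
    return {"from": parseaddr(msg.get("From", ""))[1],
            "origin": origin_host(msg), "suspicious": from_mismatch(msg)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```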

# re: MyDoom.A in the wild

Tuesday, January 27, 2004 10:04 AM by Doug Reilly
I am getting 25 per hour, pretty consistently. Amazing.

# re: MyDoom.A in the wild

Tuesday, January 27, 2004 10:15 AM by G. Andrew Duthie
Agreed on the beatings. But I don't think we should stop there. At this point, anyone with more than 6 months experience using a computer who opens one of these attachments should have their computer privileges taken away for 5 years, or until email is idiot-proofed, whichever is longer.

This stuff is really inexcusable.

Nice CSS layout, BTW.

# re: MyDoom.A in the wild

Tuesday, January 27, 2004 10:24 AM by Matt Hawley
Just remember that the DoS attacks are supposed to start Feb 1 - 12 (I believe it's the 12th). I wonder if this is like the CodeRed worm where it's pointing to a specific IP, or if it is actually doing a DNS lookup to find the IP of SCO at the time.

Also, don't forget that the darn thing opens up like 30 ports, so it's possible a hacker has gotten into your comp if you're not behind a firewall or router that blocks those requests.

# re: MyDoom.A in the wild

Tuesday, January 27, 2004 12:55 PM by Tim Marman
GAD - thanks.

I actually like that idea a lot. If you are reckless with a car, you lose your license. Maybe you should need a license to use a computer too. And when you're dumb about things, revoke it.

Even my mom, who refused to even look at a computer less than a month ago, knows better than to open these things!
