Fwd: [ISN] MyDoom.B Rapidly Spreading

["H. Morrow Long" <morrow.long () YALE EDU>]

In case you haven't seen this already:

Begin forwarded message:

> From: William Knowles <wk () c4i org>
> Date: January 30, 2004 8:48:43 AM EST
> To: isn () attrition org
> Subject: [ISN] MyDoom.B Rapidly Spreading
> Reply-To: William Knowles <wk () c4i org>
>
> Forwarded from: Tcat Houser <Tcat () tcat net>
>
> http://www.emergencyemail.org/cyber1.asp
>
> This information obtained from...
> The U. S. Department of Homeland Security
> US Computer Emergency Readiness Team
>
> MyDoom.B Rapidly Spreading
>
> Mydoom.B is a new variant of the Mydoom worm and is about 29,184
> bytes. This variant attempts to perform a Distributed Denial of
> Service (DDoS) attack against Microsoft.com. Details regarding this
> new worm are still emerging, but it has been validated as spreading in
> the wild. Facts about the worm will be further qualified with follow
> up reports following this initial analysis. <
> Once activated, this virus will overwrite the HOSTS file located at
> %WINDIR%\system32\drivers\etc\hosts.
>
> At least one version of this worm has been observed to write the
> following data to this file
>
> 127.0.0.1       localhost localhost.localdomain local lo
> 0.0.0.0         0.0.0.0
> 0.0.0.0         engine.awaps.net awaps.net www.awaps.netad.doubleclick.net
> 0.0.0.0         spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
> 0.0.0.0         media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
> 0.0.0.0         ads.fastclick.net banner.fastclick.net banners.fastclick.net
> 0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
> 0.0.0.0         ftp.f-secure.com securityresponse.symantec.com
> 0.0.0.0         www.symantec.com symantec.com service1.symantec.com
> 0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
> 0.0.0.0         support.microsoft.com downloads.microsoft.com
> 0.0.0.0         download.microsoft.com windowsupdate.microsoft.com
> 0.0.0.0         office.microsoft.com msdn.microsoft.com go.microsoft.com
> 0.0.0.0         nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
> 0.0.0.0         networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
> 0.0.0.0         www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
> 0.0.0.0         avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
> 0.0.0.0         download.mcafee.com mast.mcafee.com www.trendmicro.com
> 0.0.0.0         www3.ca.com ca.com www.ca.com www.my-etrust.com
> 0.0.0.0         my-etrust.com ar.atwola.com phx.corporate-ir.net
>
> This will have the effect of making these sites unreachable for any
> application that uses domain names, including most anti-virus update
> programs, electronic mail, HTTP, and FTP.
>
> [...]
>
>
>
>
> -
> ISN is currently hosted by Attrition.org
>
> To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
> in the BODY of the mail.

Attachment: smime.p7s
Description: