Information Security News mailing list archives
MyDoom.B Rapidly Spreading
From: William Knowles <wk () c4i org>
Date: Fri, 30 Jan 2004 07:48:43 -0600 (CST)
Forwarded from: Tcat Houser <Tcat () tcat net>

http://www.emergencyemail.org/cyber1.asp

This information obtained from...

The U. S. Department of Homeland Security
US Computer Emergency Readiness Team

MyDoom.B Rapidly Spreading

Mydoom.B is a new variant of the Mydoom worm and is about 29,184 bytes. This variant attempts to perform a Distributed Denial of Service (DDoS) attack against Microsoft.com. Details regarding this new worm are still emerging, but it has been validated as spreading in the wild. Facts about the worm will be further qualified with follow up reports following this initial analysis.

Once activated, this virus will overwrite the HOSTS file located at %WINDIR%\system32\drivers\etc\hosts.

At least one version of this worm has been observed to write the following data to this file:

    127.0.0.1 localhost localhost.localdomain local lo
    0.0.0.0 0.0.0.0
    0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
    0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
    0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
    0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
    0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
    0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
    0.0.0.0 www.symantec.com symantec.com service1.symantec.com
    0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
    0.0.0.0 support.microsoft.com downloads.microsoft.com
    0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
    0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
    0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
    0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
    0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
    0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
    0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
    0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
    0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net

This will have the effect of making these sites unreachable for any application that uses domain names, including most anti-virus update programs, electronic mail, HTTP, and FTP.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
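
Added example (not part of the original advisory or the ISN post): a Python check that audits HOSTS file text for the tampering described above, flagging security-vendor and update hostnames mapped to 0.0.0.0 or loopback. The suffix list is an assumption drawn from the hosts named in the advisory, the function names are hypothetical, and the sample input is constructed.

```python
import ipaddress

# Assumption: suffixes chosen from the security and update hosts listed in the advisory.
PROTECTED_SUFFIXES = (
    "symantec.com", "sophos.com", "f-secure.com", "mcafee.com", "nai.com",
    "networkassociates.com", "trendmicro.com", "kaspersky.ru", "viruslist.ru",
    "avp.ru", "avp.ch", "avp.com", "ca.com", "my-etrust.com", "microsoft.com",
)

def is_null_route(addr):
    """True when addr is the unspecified address (0.0.0.0, ::) or loopback."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # first field is not an IP literal, so not a mapping we judge
    return ip.is_unspecified or ip.is_loopback

def matches_protected(host):
    """Match on whole DNS labels so 'mica.com' does not match 'ca.com'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, address, hostname) for each protected name that is null-routed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or not is_null_route(fields[0]):
            continue
        for host in fields[1:]:  # one line may carry many aliases
            if matches_protected(host):
                findings.append((line_no, fields[0], host))
    return findings

# Constructed sample: lines in the shape quoted in the advisory, plus benign entries.
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 liveupdate.symantec.com update.symantec.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com  # constructed comment
10.1.2.3 intranet.example.test
0.0.0.0 ads.fastclick.net
127.0.0.1 WWW.SOPHOS.COM.
"""

if __name__ == "__main__":
    for line_no, addr, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

Ad-network names null-routed in a HOSTS file are common in legitimate blocklists, so the check reports only security and update hostnames.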