The worm has a limited lifespan: it is coded to exit immediately if run after 1 March (UTC). The worm creates a mutex with the name "sync-v1.
Once run, it looks for the previous variant, Mydoom.A, terminates its process and deletes "shimgapi.
The worm is able to send itself to computers already infected by the earlier variant. It finds them through a network scan of randomly generated IP addresses, skipping some invalid ranges.
It then attempts a connection to the port opened by the previous variant's backdoor; if the machine is found to be infected, the worm transfers itself through that backdoor and is executed immediately, so that already-infected computers are updated to the new version without the user having to receive the worm by email. Additionally, the worm obtains the infected computer's hostname through gethostbyname, resolves its IP address and scans for other infected computers in the same address range.
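The propagation described above leaves a characteristic footprint on the network: one source contacting the same destination port on many distinct hosts in a short time, first at random and then across its own address range. The following detector, added here as an example and not part of the original analysis, finds such sweeps in firewall deny/allow logs. The log format, all addresses, the time window and the destination port (51234, an arbitrary constructed value, not the backdoor port the worm actually uses) are assumptions for the demonstration.

```python
"""Flag sources that contact one TCP port on many distinct hosts (horizontal sweep).

Added defender-side example; the log format, addresses and port are constructed
for the demo and are not taken from the worm analysis.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO8601Z> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_sweeps(lines, min_targets=8, window=timedelta(minutes=5)):
    """Return {(src, dport): max_distinct_targets} for every (source, port) pair
    that reached at least `min_targets` distinct destinations inside `window`.

    Both allowed and denied connections count: a successful connect to an
    already-backdoored host is exactly the event the worm is looking for.
    """
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        events[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # time-ordered so a sliding window is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


# Constructed sample: 10.0.0.5 sweeps ten neighbours on port 51234 within
# ten seconds; 10.0.0.7 talks HTTPS to three hosts, which is normal traffic.
SAMPLE_LOG = [
    f"2004-02-01T10:00:{i:02d}Z src=10.0.0.5 dst=198.51.100.{i} dport=51234 action=DENY"
    for i in range(10)
] + [
    "2004-02-01T10:01:00Z src=10.0.0.7 dst=203.0.113.1 dport=443 action=ALLOW",
    "2004-02-01T10:01:05Z src=10.0.0.7 dst=203.0.113.2 dport=443 action=ALLOW",
    "2004-02-01T10:01:09Z src=10.0.0.7 dst=203.0.113.3 dport=443 action=ALLOW",
    "this line is garbage and must be ignored",
]

if __name__ == "__main__":
    for (src, port), n in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} -> {n} distinct hosts on tcp/{port}")
```

Tune `min_targets` and `window` to the environment; the point of keying on (source, port) rather than on the port alone is that a worm updating its predecessors hits one fixed port from one host, whereas a legitimate client fans out across many ports and destinations.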
One DDoS attack launches 8 threads against www. The other DDoS attack launches 14 threads against www. The hosts file on infected machines is modified so that domains belonging to anti-virus companies and other commercial sites resolve to the IP address 0. The file is stored encrypted within the worm's code and contains the following:
This makes those sites inaccessible. On 3 February the entry is removed so that the attack can be performed, which will probably make the site difficult to reach if the DDoS succeeds. The hosts-file modifications are probably targeted so that customers of the most widespread anti-virus products cannot download new updates to disinfect the worm.
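Because the sabotage above is a plain text edit to the hosts file, it is also easy to audit for. The checker below, added here as an example and not code from the original analysis, parses a hosts file and reports any entry that pins a vendor or update domain to an address, distinguishing sinkholed entries (unspecified or loopback addresses) from entries pointing somewhere else. The watch-list domains and the sample hosts file are constructed placeholders.

```python
"""Audit a hosts file for entries that hijack vendor / update domains.

Added defender-side example. The watch-list and sample file are constructed;
substitute the real domains your AV and OS update clients depend on.
"""
import ipaddress

# Constructed watch-list: domain suffixes that should never be overridden locally.
WATCHED_SUFFIXES = ("example-av.test", "updates.example-os.test")


def parse_hosts(text):
    """Yield (ip_address_object, hostname) for every usable entry.

    Comments and blank lines are ignored; a line whose first field is not a
    valid IP address is skipped instead of raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def is_watched(host, suffixes=WATCHED_SUFFIXES):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def suspicious_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return [(host, ip, reason)] for watched domains found in the hosts file.

    reason is "sinkholed" when the mapping goes to an unspecified (0.0.0.0, ::)
    or loopback address, which blocks the site outright, and "pinned" when it
    goes anywhere else, which silently redirects the client.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host, suffixes):
            continue
        if ip.is_unspecified or ip.is_loopback:
            findings.append((host, str(ip), "sinkholed"))
        else:
            findings.append((host, str(ip), "pinned"))
    return findings


# Constructed sample hosts file: the localhost line is normal, the next three
# block update domains outright, and the last watched entry redirects a mirror.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
0.0.0.0     www.example-av.test
0.0.0.0     update.example-av.test
127.0.0.1   download.updates.example-os.test
192.0.2.7   mirror.example-av.test   # redirected rather than blocked
10.1.1.5    intranet.corp.test       # unrelated internal entry, ignored
notanip     broken.example-av.test   # malformed, skipped
"""

if __name__ == "__main__":
    for host, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:9s} {host} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`. Any hit for a vendor domain is worth treating as an incident indicator, since legitimate administration almost never needs to override those names.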
The email messages sent by the worm have the following characteristics. Subjects can be any of the following: As with older Mydoom variants, Mydoom.B collects addresses from the Windows Address Book and from files with the extensions: Once an address is chosen from the list of harvested addresses, the worm also sends email to other accounts in the same domain, such as:
Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux.
This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs. Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—prompting speculation that the same people were responsible for both worms. Later analyses were less conclusive as to the link between the two worms. Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm.
Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate." Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French.
The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user's address book. Some early reports claimed the worm avoids all.
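The lure described above combines two signals a mail gateway can check mechanically: a subject that imitates a delivery notification, and an executable attachment, which a genuine bounce from a mail system never carries. The triage function below, added here as an example and not code from the original page, parses an RFC 822 message with Python's standard `email` package and scores it on those two signals. The executable-extension list and the sample messages are constructed for the demonstration.

```python
"""Triage inbound mail for fake delivery-failure lures carrying executables.

Added defender-side example; the extension list and sample messages are
constructed and the four subjects are the ones quoted in the text above.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subjects named in the description, compared case-insensitively after stripping.
BOUNCE_LIKE_SUBJECTS = {"error", "mail delivery system", "test", "mail transaction failed"}

# Constructed list of extensions Windows will execute directly on double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def attachment_names(msg):
    """Filenames of all attachment parts (empty list for plain messages)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw_bytes):
    """Return (verdict, reasons) for one raw message.

    'quarantine' when both the bounce-like subject and an executable attachment
    are present, 'review' when only one signal fires, 'pass' otherwise.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["subject"] or "").strip().lower()
    executables = [
        n for n in attachment_names(msg)
        if os.path.splitext(n.lower())[1] in EXEC_EXTENSIONS
    ]
    reasons = []
    if subject in BOUNCE_LIKE_SUBJECTS:
        reasons.append("bounce-like subject")
    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))
    # A real bounce carries message/delivery-status or message/rfc822 parts,
    # never a Windows executable, so both signals together are decisive.
    if len(reasons) == 2:
        return "quarantine", reasons
    return ("review" if reasons else "pass"), reasons


def build_sample(subject, filename, payload=b"MZ\x90\x00 constructed stub"):
    """Construct a test message with one binary attachment (sample data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fn in [("Mail Transaction Failed", "message.scr"),
                     ("Test", "notes.txt"),
                     ("Quarterly report", "report.pdf")]:
        verdict, why = classify(build_sample(subj, fn))
        print(f"{verdict:10s} subject={subj!r} attachment={fn!r} {why}")
```

In production the executable check should look inside archives as well and should not trust the declared filename alone; the structure of the rule, subject imitation plus executable payload, is what carries over.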
A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks access to Microsoft sites and popular online antivirus sites by modifying the hosts file, thus blocking virus removal tools or updates to antivirus software.