Free Republic

Dangerous Mydoom [virus] Variant Appears
techweb.com via CRN ^ | 01/28/2004 | Gregg Keizer

Posted on 01/28/2004 3:58:21 PM PST by BigSkyFreeper

The first copycat of the widespread Mydoom worm appeared Wednesday on the Internet, and some analysts are warning it may be even more dangerous than the original.

Dubbed Mydoom.b by most security firms, the variant strongly resembles the Mydoom, now tagged as Mydoom.a, but adds some new disturbing traits.

Some of the subject lines used by Mydoom.b depart from the original, including new headings of 'Delivery error' and 'Returned mail,' both of which try to trick users into believing that the message is legit and can safely be opened.

Another change in Mydoom.b is the addition of microsoft.com as a target for a February 3 denial-of-service (DoS) attack. Mydoom.a specified sco.com as the target for a February 1 DoS assault by compromised machines; Mydoom.b has both sites and the associated dates embedded in its code.

Most notable, and most disturbing, however, is that Mydoom.b prevents infected users from accessing anti-virus and other computer support sites.

The worm modifies the host file on the compromised system so that 65 Web sites resolve to the IP address of 0.0.0.0, making them inaccessible.

The list of affected sites includes major names in the anti-virus and security trade, including Symantec, McAfee, F-Secure, Sophos, Network Associates, and Kaspersky Labs. Microsoft's Office Update and Windows Update, as well as other Microsoft download locations, are also on the list.

That makes it much more dangerous than its predecessor, said Ken Dunham, the malicious code director for security firm iDefense.

"This new variant is worse than Mydoom.a," he said, because the lack of access to security and anti-virus sites will make it impossible for many users, particularly consumers, to obtain updates to protect or clean their systems. "This will result in a longer lifespan for Mydoom.b," he said.

Dunham, along with other security experts, suspects that Mydoom.b is being launched from computers already infected with the original Mydoom.a. "If this is the case," said Dunham, "Mydoom.b will likely become very prevalent in just a few hours."

Moscow-based Kaspersky Labs agreed. "Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom," said Kaspersky spokesman Denis Zenkin in an e-mailed statement. "The computer community may be facing a much more serious outbreak than the one caused by Mydoom.a yesterday."

Anti-virus firms are racing to combat Mydoom.b with updated virus definition files, but not all companies have yet posted alerts for the variant, nor updates that can defend and disinfect.


TOPICS: Front Page News; News/Current Events
KEYWORDS: computer; computing; lowqualitycrap; microsoft; mydoom; mydoomb; virus; w2k; windows; windows2000; windows98; windows9x; windowsxp; worm
To: techwench
It pays my bills....
21 posted on 01/28/2004 4:18:47 PM PST by Texaggie79 (Did I just say that?)
[ Post Reply | Private Reply | To 19 | View Replies]

To: BobS
Surely there is a conservative hacker out there that can create a mydoom.rat virus that will nullify those wacko dem sites?

Quite honestly, I can't see that would serve a useful purpose. We need to let them talk about their feelings. Far better they do it in their little ghettos than to force them into other, more public venues where they might have more influence.

Besides, the script kiddies are young, high school and college age, and are much more Greenies or anarchist types instead of Dims.
22 posted on 01/28/2004 4:18:49 PM PST by George W. Bush
[ Post Reply | Private Reply | To 15 | View Replies]

To: lelio
I forget what folder it's in, but the Windows file is lmhosts.sam.
23 posted on 01/28/2004 4:19:00 PM PST by BigSkyFreeper (All Our Base Are Belong To Dubya)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Cagey
Not everyone on here is under 30.

Pretty darn close here. I'm 33, and the computer courses I took in High School were BASIC programming on TRS-80's.

24 posted on 01/28/2004 4:20:39 PM PST by BigSkyFreeper (All Our Base Are Belong To Dubya)
[ Post Reply | Private Reply | To 20 | View Replies]

To: BobS
Most hackers aren't old enough to vote.
25 posted on 01/28/2004 4:23:24 PM PST by BigSkyFreeper (All Our Base Are Belong To Dubya)
[ Post Reply | Private Reply | To 15 | View Replies]

To: BigSkyFreeper
Isn't there a web site to get updates on all of this stuff...to protect your computer?
26 posted on 01/28/2004 4:25:16 PM PST by I_love_weather
[ Post Reply | Private Reply | To 24 | View Replies]

To: BigSkyFreeper
I'm 33, and the computer courses I took in High School were BASIC programming on TRS-80's.

But, he was talking about Windows. How long has Windows been around? Windows didn't become popular until Windows 3.0 was released and that was in 1990.

27 posted on 01/28/2004 4:25:44 PM PST by Cagey
[ Post Reply | Private Reply | To 24 | View Replies]

To: lelio
Windows has a similar "stub" file like this too. You'll have to dig around for it, but you can find it under the TCP/IP - DNS settings. Look for something like "hosts" or "lmhosts." Should be a text file with maybe 3 entries in it.

Unless you use it to add anti-spam entries to block pop-ups and such. For instance, my own is 62KB. Here's a few entries from it where I effectively zot any traffic from these sites.

127.0.0.1 ads.web.aol.com
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com

So, normally a given webpage may pop up another window. But nothing else can load into that popup window if it is from one of these sites. And so each popup window can't popup even more popup ads. You cut the chain for all subsequent popups by blocking them from downloading their HTML.

These kinds of lists can be downloaded and used on any Windows system from many sites.

You can find programs to manage HOSTS files and links to get current listings to install as your own HOSTS file to block popups at this site:

Hosts Files Administration
28 posted on 01/28/2004 4:30:01 PM PST by George W. Bush
[ Post Reply | Private Reply | To 18 | View Replies]
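
Added example (not part of the article or of any post in this thread): a hosts-file audit for the change the article describes, where security and update sites are mapped to 0.0.0.0, that leaves ad-block entries like those in post 28 alone. The watchlist of domain suffixes and the sample file are constructed for illustration; they are not the worm's actual list of 65 sites.

```python
import ipaddress

# Assumed watchlist of domain suffixes that should never be sinkholed.
# Built from vendors named in the article; NOT the worm's real list.
PROTECTED_SUFFIXES = ("symantec.com", "mcafee.com", "f-secure.com",
                      "sophos.com", "kaspersky.com", "windowsupdate.com",
                      "microsoft.com")

def is_sinkhole(addr):
    """True for unspecified (0.0.0.0, ::) or loopback addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not an IP literal: malformed line
    return ip.is_unspecified or ip.is_loopback

def audit_hosts(text):
    """Return (line_no, address, hostname) for each protected name
    that the hosts file maps to a sinkhole address."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:                 # one line may carry aliases
            host = name.lower().rstrip(".")
            # Match on a label boundary so "notsymantec.com" is not flagged.
            if any(host == s or host.endswith("." + s)
                   for s in PROTECTED_SUFFIXES):
                findings.append((lineno, fields[0], host))
    return findings

# Constructed sample hosts file.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   ads.zdnet.com   # ad-block entry as in post 28
0.0.0.0     www.symantec.com
0.0.0.0     windowsupdate.microsoft.com download.mcafee.com
10.1.2.3    intranet.example
0.0.0.0     notsymantec.com
"""

if __name__ == "__main__":
    for lineno, addr, host in audit_hosts(SAMPLE):
        print(f"line {lineno}: {host} -> {addr} (blocked security/update site)")
```
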

To: commish
I once worked on a girlfriend's computer that had AOHell installed. New HD, the whole bit. Many driver conflicts. 9 hours of work. Our relationship ended weeks later.

Now I'm a different man. If a woman asks me to fix her computer and she has AOHell installed, she makes a deposit consisting of a dinner and a full night in bed before I touch anything! LOL!

29 posted on 01/28/2004 4:30:02 PM PST by BobS
[ Post Reply | Private Reply | To 14 | View Replies]

To: BigSkyFreeper
I took BASIC programming on an Apple IIC computer in high school.

When I was a senior in college, I took a course on computers and everyone by then was talking about this new thing called "Windows". I was totally clueless.

Then a few years after that, I took a night class at the local community college that really set me up--Intro to Windows 3.11. That was in late 1994. Of course, by then, everybody was talking about this new thing called "Windows '95".
30 posted on 01/28/2004 4:31:29 PM PST by wimpycat ("Black holes are where God divided by zero.")
[ Post Reply | Private Reply | To 24 | View Replies]

To: BigSkyFreeper
I forget what folder it's in, but the Windows file is lmhosts.sam

Unfortunately the name varies for different releases of Windows.
31 posted on 01/28/2004 4:32:14 PM PST by George W. Bush
[ Post Reply | Private Reply | To 23 | View Replies]

To: George W. Bush
you cannot reap, when you did not sow,

  you cannot teach what you do not know,

   you cannot lead where you will not go.


Sorry to break it to you "W," but teachers are too busy instructing kids on the finer details of fisting, condom use, grade of crack, "ethnicity as victimhood" and the like, to bother with basic computer architecture.

And yes, editing a simple text file, or even searching for *hosts*, is too hard for a teacher, who has THE RENOWNED "no I cannot teach tech stuff because it's too hard for my minority kids" ATTITUDE. Truth is, most teachers are too lazy to edit their own hosts files, write a simple *pif file, or even find and edit the old "autoexec" file.

Point and click applications they love.

Architecture and basic requirements of computing... makes their eyes glaze over. And this attitude is NOT just the result of Microsoft, point and click... Mac folks want a "do nothing but click dialogue box options" too. Most MS and Mac users go into panic mode, if you bring up a terminal or a dos prompt command line...

Nobody cares to teach these kids something useful like computer architecture, and basic programming language of any kind. I like point and click, but I still look at punchcards for fun now and then. I remember doing that.

Good luck on "no child left behind" Mr. President.

"Buy that kid a condom, stat!" is the current state of the teaching art. One further question "How we gonna go to Mars, with a crop of condom experts?"

32 posted on 01/28/2004 4:32:48 PM PST by eccl1212
[ Post Reply | Private Reply | To 7 | View Replies]

To: eccl1212
Sorry. Lost my head for a moment.
33 posted on 01/28/2004 4:34:54 PM PST by George W. Bush
[ Post Reply | Private Reply | To 32 | View Replies]

To: lelio
I know I have one. What it does and how to alter it, now that is another story. But, I could just run to google and find out.

But, if I get infected, which I shouldn't since I only use online mail making it harder for attachments to just open (though an e-mail list appears to be infected with this thing or something similar since I am getting like 30 e-mails a day from MEMBERS of the list screaming asking what is going on, which is not supposed to happen; I am only supposed to get a weekly newsletter). Also, I have multiple virus and trojan programs running.

I do not want what happened to my mom's computer happening to mine, especially since I am too lazy to ever back up any data.
34 posted on 01/28/2004 4:35:22 PM PST by rwfromkansas ("Men stumble over the truth, but most pick themselves up as if nothing had happened." Churchill)
[ Post Reply | Private Reply | To 5 | View Replies]

To: BigSkyFreeper
The best thing to do is what I did this morning; disable your modem. Sure, it's an inconvenience, but now I'm safe.
35 posted on 01/28/2004 4:35:26 PM PST by yooper (If you don't know where you're going, any road will take you there......)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Texaggie79
"...doc file simply runs a pif file ..."
- - -
Well, check and see if you now have this file

shimgapi.dll

hiding in your system32 directory!

Here's Norton's Advice
36 posted on 01/28/2004 4:36:50 PM PST by DefCon
[ Post Reply | Private Reply | To 10 | View Replies]

To: wimpycat
Hah! Yeah, it seemed like I was always one OS behind everyone else in the world. I was using Windows 3.11 til about 2 years after Windows 95 came out. I finally upgraded about a year before Windows 98 came out. I upgraded to Windows 98 by buying a new computer (PIII 500), which I still use. Bought Win2K Pro for the PIII 500 and invested in a new laptop with Windows XP Pro on it. As of today, those are the two operating systems and PC's that I use.
37 posted on 01/28/2004 4:38:01 PM PST by BigSkyFreeper (All Our Base Are Belong To Dubya)
[ Post Reply | Private Reply | To 30 | View Replies]

To: BigSkyFreeper
Dangerous?

Explosives are Dangerous...
Terrorists are Dangerous...
Driving under the influence is Dangerous..

Viruses are just annoying and disruptive.

I dunno about Dangerous.


38 posted on 01/28/2004 4:38:49 PM PST by Smogger
[ Post Reply | Private Reply | To 1 | View Replies]

To: New Horizon
What really honks me off is people that administer antivirus servers that have them send out a message saying something to the effect of: You sent a virus to us and you need to clean your PC and blah, blah, blah!
This is worthless because 9 out of 10 viruses (including Mydoom) spoof both the TO and the FROM addresses. This just adds to the problem.
39 posted on 01/28/2004 4:39:55 PM PST by Jaxter ("Vivit Post Funera Virtus")
[ Post Reply | Private Reply | To 2 | View Replies]

To: BigSkyFreeper
What program did you use?

I ended up having to just stop and go nuts not too long ago running multiple online virus scans (since I think they are less likely to be tricked by viruses like they like to do to regular scanners), my Norton, Adaware, and Swat-it. It is running like new. I found several pretty harmless worms that only try to change your home page. I will have to run spybot again to search for spy programs. I don't really have a firewall though, only the XP firewall. I think the college probably has its own firewall anyway.
40 posted on 01/28/2004 4:41:58 PM PST by rwfromkansas ("Men stumble over the truth, but most pick themselves up as if nothing had happened." Churchill)
[ Post Reply | Private Reply | To 16 | View Replies]

