poindexter, who? photography, LOMO, networking & retro technology.


Posted
29 January 2004 @ 11am

Tagged
technology

MyDOOM

Lots of misinformation is floating on the net regarding this new worm - I’ve already got 40-50 copies of it stopped by my Procmail Sanitizer script. ETrust EZ Armor came out with a signature update the day of the release, covering my desktops.

What I’ve heard so far:

  • The virus opens up 63 threads and tries to DoS SCO’s website.
  • The virus was obviously written by professional spammers, and it turns infected PCs into SPAM senders.
  • The virus was obviously written by open source zealots and freedom-loving Linux freaks.
  • The virus will re-write your BIOS with code that continues to send the virus out even after your PC hard drive has been cleaned.
  • I’ve heard that the SCO bit is a red herring, and that the virus only pings the SCO site to check for an internet connection.

Here’s information I found on the Full Disclosure mailing list, a great list for security information, rumors, gossip and hard facts.

When I disassembled the virus I found new information that hasn’t come up anywhere else so far.

Here is the information that is believed…

1. use restricted usernames to send email to and from
2. encode strings with ROT13 method
3. create a mutex called ‘SwebSipcSmtxSO’ when run
4. transform into taskmon.exe and
   4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] “TaskMon” = %sysdir%\taskmon.exe
   4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] “TaskMon” = %sysdir%\taskmon.exe
5. add %sysdir%\shimgapi.dll
   open ports 3127/tcp - 3198/tcp
6. stops spreading February 12
7. spreads through KaZaA and Electronic Mail System
8. and more very technical facts I will not describe here

What I found…

Even if the virus (Mydoom) is programmed in assembler and compiled using masm, it is made to look like it has been programmed in C++ when disassembling. It is a fact that much more information is hidden and undiscovered to this date, such as the fact that it will stop spreading on February 12, which is not true. Mydoom will pass into a new phase on February 12 and it will be very much more serious, as it will be updated and will mutate into Mydoom.C. The backdoor (shimgapi.dll) opens a port, but this is used to obscure the real intention of Mydoom.B as well as Outlook Express.

It was also unknown that the virus infects the BIOS of the computer it infects by injecting a 624-byte backdoor written in FORTH, which will open a tcp port when Mydoom is executed AFTER February 12.

It is a conclusion that the viral professionals that published diagnoses of the Mydoom.A virus are trying to hide something or are very incompetent.

Also there is no way to fix the virus that is injected in the BIOS after it has been infected, except by flashing it AFTER disinfecting the workstation that was infected.
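For anyone who has to check a desktop against the host artifacts listed in that mail (the TaskMon Run entries, the dropped shimgapi.dll/taskmon.exe, and a listener in the 3127-3198 range), here is a small triage helper. It is an added example, not code from this post or from the Full Disclosure mail; the registry, directory and netstat inputs are constructed sample data, and the regex assumes "netstat -an" style output.

```python
import re

# Host artifacts quoted in the Full Disclosure mail above; sample data below is constructed.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE = "TaskMon"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORTS = range(3127, 3199)  # 3127/tcp - 3198/tcp, inclusive
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def check_run_keys(run_entries):
    """run_entries maps (key, value_name) -> data. Return the Mydoom-style Run entries."""
    hits = []
    for (key, name), data in run_entries.items():
        if key in RUN_KEYS and name.lower() == RUN_VALUE.lower() \
                and data.lower().endswith("taskmon.exe"):
            hits.append((key, name))
    return hits

def check_sysdir(file_names):
    """Return dropped-file names present in a %sysdir% listing. A legitimate taskmon.exe
    shipped with Windows 9x, so that name alone is weak; shimgapi.dll plus a Run hit is stronger."""
    return sorted(f for f in file_names if f.lower() in DROPPED_FILES)

def check_listening_ports(netstat_lines):
    """Parse 'netstat -an' style lines; return LISTENING ports inside the backdoor range."""
    ports = set()
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.add(int(m.group(1)))
    return sorted(ports)

# Constructed sample host data (not real captures).
SAMPLE_RUN = {
    (RUN_KEYS[0], "TaskMon"): r"C:\WINDOWS\system32\taskmon.exe",
    (RUN_KEYS[1], "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = ["kernel32.dll", "shimgapi.dll", "taskmon.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135       0.0.0.0:0      LISTENING",
    "  TCP    0.0.0.0:3127      0.0.0.0:0      LISTENING",
    "  TCP    192.168.1.5:3128  10.0.0.1:80    ESTABLISHED",
]

if __name__ == "__main__":
    print(check_run_keys(SAMPLE_RUN), check_sysdir(SAMPLE_FILES), check_listening_ports(SAMPLE_NETSTAT))
```

Any non-empty result is a reason to pull the box off the network and look closer; the established connection on 3128 is deliberately ignored because only listeners indicate the backdoor.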

This virus has brought up a couple of shortcomings in the anti-virus infrastructure. Even though the virus forges the From: address, several anti-virus products still send a notification email to that (forged) From: address. Attrition.org has a great rant comparing some of the emails. Some include so little information as to be useless; others include marketing information, turning a well-intentioned virus advisory into anti-virus product SPAM.

So, be careful out there - and don’t open any attachments you weren’t expecting. Or use Linux, FreeBSD, Mac, or any other alternative operating systems out there. :)
