[ISN] MyDoom.B Rapidly Spreading

From: William Knowles (wk@private)
Date: Fri Jan 30 2004 - 05:48:43 PST


Forwarded from: Tcat Houser <Tcat@private>

http://www.emergencyemail.org/cyber1.asp

This information obtained from... 
The U. S. Department of Homeland Security 
US Computer Emergency Readiness Team 

MyDoom.B Rapidly Spreading

Mydoom.B is a new variant of the Mydoom worm and is about 29,184 
bytes. This variant attempts to perform a Distributed Denial of 
Service (DDoS) attack against Microsoft.com. Details regarding this 
new worm are still emerging, but it has been validated as spreading in 
the wild. Facts about the worm will be further qualified with follow 
up reports following this initial analysis.

Once activated, this virus will overwrite the HOSTS file located at 
%WINDIR%\system32\drivers\etc\hosts. 

At least one version of this worm has been observed to write the 
following data to this file:

127.0.0.1       localhost localhost.localdomain local lo
0.0.0.0         0.0.0.0
0.0.0.0         engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0         spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0         media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0         ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0         ftp.f-secure.com securityresponse.symantec.com
0.0.0.0         www.symantec.com symantec.com service1.symantec.com
0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0         support.microsoft.com downloads.microsoft.com
0.0.0.0         download.microsoft.com windowsupdate.microsoft.com
0.0.0.0         office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0         nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0         networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0         www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0         avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0         download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0         www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0         my-etrust.com ar.atwola.com phx.corporate-ir.net

This will have the effect of making these sites unreachable for any 
application that uses domain names, including most anti-virus update 
programs, electronic mail, HTTP, and FTP.
 
[...]
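
A defender can check a HOSTS file for the kind of tampering described above. The following is an added example, not part of the original advisory or post: it flags any anti-virus or update domain pinned in a hosts file, whether null-routed as in the sample above or pointed at another address. The watchlist, the sample file and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed watchlist: domains of AV/update vendors named in the advisory's sample.
WATCHED = {"microsoft.com", "symantec.com", "mcafee.com", "sophos.com",
           "f-secure.com", "nai.com", "trendmicro.com", "ca.com"}

# Constructed sample hosts file, modelled on lines quoted in the advisory.
SAMPLE = """\
# sample
127.0.0.1       localhost localhost.localdomain local lo
0.0.0.0         0.0.0.0
0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com
0.0.0.0         download.microsoft.com windowsupdate.microsoft.com  # comment
10.1.2.3        intranet.example.test
192.0.2.10      liveupdate.symantec.com
not-an-ip       mcafee.com
"""

def is_null_route(addr):
    """True for addresses that make a name unreachable: unspecified or loopback."""
    return addr.is_unspecified or addr.is_loopback

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, hostname, reason) for each watched name in a hosts file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            # Match the domain itself or a true subdomain, not a look-alike suffix.
            if any(host == d or host.endswith("." + d) for d in watched):
                reason = "null-routed" if is_null_route(addr) else "pinned"
                findings.append((line_no, str(addr), host, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

On a Windows host the text to audit would be read from the path given in the advisory, %WINDIR%\system32\drivers\etc\hosts.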



