Symantec has further analysed the Mydoom.M threat
Wed, 28 July 2004
Symantec has further analysed the Mydoom.M threat and has discovered some previously undocumented functionality. This functionality includes a mechanism that is used to maintain a list of all known infected systems, and permits the worm's author to upload updated binaries while prohibiting others from rapidly taking over the infected systems. This mechanism permits the author to rapidly and automatically update all Mydoom.M-infected systems with new arbitrary malicious code with little risk of its network being hijacked by rival worm authors.
Symantec security experts have also re-examined W32.Mydoom.L@mm and found that it, too, contains a system designed to maintain a list of all known infected systems and to permit its author to upload updated executables, while making it difficult for others to take over the infected network.
"Due to the recent release and widespread infection rate of the Mydoom.M worm, we believed that computers infected with Mydoom.L may have been used as a form of peer-to-peer seed network, explaining why Mydoom.M became a high-profile worm so rapidly," said Alfred Huger, senior director, Symantec Security Response. "This process would simply require the author to upload Mydoom.M to one infected host and have it read the stored IP list and upload itself to other systems."
The Symantec Security Response team is currently investigating the functionality available within these worms. Symantec experts believe that the malicious code writer is using these threats to inject other new malicious code into the wild. One such piece of malicious code is W32.Zindos.A.
This new threat, discovered by Symantec Security Response this morning, exploits the backdoor left by Mydoom.M. The new worm, created by the Mydoom virus writer, attempts to perform a DoS attack against the domain Microsoft.com. W32.Zindos.A was discovered this morning and has been rated as a Category 2 threat. For detailed information on this latest threat, visit http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html.
Symantec experts believe that the author of these threats is using W32.Zindos.A to update the Mydoom variants. Through Symantec's DeepSight early warning solutions, which include a network of 20,000 sensors monitoring IDS and firewall activity around the globe, Symantec has detected a spike in activity, three standard deviations from normal, targeting TCP ports 1034 and 1042, which are associated with W32.Mydoom.M@mm and W32.Mydoom.L@mm respectively.
Symantec Security Response recommends that users update their AV definitions, block access to TCP ports 1034 and 1042 on all systems, and deploy attachment filters on all e-mail gateway systems. Additionally, do not open or execute files from unknown sources. Using a firewall or IDS may block or detect backdoor server communications with the remote client application.
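As an added example (not from Symantec's advisory or its DeepSight tooling), a small Python detector in the spirit of the observation above: it buckets firewall-denied connection attempts to TCP ports 1034 and 1042 by hour and flags any hour more than three standard deviations above a quiet baseline. The firewall log format, the IP addresses and the sample lines are all constructed for this example.

```python
import re
import statistics
from collections import Counter

# Backdoor ports named in the advisory and the variant each is associated with.
BACKDOOR_PORTS = {1034: "W32.Mydoom.M@mm", 1042: "W32.Mydoom.L@mm"}

# Hypothetical firewall log format (constructed for this example):
#   2004-07-28 09:13:07 DENY TCP 198.51.100.7 -> 192.0.2.10 dport=1034
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} \S+ TCP \S+ -> \S+ dport=(?P<dport>\d+)$"
)

def hourly_counts(lines):
    """Per backdoor port, count denied connection attempts in each hour bucket."""
    counts = {port: Counter() for port in BACKDOOR_PORTS}
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m["dport"]) in counts:
            counts[int(m["dport"])][m["hour"]] += 1
    return counts

def flag_spikes(counts, baseline_hours, sigmas=3.0):
    """Return (port, variant, hour, count) for hours above mean + sigmas*stdev of the baseline."""
    alerts = []
    for port, per_hour in counts.items():
        baseline = [per_hour.get(h, 0) for h in baseline_hours]
        mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
        for hour, n in sorted(per_hour.items()):
            if hour not in baseline_hours and n > mean + sigmas * sd:
                alerts.append((port, BACKDOOR_PORTS[port], hour, n))
    return alerts

def build_sample_log():
    """Constructed sample: quiet baseline traffic 09:00-13:59, then a burst to port 1034 at 14:00."""
    lines = []
    for h, n in {9: 2, 10: 3, 11: 2, 12: 3, 13: 2}.items():
        for i in range(n):
            lines.append(f"2004-07-28 {h:02d}:{i:02d}:00 DENY TCP 198.51.100.{i + 1} -> 192.0.2.10 dport=1034")
        lines.append(f"2004-07-28 {h:02d}:30:00 DENY TCP 203.0.113.5 -> 192.0.2.10 dport=1042")
    for i in range(40):
        lines.append(f"2004-07-28 14:{i:02d}:00 DENY TCP 198.51.100.{i + 1} -> 192.0.2.10 dport=1034")
    lines.append("2004-07-28 14:05:00 DENY TCP 203.0.113.9 -> 192.0.2.10 dport=80")  # unrelated port, ignored
    return lines

if __name__ == "__main__":
    counts = hourly_counts(build_sample_log())
    baseline = [f"2004-07-28 {h:02d}" for h in range(9, 14)]
    for port, name, hour, n in flag_spikes(counts, baseline):
        print(f"ALERT {hour}:00  {n} attempts to TCP/{port} ({name})")
```

Blocking the two ports at the perimeter, as the advisory recommends, does not stop the alerting: the denied attempts still appear in the firewall log, which is what this detector reads.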