
Symantec has further analysed the Mydoom.M threat

Wed, 28 July 2004

Symantec has further analysed the Mydoom.M threat and has discovered some previously undocumented functionality. This functionality includes a mechanism that is used to maintain a list of all known infected systems, and permits the worm's author to upload updated binaries while prohibiting others from rapidly taking over the infected systems. This mechanism permits the author to rapidly and automatically update all Mydoom.M-infected systems with new arbitrary malicious code with little risk of its network being hijacked by rival worm authors.

Symantec security experts have also re-examined W32.Mydoom.L@mm and found that it too contains a system designed to maintain a list of all known infected systems and to permit its author to upload updated executables, while making it difficult for others to take over the infected network.

"Due to the recent release and widespread infection rate of the Mydoom.M worm, we believed that computers infected with Mydoom.L may have been used as a form of peer-to-peer seed network, explaining why Mydoom.M became a high-profile worm so rapidly," said Alfred Huger, senior director, Symantec Security Response. "This process would simply require the author to upload Mydoom.M to one infected host and have it read the stored IP list and upload itself to other systems."

The Symantec Security Response team is currently investigating the functionality available within these worms. Symantec experts believe that the malicious code writer is using these threats to inject other new malicious code into the wild. One such malicious code is W32.Zindos.A.

W32.Zindos.A, discovered by Symantec Security Response this morning, exploits the backdoor left by Mydoom.M. The new worm, created by the Mydoom virus writer, attempts to perform a DoS attack against the domain Microsoft.com and has been rated as a Category 2 threat. For detailed information on this latest threat, visit http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html.

Symantec experts believe that the author of these threats is using W32.Zindos.A to update the Mydoom variants. Through Symantec's DeepSight early warning solutions, which include a network of 20,000 sensors monitoring IDS and firewall activity around the globe, Symantec has detected a spike in activity (three standard deviations from normal) targeting TCP ports 1034 and 1042, which are associated with W32.Mydoom.M@mm and W32.Mydoom.L@mm respectively.

Symantec Security Response recommends that users update their AV definitions, block access to TCP ports 1034 and 1042 on all systems, and deploy attachment filters on all e-mail gateway systems. Additionally, do not open or execute files from unknown sources. A firewall or IDS may block or detect backdoor server communications with the remote client application.
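As an added defender-side illustration, not part of the Symantec release, the following Python sketches the kind of threshold check the release describes: it counts denied connections to TCP ports 1034 and 1042 in constructed firewall log lines and flags any hour that lies more than three standard deviations above a baseline. The log format, host addresses and hourly counts are assumptions made for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Backdoor ports named in the advisory and the worm each is associated with.
MYDOOM_PORTS = {1034: "W32.Mydoom.M@mm", 1042: "W32.Mydoom.L@mm"}

# Assumed firewall log format (constructed for this example):
# "<hour> DENY TCP <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(?P<hour>\d{2}) DENY TCP (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+)$")

# Constructed hourly counts: hours 00-05 form the baseline, hour 06 is observed.
CONSTRUCTED_COUNTS = {
    1034: [2, 1, 3, 2, 1, 3, 9],   # sudden jump on the Mydoom.M port
    1042: [1, 2, 1, 2, 1, 2, 2],   # Mydoom.L port stays within its norm
}

def build_sample_log():
    """Render the constructed counts into log lines, plus one unrelated line."""
    lines = []
    for port, counts in CONSTRUCTED_COUNTS.items():
        for hour, n in enumerate(counts):
            for i in range(n):
                lines.append(f"{hour:02d} DENY TCP 198.51.100.{i + 1} -> 192.0.2.10:{port}")
    lines.append("06 DENY TCP 198.51.100.9 -> 192.0.2.10:445")  # must be ignored
    return lines

def count_hits(lines):
    """Return {port: Counter(hour -> denied connections)} for the backdoor ports only."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) in MYDOOM_PORTS:
            hits[int(m["dport"])][m["hour"]] += 1
    return hits

def detect(lines, baseline_hours=("00", "01", "02", "03", "04", "05"), sigma=3.0):
    """Flag (hour, port, worm, count) where count > baseline mean + sigma * stdev."""
    alerts = []
    for port, per_hour in sorted(count_hits(lines).items()):
        base = [per_hour.get(h, 0) for h in baseline_hours]
        threshold = statistics.mean(base) + sigma * statistics.pstdev(base)
        for hour, n in sorted(per_hour.items()):
            if hour not in baseline_hours and n > threshold:
                alerts.append((hour, port, MYDOOM_PORTS[port], n))
    return alerts

if __name__ == "__main__":
    for hour, port, worm, n in detect(build_sample_log()):
        print(f"hour {hour}: {n} denied connections to TCP/{port} ({worm})")
```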

ENDS


© Scoop Media
