Mailing List
Home
Linux - General Red Hat Linux discussion list
Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)
Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)
Installation - Getting started with Red Hat Linux
Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)
Red Hat Linux 8.0 - Discussion of Red Hat Linux 8.0 (Psyche)
Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)
Red Hat Linux 7.1 - Discussion of Red Hat Linux 7.1 (Seawolf)
Apache Web Server
Oracle database, Microsoft SQL server ...
Subjects
application/x mplayer2 plugin
RPM error: db4 error(16) from dbenv >remove: Device or resource
   busy
Command stream end of file while reading
X Windows problem (xauth)
Upgrading openoffice 1 1 rpm
FTP: connection refused
FTP: connection refused
mount: /dev/cdrom: is not a valid block device
Dell Precision 650, RedHat 9, no sound
how to trace the cause resulting in the crash of bind server
Virus on the list
UNINSTALL RPM MYSQL
usb pen drives: mounting as a user
broadcom network interface
make mrproper
sendmail configuration on redhat
Couldn 't open PID file /var/run/named/named pid Permission denied
Promise 378 controller
kernel 2 6 and /dev/sound/mixer not found
Problem using up2date
mrtg step by step howto/configuration for a newbie?
Compiling and Installing Kernel 2 6
Can 't locate module ppp0, can 't locate module ppp compress 21
HOW I CAN MAKE BOOTABLE FLOPPY DISKET
Lotus Notes under Wine
/etc/security/limits conf question
Intel E/1000 driver
Command stream end of file while reading
rpm database corrupt
qla2300 modules
 
Search:  
Power your search with and, or, +, -, or "some phrase" operators.
MYDOOM WORM SYMPTOMS & REMOVAL INSTRUCTIONS

MYDOOM WORM SYMPTOMS & REMOVAL INSTRUCTIONS

2004-01-30       - By SR Khaleeq

 Back

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:

contains its own SMTP engine to construct outgoing messages
contains a backdoor component (see below)
contains a Denial of Service payload

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Subject: (Varies, such as)

Error ,Status ,Server Report ,Mail Transaction Failed ,Mail Delivery System ,hello ,hi

Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

examples (common names, but can be random) ,doc.bat ,document.zip ,message.zip ,readme.zip ,text.pif
hello.cmd ,body.scr ,test.htm.pif ,data.txt.exe ,file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif

Symptoms
Upon executing the virus, Notepad is opened, filled with nonsense characters.
Existence of the files and registry entry listed above

Method Of Infection
This worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab ,adb ,tbb ,dbx ,asp ,php ,sht ,htm ,txt ,pl

The worm avoids certain address, those using the following strings:

.gov ,mil ,abuse ,acketst ,arin. ,avp ,berkeley ,borlan ,bsd
example ,fido ,foo. ,fsf. ,gnu ,google ,gov. ,hotmail ,iana ibm.com
icrosof ,ietf ,inpris ,isc.o ,isi.e ,kernel ,linux ,math ,mit.e ,mozilla
msn. ,mydomai ,nodomai ,panda ,pgp ,,rfc-ed ,ripe. ,ruslis ,secur
sendmail ,sopho ,syma ,tanford.e ,unix ,usenet ,utgers.ed

Removal Instructions:

If you think that you may be infected with Mydoom, and are unsure how to check your system, you may http://vil.nai.com/vil/stinger to scan your system and remove the virus if present
Details can be viewed at http://vil.nai.com/vil/content/v_100983.htm


Regards,

Shoaib Rehman Khaleeq

Systems Consultant
Ants Consulting Pakistan
shoaib.rehman@(protected)
+92-300-2202802

-- ---- ---- ---- ---- ---- -----
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
<DIV >
<TABLE border=0 cellPadding=3 cellSpacing=1 width= "100% " >
<TBODY >
<TR align=left vAlign=top >
<TD class=tableHeaderBackground > </TD > </TR >
<TR align=left vAlign=top >
<TD class=tableDataBackground > <FONT face= "Arial, Helvetica, sans-serif " size=2 >
<P >This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics: </P >
<UL >
<LI >contains its own SMTP engine to construct outgoing messages
<LI >contains a backdoor component (see below)
<LI >contains a Denial of Service payload </LI > </UL >
<P >The virus arrives in an email message as follows: </P >
<P > <STRONG >From: </STRONG >(Spoofed email sender) <BR > <BR > <STRONG >Subject: </STRONG >(Varies, such as) </P >
<UL >
<LI >Error ,Status ,Server Report ,Mail Transaction Failed ,Mail Delivery System ,hello ,hi </LI > </UL >
<P > <STRONG >Body:  </STRONG > (Varies, such as)  </P >
<UL >
<LI >The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
<LI >The message contains Unicode characters and has been sent as a binary attachment.
<LI >Mail transaction failed. Partial message is available. </LI > </UL >
<P > <STRONG >Attachment: </STRONG >(varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes) </P >
<UL >
<LI > <EM >examples (common names, but can be random) </EM > ,doc.bat ,document.zip ,message.zip ,readme.zip ,text.pif
<LI >hello.cmd ,body.scr ,test.htm.pif ,data.txt.exe ,file.scr </LI > </UL >
<P >In the case of two file extensions, multiple spaces may be inserted as well, for example: </P >
<UL >
<LI >document.htm  (many spaces)  .pif </LI > </UL > </FONT > </TD > </TR > </TBODY > </TABLE > </DIV >
<TABLE border=0 cellPadding=3 cellSpacing=1 width= "100% " >
<TBODY >
<TR align=left vAlign=top >
<TD class=tableHeaderBackground > <FONT face= "Arial, Helvetica, sans-serif " size=2 > <B > <A name=Symptoms > </A >Symptoms </A > </B > </FONT > </TD > </TR >
<TR align=left vAlign=top >
<TD class=tableDataBackground > <FONT face= "Arial, Helvetica, sans-serif " size=2 >
<UL >
<LI >Upon executing the virus, Notepad is opened, filled with nonsense characters. </LI >
<LI >Existence of the files and registry entry listed above </LI > </UL >
<P >
<TABLE border=0 cellPadding=3 cellSpacing=1 width= "100% " >
<TBODY >
<TR align=left vAlign=top >
<TD class=tableHeaderBackground > <FONT face= "Arial, Helvetica, sans-serif " size=2 > <B > <A name=MethodOfInfection > </A >Method Of Infection </A > </B > </FONT > </TD > </TR >
<TR align=left vAlign=top >
<TD class=tableDataBackground > <FONT face= "Arial, Helvetica, sans-serif " size=2 >
<P >This worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present. </P >
<P >The mailing component harvests address from the local system.  Files with the following extensions are targeted: </P >
<UL >
<LI >wab ,adb ,tbb ,dbx ,asp ,php ,sht ,htm ,txt ,pl </LI > </UL >
<P >The worm avoids certain address, those using the following strings: </P >
<UL >
<LI >.gov ,mil ,abuse ,acketst ,arin. ,avp ,berkeley ,borlan ,bsd
<LI >example ,fido ,foo. ,fsf. ,gnu ,google ,gov. ,hotmail ,iana ibm.com
<LI >icrosof ,ietf ,inpris ,isc.o ,isi.e ,kernel ,linux ,math ,mit.e ,mozilla
<LI >msn. ,mydomai ,nodomai ,panda ,pgp ,,rfc-ed ,ripe. ,ruslis ,secur
<LI >sendmail ,sopho ,syma ,tanford.e ,unix ,usenet ,utgers.ed </LI > </UL >
<P > <STRONG >Removal Instructions: </STRONG > </P > </FONT > </TD > </TR > </TBODY > </TABLE > </P > </FONT > <FONT face=Arial size=2 >If you think that you may be infected with Mydoom, and are unsure how to check your system, you may <A href= " http://vil.nai.com/vil/stinger " > http://vil.nai.com/vil/stinger </A >  </FONT > <FONT face=Arial size=2 >to scan your system and remove the virus if present </FONT > </TD > </TR > </TBODY > </TABLE >
<P >Details can be viewed at <A href= " http://vil.nai.com/vil/content/v_100983.htm " > http://vil.nai.com/vil/content/v_100983.htm </A > </P > <BR > <BR >Regards, <br > <br >Shoaib Rehman Khaleeq <br > <br >Systems Consultant <br >Ants Consulting Pakistan <br >shoaib.rehman@(protected) <br >+92-300-2202802 <p > <hr SIZE=1 >
Do you Yahoo!? <br >
Yahoo! SiteBuilder - Free web site building tool. <a href= " http://us.rd.yahoo.com/evt=21608/ * http://webhosting.yahoo.com/ps/sb/ " > <b >Try it! </b > </a >