W32.Mydoom.O - Alert 4 - Update


Giorgius
03-08-2004, 22.04.52
http://vil.nai.com/images/127173-a.jpg


Aliases:
W32/Mydoom.O.worm (Panda Software), W32/Mydoom.p@MM (McAfee), Win32.Mydoom.P (Computer Associates)

Effects
This new variant of W32/Mydoom is packed with ASPack.
The dropped SERVICES.EXE is the same binary W32/Mydoom.o@MM uses. Detection for this file has been included since the 4381 DATs (07/26/2004).
The behaviour is similar to W32/Mydoom.o@MM and bears the following characteristics:
mass-mailing worm constructing messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address
contains a peer to peer propagation routine
Mail Propagation
From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:
mailer-daemon@(target_domain)
noreply@(target_domain)
The following display names are used in this case:
"Automatic Email Delivery Software"
"Bounced mail"
"MAILER-DAEMON"
"Mail Administrator"
"Mail Delivery Subsystem"
"Post Office"
"Returned mail"
"The Post Office"
Subject:
The following subjects are used:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

Info:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127173
http://www.pandasoftware.es/virus_info/enciclopedia/verficha.aspx?lst=vis&idvirus=50320
http://alerta-antivirus.red.es/virus/detalle_virus.html?cod=4137
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39752
http://www.pspl.com/virus_info/worms/mydoomo.htm
http://www.f-secure.com/v-descs/mydoom_o.shtml


AntiVirus update as of 03/07/04 ;)(Y)
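The mail-propagation traits quoted above (bounce-style From: in the recipient's own domain, the fixed set of display names, the fixed subject list) can be turned into a mail-gateway triage check. This is an added example written for this thread, not code from McAfee or from any vendor named above; the sample messages are constructed and the function and constant names are assumptions.

```python
import email
from email.utils import parseaddr

# Indicators quoted from the McAfee description in the post above.
BOUNCE_LOCAL_PARTS = {"mailer-daemon", "noreply"}
BOUNCE_DISPLAY_NAMES = {
    "Automatic Email Delivery Software", "Bounced mail", "MAILER-DAEMON",
    "Mail Administrator", "Mail Delivery Subsystem", "Post Office",
    "Returned mail", "The Post Office",
}
WORM_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def mydoom_o_indicators(raw_message):
    """Return the Mydoom.O mail traits present in one raw RFC 822 message.
    A single hit (e.g. a genuine bounce, or a subject of "hi") is weak on its
    own; several hits together are what is worth alerting on."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    subject = (msg.get("Subject") or "").strip().lower()
    hits = []
    if from_addr.split("@")[0].lower() in BOUNCE_LOCAL_PARTS:
        hits.append("bounce-style From: local part")
        # The worm forges the bounce address in the recipient's own domain.
        if to_addr and domain_of(from_addr) == domain_of(to_addr):
            hits.append("From: domain equals recipient domain")
    if display_name in BOUNCE_DISPLAY_NAMES:
        hits.append("known fake display name")
    if subject in WORM_SUBJECTS:
        hits.append("subject from Mydoom.O list")
    return hits

# Constructed sample messages (not real captures).
FORGED_BOUNCE = (
    'From: "Mail Delivery Subsystem" <mailer-daemon@example.org>\r\n'
    "To: <alice@example.org>\r\n"
    "Subject: Returned mail: see transcript for details\r\n"
    "\r\nThe original message was included as attachment.\r\n"
)
NORMAL_MAIL = (
    "From: Bob <bob@example.net>\r\nTo: <alice@example.org>\r\n"
    "Subject: lunch tomorrow?\r\n\r\nSame place?\r\n"
)
```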

Giorgius
03-08-2004, 22.09.19
(ASCA) - Rome, 2 Aug - A virus identity file (IDE) providing protection is available on the Sophos website and will be included in the September 2004 version (3.85) of Sophos Anti-Virus. Sophos has received several reports of W32/MyDoom-O, a worm consisting of a 32-bit file, also known as Worm_Mydoom.m and I-Worm.Mydoom.m. More information on W32/MyDoom-O is available at: www.sophos.com/virusinfo/analyses/w32mydoomo.html. The IDE file can be downloaded from: www.sophos.com/downloads/ide/mydoom-o.ide. For information on how to use IDE files, click here: www.sophos.com/downloads/ide/using.html.

Giorgius
04-08-2004, 02.19.37
Another new version of MyDoom is worming its way through the Internet, and this variant—like the last one—uses Yahoo as part of its infection routine.

MyDoom.P is similar to most of the other MyDoom variants in that it arrives via e-mail, with a spoofed sending address and a subject line designed to make it look like the message is related to one that the recipient sent. Among the subject lines in the e-mails are "SN: New secure mail," "Secure delivery," "Re: Extended mail," "Delivery Status (Secure)," "Re: Server Reply" and "SN: Server Status"...

Read:
http://www.eweek.com/article2/0,1759,1630965,00.asp