Bugtraq mailing list archives
Re: New MiMail variant is DDoS'ing SCO.com
From: Bob Toxen <bob () verysecurelinux com>
Date: Tue, 27 Jan 2004 19:38:36 -0500
I had no problem downloading CA's cleansing tool a short time ago. My hat is off to CA for producing this tool and making it available for free.

Regarding the SCO DDoS, it's so sad when a thief (of services) decides to attack a blackmailer, in my opinion.

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs, Network Monitoring, and Network Security consulting"
bob () verysecurelinux com (e-mail)

My recent talks on Linux security include:
at IBM's Linux Competency Center in New York City on Mar. 06 last year
at the Atlanta SecureWorld Expo in Atlanta on May 22 last year
at the Enterprise Linux Forum in Silicon Valley on June 04 last year
at Computer Associates' Atlanta Linux Security Summit on Sep. 16 last year
at Southeast Cybercrime Summit in Atlanta on Mar. 2-5 2004
at the FBI's Atlanta headquarters on Mar. 10 2004

Author, "Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562
Also available in Japanese, Chinese, and Czech.

On Mon, Jan 26, 2004 at 04:03:30PM -0800, tlarholm () pivx com wrote:
MiMail.R, also known as W32/Mydoom@MM (McAfee), Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32.Mydoom.A (CA) and Win32/Shimg (CA), is a polymorphic variant that collects/spams/forges email addresses using its own SMTP engine, installs a backdoor (most likely for use by spammers) and engages in a DDoS attack against SCO.com by routinely sending 63 HTTP requests. It's sent as a ZIP attachment containing an executable file with the file extension masked by numerous spaces.

McAfee is calling this a High Outbreak worm, which definitely fits the bill according to the number of samples we are receiving.

Is the SCO.com DDoS an attempt at distraction from the fact that this virus installs a proxy backdoor?

CA used to have a removal tool at http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip but it's no longer available.

More information:
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation".
Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>
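The quoted message describes the attachment trick: a ZIP whose member is an executable whose real extension is pushed out of view by a long run of spaces. The following is an added example, not code from either poster or from any vendor write-up, showing how a mail gateway could flag such members by inspecting ZIP entry names alone (nothing is extracted). The space threshold of 8, the extension list, and the sample archive built inline are all assumptions made for this example.

```python
import io
import re
import zipfile

# Extensions Windows will run directly. The worm hid one of these behind
# whitespace so the visible part of the name looked like a document.
# (List is an assumption for this example, not taken from the advisories.)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}

# Suspicious shape: non-space, then 8+ whitespace characters, then non-space.
# The threshold of 8 is an arbitrary choice for this example.
PADDING_RE = re.compile(r"\S\s{8,}\S")


def masked_extension(name: str):
    """Return the real executable extension if `name` hides it behind
    whitespace padding, otherwise None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    _stem, dot, ext = base.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    # Padding sits between the fake extension and the real one, so search
    # the whole base name (the run of spaces ends at the final ".").
    if PADDING_RE.search(base):
        return real_ext
    return None


def suspicious_members(zip_bytes: bytes):
    """Scan an in-memory ZIP and return (member_name, real_extension) for every
    entry using the space-padding trick. Only names are read; no extraction."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = masked_extension(info.filename)
            if ext is not None:
                hits.append((info.filename, ext))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive for this example: one benign member and one
    member whose name pads 40 spaces between '.txt' and '.exe'. The payload
    bytes are dummy data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("document.txt" + " " * 40 + ".exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, ext in suspicious_members(build_sample_zip()):
        print(f"masked executable: {name!r} really ends in {ext}")
```

A production filter would pair this with a check on the member's leading bytes (the "MZ" header) rather than trusting the name at all, and would also reject archives whose entry count or sizes look wrong, but the name check alone catches the specific presentation trick described above.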
Current thread:
- New MiMail variant is DDoS'ing SCO.com tlarholm (Jan 27)
- Re: New MiMail variant is DDoS'ing SCO.com Bob Toxen (Jan 28)