Wednesday, October 20, 2021

MyDoom’s One-Two Punch Lacks Wallop

With the latest MyDoom variant largely under control, the second wave of the virus author’s attack is losing steam, according to security analysts.

It seems that what was meant to be a digital one-two punch is lacking the necessary wallop.

“Companies pretty much have MyDoom under control and that took the steam out of Zindos,” says Steve Sundermeier, a vice president with Medina, Ohio-based Central Command. “If this latest version of MyDoom had been more successful, it would have been a completely different story.”

MyDoom, which caused considerable disruption when it was originally released into the wild this past January, reappeared earlier this week in the form of a new variant. The variant, named by different anti-virus vendors as either MyDoom-M, MyDoom-N or MyDoom-O, was first detected in the United Kingdom on Monday and quickly started to spread.

Analysts at MessageLabs, Inc., a managed email security company based in New York, report that in the first 24 hours they intercepted 599,641 copies of the virus. But that pales in comparison to the original, MyDoom-A, which released more than 5 million copies into the wild in its first 24 hours.

What makes the latest MyDoom variant interesting is the new twist in how it propagates. The worm contains links to several different search engines and runs ‘get requests’ on them to harvest email addresses. Security analysts say some search engine sites, such as Google, reportedly experienced slowdowns and possibly even intermittent interruptions.

The worm also carries a Trojan component that opens TCP port 1034 on the infected machine. And that open port ushers in what analysts say was surely a planned second wave of the attack.

On Tuesday, analysts at iDefense, a security intelligence company based in Reston, Va., reported finding Zindos-A in the wild. The malware scans randomized IP addresses for hosts with TCP port 1034 open, the port that the new MyDoom variant opens. Once it finds that open port, Zindos-A uploads a copy of itself, which is then executed by a mechanism inside the new MyDoom variant. After creating a .exe file on the infected computer and modifying the Windows registry, Zindos-A launches a denial-of-service attack against the Microsoft.com Web site.
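The two-stage chain described above leaves a recognisable pattern in perimeter logs: one external source probing many internal hosts on TCP/1034, followed by an internal host that accepted such a connection opening a burst of connections to microsoft.com. The following is an added example, not code from the article or from any vendor named in it; the log format (timestamp, source, destination, destination port, action) and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Flag the MyDoom-O backdoor / Zindos-A chain in constructed firewall logs."""
from collections import Counter, defaultdict

# Constructed sample log lines (not real telemetry):
# <time> <src> <dst> <dst_port> <action>
LOG = """\
10:00:01 198.51.100.7 10.0.0.5 1034 ALLOW
10:00:02 198.51.100.7 10.0.0.9 1034 DENY
10:00:03 198.51.100.7 10.0.0.12 1034 DENY
10:00:04 198.51.100.7 10.0.0.21 1034 DENY
10:00:05 10.0.0.5 microsoft.com 80 ALLOW
10:00:05 10.0.0.5 microsoft.com 80 ALLOW
10:00:05 10.0.0.5 microsoft.com 80 ALLOW
10:00:06 10.0.0.5 microsoft.com 80 ALLOW
10:00:07 10.0.0.8 microsoft.com 80 ALLOW
"""

BACKDOOR_PORT = 1034          # port opened by the MyDoom variant (from the article)
DOS_TARGET = "microsoft.com"  # Zindos-A denial-of-service target (from the article)
SCAN_THRESHOLD = 3            # assumed: distinct hosts probed before we call it a scan
DOS_THRESHOLD = 3             # assumed: connections to the target before we call it a flood


def parse(lines):
    """Yield (time, src, dst, dport, action) tuples from the constructed log format."""
    for line in lines.splitlines():
        ts, src, dst, dport, action = line.split()
        yield ts, src, dst, int(dport), action


def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Sources that probed at least `threshold` distinct hosts on TCP/1034 (Zindos-A scanning)."""
    targets = defaultdict(set)
    for _, src, dst, dport, _ in parse(lines):
        if dport == BACKDOOR_PORT:
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)


def find_infected(lines, threshold=DOS_THRESHOLD):
    """Hosts that accepted an inbound TCP/1034 connection (backdoor reachable) and
    afterwards made at least `threshold` connections to the DoS target."""
    backdoor_hit = set()
    dos_hits = Counter()
    for _, src, dst, dport, action in parse(lines):
        if dport == BACKDOOR_PORT and action == "ALLOW":
            backdoor_hit.add(dst)
        elif dst == DOS_TARGET and src in backdoor_hit:
            dos_hits[src] += 1
    return sorted(host for host, n in dos_hits.items() if n >= threshold)
```

Note that 10.0.0.8 is not reported: it contacted microsoft.com without any prior inbound TCP/1034 connection, so the second stage requires both halves of the chain before flagging a host.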

But Ken Dunham, director of malicious code for iDefense, notes that with the MyDoom threat being buttoned up, there isn’t much opportunity for Zindos-A to take hold.

“There was a rapid response from anti-virus companies… and the sheer number of MyDoom infections has dropped dramatically over the last 24 hours,” says Dunham. “Corporations removed the MyDoom threat and that cuts off the potential for Zindos to have a big effect. Without the MyDoom infection, Zindos has nothing to infect.”

But Dunham says analysts are still on alert for the multi-layered attack to potentially continue.

“It’s all part of a planned attack, and we’re not sure the attack is over,” he adds. “We’re definitely on alert status, recognizing the potential for additional code to be launched.”
