By Security News Desk | July 28, 2004 12:00 AM EDT | Reads: 25,650
According to the Finnish anti-virus firm F-Secure, yesterday's MyDoom.O (or MyDoom.M) attacks on Google, Yahoo!, Altavista, and Lycos are part of a double whammy involving a new worm called Zindos. And the target of Zindos appears to be the Microsoft.com Web site.
"Zindos and Mydoom.M work together," F-Secure reports this morning. "Mydoom.M laid out the path by infecting a large number of systems and preparing a list of them. Zindos hitches a ride on the Mydoom highway. It uses the lists and the backdoors, prepared by Mydoom.M, to quickly spread and hit its target, which is www.microsoft.com."
Zindos first arrives through the MyDoom.M backdoor, F-Secure explains. When uploaded to the victim, the worm file is dropped to the TEMP folder with a random name. The file is added to the registry as either of
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Tray" = "%TEMP%\<random_name>.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Tray" = "%TEMP%\<random_name>.exe"
To propagate itself, Zindos then uses the list of compromised computers collected by the MyDoom.M backdoor. The worm goes through the list and uploads itself with the corresponding command through the backdoor.
The so-called "payload" of Zindos is a Distributed Denial-of-Service routine that downloads http://www.microsoft.com/ in an infinite loop with 50ms delays. The AP notes, however, that experts do not at present believe such a DDoS attack will "significantly" disrupt the Redmond giant's site performance.
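A defender's check for the persistence described above, as an added example that is not F-Secure's or the article's code: it parses `reg query` output for a Run key and reports values that start an executable sitting directly in a temp folder. The sample output, file names and function names are constructed for illustration; only the Run key and the `Tray` value name come from the article.

```python
import re

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# A file directly inside %TEMP%/%TMP% or inside a folder literally named Temp/Tmp.
TEMP_DIR = re.compile(r"(%te?mp%|\\te?mp)\\[^\\]+$", re.IGNORECASE)
EXECUTABLE = (".exe", ".com", ".scr", ".pif")


def command_path(data):
    """Return the program path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted: cut after the first executable extension so arguments are ignored.
    m = re.match(r"(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def suspicious_run_values(reg_query_output):
    """Return (key, name, path) for Run values that launch a program from a temp folder."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or m.group("type") not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        path = command_path(m.group("data"))
        if TEMP_DIR.search(path) and path.lower().endswith(EXECUTABLE):
            findings.append((key, m.group("name"), path))
    return findings


# Constructed sample of `reg query` output; none of these file names are real indicators.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Tray    REG_SZ    C:\DOCUME~1\alice\LOCALS~1\Temp\kqzvbx.exe
    Backup Agent    REG_SZ    "C:\Program Files\Backup Agent\agent.exe" /tray
    Updater    REG_EXPAND_SZ    %TEMP%\setup_helper.exe -silent
    Contemp    REG_SZ    C:\Program Files\Contemp\ctray.exe
"""

if __name__ == "__main__":
    for key, name, path in suspicious_run_values(SAMPLE):
        print(f"{key} :: {name} -> {path}")
```

The check keys on where the autostart target lives rather than on the value name, so it also reports entries not called `Tray`; legitimate installers occasionally register temp-folder helpers, so treat hits as leads to review.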
chrojin 07/28/04 07:50:07 AM EDT
well... how about this take? if you don't like microsoft, then simply help the worm spread. knowingly disable protection and then install on as many machines as possible. you can even get the people that trust your email address, further easily spreading it. if you know exactly what the worm does, and don't mind a little bandwidth being used - knowing you can clean the system (if it is yours) - is that still considered illegal?
vandan 07/28/04 07:05:47 AM EDT
I really am sick of viruses. Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation. If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole freakin' lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame. ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean. Once a few viruses start doing this, people will get the hint and keep their systems secure.
hdparm 07/28/04 07:04:53 AM EDT
Whoever tries to muck around other people's computers should be prosecuted and punished
ubf6RT 07/28/04 05:38:37 AM EDT
since it is known as both MyDoom.M and MyDoom.O, and since Microsoft appears to be one target (M)...can we expect the next target to be Oracle (O) - Or is it just coincidence?