Mydoom worm

Dag33k

Aloha-
My neighbor opened an attachment on his email and of course it was Mydoom@MM. His anti-virus software picked it up and quarantined it. Just to let you know what I did: I d/l the latest Stinger (McAfee AVERT) and scanned his computer and the rest of the network computers he has. They came up clean. Are there other steps he should take? Any help would be appreciated.
dag33k:(
 
This seems like a non-issue. The AV caught it and quarantined it, so there is nothing else to be done.
 
Originally posted by Dag33k
Are there other steps he should take?
I would very sternly inform him that when the next worm/virus/trojan/whatever comes out and carries a destructive payload, he will lose data if he pulls that stupid shit again.

How many times do we tell these people not to open attachments from unknown sources? And they still do it.
 
especially when it's called document.doc.exe rofl
 
Thanks everyone for your comments. I told him the next time he pulls something like this he will get a bill from me and the [H]. haha Now one last question: I have been told that this worm will leave behind a Trojan. Should this be a concern? If so, how can I help him check for it?
dag33k
 
Originally posted by ambit
I would very sternly inform him that when the next worm/virus/trojan/whatever comes out and carries a destructive payload, he will lose data if he pulls that stupid shit again.
And if that doesn't work, I'd break out the bat.

"This is going to hurt you a LOT more than it's going to hurt me"
 
http://www.f-secure.com/v-descs/novarg.shtml

all about MyDoom

it does indeed drop in a trojan

The backdoor component of Mydoom.A is dropped to the System Directory with the filename 'shimgapi.dll'. The file is added to the registry as:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

This registry value makes Explorer load the DLL as an extension, so it is not visible as a separate process in Task Manager.

The backdoor listens on the first available TCP port between 3127 and 3198. By connecting to that port, a remote attacker can

- use the infected computer as a TCP proxy

- upload and execute arbitrary executables to the infected computer


There's a diagnosis + disinfection tool on that site
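To turn the two indicators in the F-Secure description above (the hijacked CLSID's InprocServer32 value naming shimgapi.dll, and a TCP listener somewhere in 3127-3198) into something you can actually check on a box, here is an added example that is not part of the original post or of F-Secure's tool. It runs offline over constructed sample data: the netstat output mimics the `netstat -ano` column layout (Proto, Local Address, Foreign Address, State, PID), which is an assumption, and the .reg export is a constructed file whose DLL path prefix is also assumed. On a real machine you would feed it the output of `netstat -ano` and of `reg export "HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" out.reg` instead.

```python
import re

# Indicators taken from the F-Secure Mydoom.A description quoted above.
MYDOOM_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
BACKDOOR_DLL = "shimgapi.dll"
BACKDOOR_PORTS = range(3127, 3199)  # 3127..3198 inclusive

# Constructed sample (not captured from a real host). Column layout assumed to
# match `netstat -ano` on Windows XP: Proto, Local Address, Foreign Address, State, PID.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1504
  TCP    192.168.1.10:1039      64.233.161.99:80       ESTABLISHED     1780
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed .reg export of the hijacked key. The worm's value names
# shimgapi.dll; the C:\WINDOWS\system32 prefix is an assumption.
SAMPLE_REG_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

# Constructed "clean" export: a hypothetical placeholder DLL name, not the real
# default value of this CLSID.
SAMPLE_REG_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"
"""


def listening_backdoor_ports(netstat_text):
    """Return (port, pid) pairs for TCP listeners inside the Mydoom backdoor range."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])
        pid = int(fields[4]) if len(fields) > 4 else None  # -o column, if present
        if port in BACKDOOR_PORTS:
            hits.append((port, pid))
    return hits


def hijacked_inprocserver(reg_text):
    """Return the InprocServer32 default value under the Mydoom CLSID if it names
    shimgapi.dll, otherwise None."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or MYDOOM_CLSID.lower() not in current_key.lower():
            continue
        if not current_key.lower().endswith("\\inprocserver32"):
            continue
        m = re.match(r'@="(.*)"$', line)  # '@' is the key's default value
        if m:
            path = m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
            if path.lower().endswith(BACKDOOR_DLL):
                return path
    return None


def assess(netstat_text, reg_text):
    """Combine both indicators. A listener in 3127-3198 on its own is only
    suspicious (other software can use those ports); the hijacked CLSID
    pointing at shimgapi.dll is the stronger signal."""
    ports = listening_backdoor_ports(netstat_text)
    dll = hijacked_inprocserver(reg_text)
    if dll and ports:
        return "infected"
    if dll or ports:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    print("listeners:", listening_backdoor_ports(SAMPLE_NETSTAT))
    print("dll:", hijacked_inprocserver(SAMPLE_REG_INFECTED))
    print("verdict:", assess(SAMPLE_NETSTAT, SAMPLE_REG_INFECTED))
```

Because Explorer loads the DLL in-process, the PID that netstat reports for the listener will be explorer.exe's, which is why the description says Task Manager shows nothing extra; that PID mapping is the thing to look at rather than the process list. A disinfect should remove the file and restore the CLSID's original InprocServer32 value rather than just deleting the key, since Explorer still uses that CLSID.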
 
a buddy of mine works for a hosting company, and apparently there were 25,000+ e-mails/hr going through their network with mydoom.* (* for a or b)
 
sheesh.. lol

just cleaned a friend's comp.. he had 5 different trojans, but no doom.. yay
 
The really amazing thing is that it doesn't matter how smart you are, people still download the files... I have gotten the infected emails numerous times in the past few days, some of them even coming from the listservs that I'm registered to in my college. This means that someone with upper level access (i.e. professors and department heads) had to get their computer infected... many of them have PhDs but... unfortunately they don't understand not to open attachments and to scan their computers regularly. With all the viruses going around, I update my definitions then scan my computer every night... so I know I'm not the problem...

But still, it boggles the imagination how such smart people can fall for these simple ploys
 
Originally posted by TheTMan
The really amazing thing is that it doesn't matter how smart you are, people still download the files... I have gotten the infected emails numerous times in the past few days, some of them even coming from the listservs that I'm registered to in my college. This means that someone with upper level access (i.e. professors and department heads) had to get their computer infected... many of them have PhDs but... unfortunately they don't understand not to open attachments and to scan their computers regularly. With all the viruses going around, I update my definitions then scan my computer every night... so I know I'm not the problem...

But still, it boggles the imagination how such smart people can fall for these simple ploys
Not exactly, remember this virus spoofs the address. Also, remember that Outlook Express (Outbreak Express?) slurps email addresses from all emails. So, as long as someone has the list's address AND the professor's address in their book, they get hit
 
Originally posted by beachbum
Oh yeah well uh..... mine were all from China (except for one) so BEAT THAT!!! j/k hahah :cool:


hehe, how about a bunch of them came from an @hardocp.com address :eek:
 
It's kind of strange, I'm getting emails forwarded to me from people trying to send emails to, for example, "[email protected]" etc., and of course there is no one under that name so it goes to me.
 
Originally posted by SupaFly99
I got hammered with it... but I never open attachments anyways :D

ditto, unless I am expecting the file AND know who it's coming from AND it doesn't sound like document.doc.exe :eek: :eek:
 