New MiMail variant is DDoS'ing SCO.com

tlarholm_at_pivx.com
Date: 01/27/04

    Date: Mon, 26 Jan 2004 16:03:30 -0800
    To: <bugtraq@securityfocus.com>


    MiMail.R, also known as W32/Mydoom@MM (McAfee), Novarg (F-Secure),
    W32.Novarg.A@mm (Symantec), Win32.Mydoom.A (CA) and Win32/Shimg (CA), is
    a polymorphic variant that collects/spams/forges email addresses using
    its own SMTP engine, installs a backdoor (most likely for use by
    spammers) and engages in a DDoS attack against SCO.com by routinely
    sending 63 HTTP requests. It's sent as a ZIP attachment containing an
    executable file with the file extension masked by numerous spaces.

    McAfee is calling this a High Outbreak worm, which definitely fits the
    bill according to the number of samples we are receiving.

    Is the SCO.com DDoS an attempt at distraction from the fact that this
    virus installs a proxy backdoor?

    CA used to have a removal tool at

    http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip

    but it's no longer available.

    More information:

    http://us.mcafee.com/virusInfo/default.asp?id=mydoom
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
    http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
    http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Phone: +1 (949) 231-8496
    PGP: 0x5A276569
    6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

    PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    Qwik-Fix
    <http://www.qwik-fix.net>
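The extension-masking trick the post describes (an executable name padded with many spaces so the real extension sits off-screen) is easy to flag at the mail gateway by inspecting ZIP member names. The following is an added example, not code from the post or from any vendor; the executable-extension list and the 8-space padding threshold are assumptions to tune for your environment.

```python
"""Flag ZIP attachments whose member names hide an executable extension
behind a run of whitespace (the masking trick described in the post)."""
import io
import re
import zipfile

# Assumption: extensions Windows runs on double-click; extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Visible part, then 8+ spaces/tabs (assumed threshold), then the real extension.
MASKED_NAME = re.compile(r"^(?P<shown>\S.*?\S)[ \t]{8,}(?P<ext>\.[a-z0-9]{1,4})$", re.I)


def masked_executable(name: str):
    """Return (visible_name, real_ext) when a name pads an executable
    extension out of view with whitespace, otherwise None."""
    m = MASKED_NAME.match(name)
    if not m:
        return None
    ext = m.group("ext").lower()
    if ext not in EXECUTABLE_EXTS:
        return None  # padded, but not something Windows would execute
    return m.group("shown"), ext


def scan_zip(data: bytes):
    """Return (member_name, visible_name, real_ext) for every masked member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = masked_executable(info.filename)
            if hit:
                findings.append((info.filename, hit[0], hit[1]))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one padded executable name beside a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 60 + ".exe", b"MZ" + b"\0" * 16)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, shown, ext in scan_zip(build_sample_zip()):
        print(f"masked executable: displays as {shown!r}, really {ext}")
```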

