Doomhunter - the first 'good' virus??


MJD

Discovered 13/2/04
According to the major players, this worm enters ONLY computers infected by
the Mydoom worm.
Because it only enters by the backdoor created by Mydoom infection then uses
Mydoom itself to execute it.
Then it tries to delete Mydoom from the infected system.
It even includes (basic) instructions for removal of itself.
But the Major Players just treat it as one more 'nasty'. WHY????

Opinions?

My 2 cents:
Mydoom was reasonably 'clever' but THIS is smart!
Wasn't one of the original ideas about viruses that they could be used
beneficially, like magic bullets?
Interesting to note the dramatic reduction in Mydoom traffic! It just might
be working.
 
Opinions?

My 2 cents:
Mydoom was reasonably 'clever' but THIS is smart! Wasn't one of the
original ideas about viruses that they could be used beneficially, like
magic bullets?
Interesting to note the dramatic reduction in Mydoom traffic! It just
might be working.


It doesn't.. been there.. done that with Fizzer.

For a more realistic look at the "mess" it creates, see: W32/Nachi and
W32/Welchi. A prime example of this exact scenario failing _miserably_.

We live and learn =)



Regards,

Ian
 
MJD said:
Discovered 13/2/04
According to the major players, this worm enters ONLY computers infected by
the Mydoom worm.
Because it only enters by the backdoor created by Mydoom infection then uses
Mydoom itself to execute it.
Then it tries to delete Mydoom from the infected system.
It even includes (basic) instructions for removal of itself.
But the Major Players just treat it as one more 'nasty'. WHY????

"Are good computer viruses still a bad idea"
http://www.virusbtn.com/old/OtherPapers/GoodVir/
 
Discovered 13/2/04
According to the major players, this worm enters ONLY computers infected by
the Mydoom worm.
Because it only enters by the backdoor created by Mydoom infection then uses
Mydoom itself to execute it.
Then it tries to delete Mydoom from the infected system.
It even includes (basic) instructions for removal of itself.
But the Major Players just treat it as one more 'nasty'. WHY????

Opinions?

My 2 cents:
Mydoom was reasonably 'clever' but THIS is smart!
Wasn't one of the original ideas about viruses that they could be used
beneficially, like magic bullets?
Interesting to note the dramatic reduction in Mydoom traffic! It just might
be working.

mydoom expired on 12th Feb - it will no longer keep sending out emails
from infected PCs
 
mydoom expired on 12th Feb - it will no longer keep sending out emails
from infected PCs

It will if the RTC is wrong.

 
It will if the RTC is wrong.

Have I missed something here - does mydoom interfere with the real
time clock ?

If not, then my comment stands - there will be a drastic reduction in
mydoom after 12th Feb - as the OP had noticed.

Just giving a more realistic explanation than the exploits of the so
called "good" virus.
 
Alastair said:
mydoom expired on 12th Feb - it will no longer keep sending out emails
from infected PCs

Did it also close that back door?

If no, then it's not really "expired".
 
Did it also close that back door?

If no, then it's not really "expired".

FFS read the thread - the OP said that this doomhunter virus was
responsible for the drastic drop in email traffic due to the doom virus -
I just pointed out what I had learnt - the doom virus stops sending
out any further emails from infected PCs.

So - drop in traffic due to the way doom was written - not antidoom.

and yes - the backdoor is still open - and you are still infected -
but the traffic will drop.

Jeez !
 
Thanks all, for the sensible responses.
The most comprehensive and considered response, however, came from Gladius,
and I bow to his opinion.
I particularly like his comments regarding who might have written it!
He said,
"Actually, Welchia/Nachi was an attempt at a "good" worm, in that it tried
to download patches to fix the Blaster worm, and it also tried to remove
that worm. Unfortunately, it was far from good, in that the amount of
traffic it generated from its network scans would effectively disable (DoS)
a network.
The Doomjuice worm is also far from good - it exploits the backdoor that the
MyDoom worm created (it's almost certainly written by the MyDoom author),
and it doesn't matter that it tries to remove MyDoom - that worm expired on
the 12th Feb anyway - but leaves its backdoor active - doomjuice still
replicates through that backdoor, and drops a version of the MyDoom source
code onto infected machines - presumably in an attempt to use this as a
defence should they be arrested - they can claim that they were infected by
Doomjuice, and that's why they have the MyDoom code. There's nothing good
about it.
Recently a new version of Welchia has come out, and once again, it tries
to disable other viruses. This is actually a really long tradition - some of
the Ethan macro viruses tried to disable other macro viruses. Code Blue was
an attempt to disable Code Red, the list of these attempts is long.
The fact remains, you cannot fight malware by using malware, there's just
too much risk, and too many chances to f**k it up. Malware writers do not
have any common sense, that's why they try to convince you what they are
doing is benign, but no one in their right mind wants any uncontrolled and
uncontrollable malware on their system.
I said as much over 2 years ago
http://www.virusbtn.com/magazine/archives/pdf/2001/200110.PDF
(see the second page - "A worm by any other name")"
 
On that special day, Alastair Smeaton, ([email protected]) said...
FFS read the thread - the OP said that this doomhunter virus was
responsible for the drastic drop in email traffic due to the doom virus -

Didn't you read the various descriptions of the MyDoom variants given by
the AV vendors? Both do have a deadline, and from then on, won't mail
themselves out any more. Just like the SoBig variants. This ain't the
result of any given anti MyDoom worm at all.


Gabriele Neukam

(e-mail address removed)
 
kurt said:
"Are good computer viruses still a bad idea"
http://www.virusbtn.com/old/OtherPapers/GoodVir/
It exploits DCOM RPC and makes the system unstable. How is this a good
virus? The answer, there is no such thing as a good virus. Are you
dreaming of a saprophytic relationship between antivirus companies and
malicious coders?

Dream on :-)

(There actually is a saprophytic relationship - if there were no
malicious coders (virus writers) there would be no business for
antivirus vendors - but in this case, no.)

Regards, Ian.
 
Ian said:
It exploits DCOM RPC and makes the system unstable. How is this a good
virus? The answer, there is no such thing as a good virus. Are you
dreaming of a saprophytic relationship between antivirus companies and
malicious coders?

Dream on :-)

perhaps next time you could do us a favour and read what you're
replying to before you reply...

the OP clearly was under the impression that doomhunter might fall
under the category of good virus so i pointed him at a paper that
covers just what does and what doesn't fall under that category..
 
On that special day, Alastair Smeaton, ([email protected]) said...


Didn't you read the various descriptions of the MyDoom variants given by
the AV vendors? Both do have a deadline, and from then on, won't mail
themselves out any more. Just like the SoBig variants. This ain't the
result of any given anti MyDoom worm at all.


Gabriele Neukam

(e-mail address removed)

Yes I did ! - exactly the point I was making - the OP suggested that
the antidoom virus was working, and responsible for the drop in emails
on the 12th and after.

I pointed out, after checking with AV sites, that even if nothing else
happened - these emails will drop in number.

Simple point - puzzled as to why people have been critical - I was
only trying to help the OP - as I repeated above in what you quoted.
 