I've stopped getting "My Doom"


Brendan DJ Murphy

A few days ago, I was still getting inundated with emails with the "My Doom" virus.

Today, suddenly, not even one.

Usually viruses dissipate slowly but it appears that "My Doom" has completely stopped all of a
sudden.
 
Brendan DJ Murphy said:
A few days ago, I was still getting inundated with emails with the "My Doom" virus.

Same here.
Today, suddenly, not even one.

Almost same here. Got one sample, probably from a system with a wrong
date setting.
Usually viruses dissipate slowly but it appears that "My Doom" has completely stopped all of a
sudden.

It's because of this (Novarg, alias MyDoom):
http://www.f-secure.com/v-descs/novarg.shtml

<quote>
"Mydoom is programmed to stop spreading on February 12th."
</quote>

But only because it stopped spreading, this doesn't mean that there
aren't thousands of computers still infected with it, incl. backdoor.

Regards
Gabriela
 
But only because it stopped spreading, this doesn't mean that there
aren't thousands of computers still infected with it, incl. backdoor.

....and all it'll take is some script kiddie to release a new variant
with the EOL date modified, no coding experience required.
 
Gabriela Salvisberg said:
It's because of this (Novarg, alias MyDoom):
http://www.f-secure.com/v-descs/novarg.shtml

<quote>
"Mydoom is programmed to stop spreading on February 12th."
</quote>
Yep...

But only because it stopped spreading, this doesn't mean that there
aren't thousands of computers still infected with it, incl. backdoor.

Also correct. In fact, multiple Vesser (aka Deadhat) and Doomjuice variants
(and probably much straight out port scanning) are still busily scanning the
Internet for open "Mydoom ports":

http://isc.sans.org/index.html?type=0

Further, it seems at least two SDBot variants or derivatives have been altered
to include a "spread via Mydoom port" option, or at least they are being
distributed via a "manual" Mydoom spreading script (as I'm getting these from
many IPs I guess the former is more likely but have not had time to analyse
the code yet).
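
Added example, not part of any post in this thread: one way to check firewall logs for the "Mydoom port" scanning described above and for internal hosts that may still expose the backdoor. The TCP range 3127-3198 is Mydoom.A's documented backdoor range, which the thread does not state; the log format, the `summarize` function and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Mydoom.A's backdoor listens on the first free TCP port in 3127-3198
# (assumption supplied here; the thread only says "Mydoom ports").
MYDOOM_PORTS = range(3127, 3199)

# Constructed, simplified firewall log format (not a real product's format).
LINE_RE = re.compile(
    r"ACTION=(?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

def summarize(lines, min_targets=3):
    """Return (scanners, exposed).

    scanners: {source IP: count of distinct (host, port) backdoor targets},
              for sources that probed at least `min_targets` targets.
    exposed:  destination IPs where a probe was ACCEPTed by the firewall,
              i.e. hosts to inspect for a listening backdoor.
    """
    targets = defaultdict(set)
    exposed = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        port = int(m["dpt"])
        if port not in MYDOOM_PORTS:
            continue
        targets[m["src"]].add((m["dst"], port))
        if m["action"] == "ACCEPT":
            exposed.add(m["dst"])
    scanners = {s: len(t) for s, t in targets.items() if len(t) >= min_targets}
    return scanners, exposed

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    "2004-02-13T10:01:02 ACTION=DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3127",
    "2004-02-13T10:01:02 ACTION=DROP SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=3127",
    "2004-02-13T10:01:03 ACTION=ACCEPT SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=3127",
    "2004-02-13T10:02:40 ACTION=DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3128",
    "2004-02-13T10:03:11 ACTION=ACCEPT SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2004-02-13T10:03:15 ACTION=DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP DPT=3127",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An accepted probe only shows that the firewall passed the connection; whether the backdoor is actually listening has to be confirmed on the host itself.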
 