MyDoom Backdoor Usage

John Coutts

Does anyone have any information on how the backdoor on the MyDoom virus is
being used? All I can find is this:
---------------------------------------------------------------
"Attackers have begun scanning for and are potentially compromising infected
systems," Symantec warns. "They are targeting the backdoor" on port 3127,
"which can allow them to upload new malicious code as well as use the infected
system to launch further attacks and forward SPAM email."
---------------------------------------------------------------

I have evidence of a dramatic increase in Spam activity (4-fold) that coincides
with the introduction of this virus, and I am wondering if anyone has any
further information.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
 
John Coutts said:
Does anyone have any information on how the backdoor on the MyDoom virus is
being used? All I can find is this:
---------------------------------------------------------------
"Attackers have begun scanning for and are potentially compromising infected
systems," Symantec warns. "They are targeting the backdoor" on port 3127,
"which can allow them to upload new malicious code as well as use the infected
system to launch further attacks and forward SPAM email."
---------------------------------------------------------------

I have evidence of a dramatic increase in Spam activity (4-fold) that coincides
with the introduction of this virus, and I am wondering if anyone has any
further information.

When this file is run it copies itself to the local system with the
following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
%SysDir%\taskmon.exe
(Where %Sysdir% is the Windows System directory, for example
C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

%SysDir%\shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm opens a connection on TCP port 3127, suggesting remote access
capabilities.

You can use Stinger to remove it: http://vil.nai.com/vil/stinger/
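Since the post above says the worm accepts connections on TCP port 3127, the quickest way for an administrator to find infected hosts on their own network is the same thing the attackers are doing: a connect scan for that port. The following is an added example and not code from the original thread or from any vendor; the subnet 192.168.1.0/24 in the usage line is an assumption, and the function names are mine. It does a plain TCP connect to each host and reports the ones that accept, so it needs no Windows-specific tooling and can be run from any machine on the LAN.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_network

# TCP port the post says the worm listens on (Symantec writeup quoted in the thread).
MYDOOM_BACKDOOR_PORT = 3127


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port completes within `timeout` seconds.

    A refused connection, a timeout or an unreachable host all count as "not open".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_listeners(hosts, port=MYDOOM_BACKDOOR_PORT, timeout=0.5, workers=64):
    """Connect-scan every host in `hosts` and return those accepting on `port`.

    Results keep the input order, so the caller can compare against an inventory.
    """
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, tcp_port_open(h, port, timeout)), hosts)
    return [h for h, is_open in results if is_open]


def sweep_subnet(cidr, port=MYDOOM_BACKDOOR_PORT, timeout=0.5):
    """Expand a CIDR block to its host addresses and scan them for `port`."""
    net = ip_network(cidr, strict=False)
    return find_listeners((str(addr) for addr in net.hosts()), port, timeout)


if __name__ == "__main__":
    # Assumed example subnet; pass your own LAN range as the first argument.
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for host in sweep_subnet(cidr):
        print(f"{host}: TCP {MYDOOM_BACKDOOR_PORT} accepting connections; "
              f"check the host for taskmon.exe, shimgapi.dll and the TaskMon Run key")
```

A connect scan only tells you that something on the host accepts TCP 3127; it does not prove the listener is the worm, and a personal firewall on an infected box can hide it. Treat a hit as a lead and confirm on the host itself with the artifacts listed in the post (the taskmon.exe and shimgapi.dll files in the System directory and the "TaskMon" value under the Run key). Keep the timeout short and the worker count moderate so the sweep finishes quickly without tripping your own IDS on the source address.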
 
John said:
I have evidence of a dramatic increase in Spam activity (4-fold) that coincides
with the introduction of this virus, and I am wondering if anyone has any
further information.
Actually I noticed a dramatic decrease in Spam activity since this worm
is out!
 