Wednesday, July 28, 2004

MyDoom returns

The latest version of the MyDoom could be just the first stage of a two-stage attack targeting Microsoft's main website according to the Register.

"MyDoom-M (AKA MyDoom-O) is a mass-mailing worm that opens a back door - Zincite-A - on port 1034/TCP of compromised PCs. This gives attackers remote, unauthorised access to infected PCs. First spotted on Monday afternoon, MyDoom-M has spread like wildfire, causing availability problems for leading search engines because of its use of sites such as Google to hunt for email addresses to attack.

Finnish anti-virus firm F-Secure is reporting the spread of a new worm, Zindos, which works together with MyDoom. Zindos-A is now hitching a ride on the back of the MyDoom, using the infected machine lists and the backdoors prepared by MyDoom-M, to spread. Zindos's payload includes a denial of service attack on www.microsoft.com. Once Zindos has infected a machine it causes the machine to request the http://www.microsoft.com/ domain in an infinite loop, with 50ms delays. This behaviour could help to explain the difficulties some Reg experienced visiting the software giant's website earlier this week."