Open Source and information security mailing list archives
 
Date: Tue, 27 Jan 2004 19:38:36 -0500
From: Bob Toxen <bob@...ysecurelinux.com>
To: tlarholm@...x.com, bugtraq@...urityfocus.com
Subject: Re: New MiMail variant is DDoS'ing SCO.com


I had no problem downloading CA's cleansing tool a short time ago.
My hat is off to CA for producing this tool and making it available
for free.

Regarding the SCO DDoS, it's so sad when a thief (of services)
decides to attack a blackmailer, in my opinion.

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
bob@...ysecurelinux.com (e-mail)

My recent talks on Linux security include:
  at IBM's Linux Competency Center in New York City     on Mar.  06 last year
  at the Atlanta SecureWorld Expo in Atlanta            on May   22 last year
  at the Enterprise Linux Forum in Silicon Valley       on June  04 last year
  at Computer Associates' Atlanta Linux Security Summit on Sep.  16 last year
  at Southeast Cybercrime Summit in Atlanta             on Mar. 2-5 2004
  at the FBI's Atlanta headquarters                     on Mar.  10 2004

Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562
Also available in Japanese, Chinese, and Czech.

On Mon, Jan 26, 2004 at 04:03:30PM -0800, tlarholm@...x.com wrote:
> MiMail.R, also known as W32/Mydoom@MM (McAfee), Novarg (F-Secure),
> W32.Novarg.A@mm (Symantec), Win32.Mydoom.A (CA) and Win32/Shimg (CA), is
> a polymorphic variant that collects/spams/forges email addresses using
> its own SMTP engine, installs a backdoor (most likely for use by
> spammers) and engages in a DDoS attack against SCO.com by routinely
> sending 63 HTTP requests. It's sent as a ZIP attachment containing an
> executable file with the file extension masked by numerous spaces.
> 
> McAfee is calling this a High Outbreak worm, which definitely fits the
> bill according to the number of samples we are receiving.
> 
> Is the SCO.com DDoS an attempt at distraction from the fact that this
> virus installs a proxy backdoor?
> 
> CA used to have a removal tool at
> 
> http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip
> 
> but it's no longer available.
> 
> More information:
> 
> http://us.mcafee.com/virusInfo/default.asp?id=mydoom
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
> http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
> http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593
> 
> 
> 
> Regards
> 
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@...x.com
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
> 
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix
> <http://www.qwik-fix.net> 
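The attachment trick Thor describes (an executable inside a ZIP whose real extension is pushed out of view by a long run of spaces) is straightforward to check for at a mail gateway or in an incident-response triage script. The following is an added example written for this archive page; it is not code from either poster, CA, or any vendor named above. The list of executable extensions, the padded-name regex and the sample archive it builds are assumptions for illustration, and the sample member is a constructed two-byte "MZ" stub, not a real worm sample.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked (assumed list
# for this example; extend it for your own gateway policy).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# "<shown name>.<decoy ext><run of spaces>.<real ext>": the padding pushes the
# real extension past what a mail client displays for a long attachment name.
PADDED_RE = re.compile(
    r"^(?P<shown>\S.*?\.[A-Za-z0-9]{1,4})(?P<pad>[ ]{2,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable.

    Each finding records the member's full name, the name a user would most
    likely see, and the reasons it was flagged (padded name, executable
    extension, and/or an MZ header in the content regardless of the name).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            reasons = []

            m = PADDED_RE.match(base)
            if m and m.group("real").lower() in EXEC_EXTS:
                reasons.append(
                    f"extension {m.group('real')!r} hidden behind "
                    f"{len(m.group('pad'))} spaces"
                )
            elif any(base.lower().endswith(ext) for ext in EXEC_EXTS):
                reasons.append("executable extension")

            # Name tricks are irrelevant if the bytes are a PE file: every
            # Windows executable starts with the 'MZ' DOS header.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("MZ header (PE/DOS executable) in content")

            if reasons:
                findings.append(
                    {
                        "name": info.filename,
                        "shown_as": m.group("shown") if m else base,
                        "reasons": reasons,
                    }
                )
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content} (test/helper use)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real worm): one benign text file plus a
    member named the way the attachment described above is named."""
    return build_zip(
        {
            "readme.txt": b"nothing to see here\n",
            # 'document.txt' + 60 spaces + '.exe', content is a fake MZ stub
            "document.txt" + " " * 60 + ".exe": b"MZ" + b"\x00" * 62,
        }
    )


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['shown_as']!r} -> {f['name']!r}: {'; '.join(f['reasons'])}")
```

Running it prints one line for the padded member and nothing for readme.txt. The content check is the one to keep even if you trust your extension list: a ZIP member named "invoice.txt" that starts with "MZ" is still an executable, and a mail filter that only looks at names will wave it through.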

