| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 4 Aug 2004 13:22:21 -0000 From: <albatross@....it> To: bugtraq@...urityfocus.com Subject: New MyDoom variant The SANS Institute reports a new variant of MyDoom in the wild actually not recognized by AV vendors: New MyDoom On The Loose Initial analysis (we will update as we know more): Currently (16:00GMT), signatures are not yet available. UPDATED (17:00GMT): - Signatures are starting to come out, identifying this as MyDoom.O, MyDoom.P or Evaman.C - It appears that this may only work on Win2K and WinXP machines because the executable requires psapi.dll. - Copies itself to the Windows' system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UPDATED (17:30GMT) - *BETA* Snort Sigs: UPDATED (17:40GMT) - *BETA #2* Snort Sigs: UPDATED (19:30GMT) - *BETA #3* Snort Sigs: var YAHOO [216.109.127.126/32] #var YAHOO any pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\ sid:900018; rev:4; flow:established,to_server; flags:A+;\ flowbits:set,search_uri; content: "/py/psSearch.py|3f|";) alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\ sid:900018; rev:4; flow:established,to_server; flags:A+;\ flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";) Targets Yahoo's people search: http://email.people.yahoo.com:80/py/psSearch.py? NEW (1700GMT)- Example packet capture: 12:23:22.922862 10.1.0.129.1035 > 216.109.127.126.80: P 5:310(305) ack 1 win 175 20 (DF) 0x0000 4500 0159 0077 4000 8006 96ba 0a01 0081 E..Y.w@......... 0x0010 d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1 .m.~...P"..|k.^. 0x0020 5018 4470 46c9 0000 2f70 792f 7073 5365 P.DpF.../py/psSe 0x0030 6172 6368 2e70 793f 4669 7273 744e 616d arch.py?FirstNam 0x0040 653d 4a61 6d69 6526 696e 6465 783d 2048 e=Jamie&index=.H 0x0050 5454 502f 312e 300d 0a41 6363 6570 743a TTP/1.0..Accept: 0x0060 2069 6d61 6765 2f67 6966 2c20 696d 6167 .image/gif,.imag 0x0070 652f 782d 7862 6974 6d61 702c 2069 6d61 e/x-xbitmap,.ima 0x0080 6765 2f6a 7065 672c 2069 6d61 6765 2f70 ge/jpeg,.image/p 0x0090 6a70 6567 2c20 6170 706c 6963 6174 696f jpeg,.applicatio 0x00a0 6e2f 766e 642e 6d73 2d65 7863 656c 2c20 n/vnd.ms-excel,. 0x00b0 6170 706c 6963 6174 696f 6e2f 6d73 776f application/mswo 0x00c0 7264 2c20 6170 706c 6963 6174 696f 6e2f rd,.application/ 0x00d0 766e 642e 6d73 2d70 6f77 6572 706f 696e vnd.ms-powerpoin 0x00e0 742c 202a 2f2a 0d0a 4163 6365 7074 2d4c t,.*/*..Accept-L 0x00f0 616e 6775 6167 653a 2065 6e2d 7573 0d0a anguage:.en-us.. 0x0100 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding: 0x0110 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate.. 0x0120 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi 0x0130 6c6c 612f 342e 300d 0a48 6f73 743a 2045 lla/4.0..Host:.E 0x0140 4d41 494c 2e50 454f 504c 452e 5941 484f MAIL.PEOPLE.YAHO 0x0150 4f2e 434f 4d0d 0a0d 0a O.COM.... Message subjects(?): SN: New secure mail SN: New secure mail Secure delivery Secure delivery failed transaction failed transaction Re: hello (Secure-Mail) Re: hello (Secure-Mail) Re: Extended Mail Re: Extended Mail Delivery Status (Secure) Delivery Status (Secure) Re: Server Reply Re: Server Reply SN: Server Status SN: Server Status Message body contains(?): Automatically Secure Delivery: for Automatically Secure Delivery: for Mail Delivery Server System: for Mail Delivery Server System: for Extended secure mail message available at: Extended secure mail message available at: Secure Mail Server Notification: for Secure Mail Server Notification: for New mail secure method implement: for New mail secure method implement: for New policy requested by mail server to returned mail as a secure compiled attachment (Zip). New policy requested by mail server to returned mail as a secure compiled attachment (Zip). Now a new message is available as secure Zip file format. Due to new policies on clients. Now a new message is available as secure Zip file format. Due to new policies on clients. This message is available as a secure Zip file format due to a new security policy. This message is available as a secure Zip file format due to a new security policy. For security measures this message has been packed as Zip format. This is a newly added security feature. For security measures this message has been packed as Zip format. This is a newly added security feature. New policy recommends to enclose all messages as Zip format. Your message is available in this server notice. New policy recommends to enclose all messages as Zip format. Your message is available in this server notice. You have received a message that implements secure delivery technology. Message available as a secure Zip file. You have received a message that implements secure delivery technology. Message available as a secure Zip file. This message is an automatically server notice from Administration at This message is an automatically server notice from Administration at Server Notice: New security feature added. MSG:ID: 455sec86 Server Notice: New security feature added. MSG:ID: 455sec86 New feature added for security reasons New feature added for security reasons Automatically server notice:, Server reply from Automatically server notice:, Server reply from New service policy for security added from New service policy for security added from The executable contains the following names that are used to search Yahoo: Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, Allison, Monique, Summers, Cortez, Barton, Deleon, Harrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, Leonard, Barker, Norris.
Powered by blists - more mailing lists