lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040804132221.1879.qmail@www.securityfocus.com>
Date: 4 Aug 2004 13:22:21 -0000
From: <albatross@....it>
To: bugtraq@...urityfocus.com
Subject: New MyDoom variant




The SANS Institute reports a new variant of MyDoom in the wild actually not recognized by AV vendors:

New MyDoom On The Loose 

Initial analysis (we will update as we know more): 

Currently (16:00GMT), signatures are not yet available.
UPDATED (17:00GMT):
- Signatures are starting to come out, identifying this as MyDoom.O, MyDoom.P or Evaman.C
- It appears that this may only work on Win2K and WinXP machines because the executable requires psapi.dll.
- Copies itself to the Windows' system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

UPDATED (17:30GMT) - *BETA* Snort Sigs:
UPDATED (17:40GMT) - *BETA #2* Snort Sigs:
UPDATED (19:30GMT) - *BETA #3* Snort Sigs:


var YAHOO [216.109.127.126/32]
#var YAHOO any
pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\
	sid:900018; rev:4; flow:established,to_server; flags:A+;\
	flowbits:set,search_uri; content: "/py/psSearch.py|3f|";)
alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\
	sid:900018; rev:4; flow:established,to_server; flags:A+;\
	flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";)

Targets Yahoo's people search: 

http://email.people.yahoo.com:80/py/psSearch.py? 

NEW (1700GMT)- Example packet capture:

12:23:22.922862 10.1.0.129.1035 > 216.109.127.126.80: P 5:310(305) ack 1 win 175 20 (DF)
0x0000   4500 0159 0077 4000 8006 96ba 0a01 0081        E..Y.w@.........
0x0010   d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1        .m.~...P"..|k.^.
0x0020   5018 4470 46c9 0000 2f70 792f 7073 5365        P.DpF.../py/psSe
0x0030   6172 6368 2e70 793f 4669 7273 744e 616d        arch.py?FirstNam
0x0040   653d 4a61 6d69 6526 696e 6465 783d 2048        e=Jamie&index=.H
0x0050   5454 502f 312e 300d 0a41 6363 6570 743a        TTP/1.0..Accept:
0x0060   2069 6d61 6765 2f67 6966 2c20 696d 6167        .image/gif,.imag
0x0070   652f 782d 7862 6974 6d61 702c 2069 6d61        e/x-xbitmap,.ima
0x0080   6765 2f6a 7065 672c 2069 6d61 6765 2f70        ge/jpeg,.image/p
0x0090   6a70 6567 2c20 6170 706c 6963 6174 696f        jpeg,.applicatio
0x00a0   6e2f 766e 642e 6d73 2d65 7863 656c 2c20        n/vnd.ms-excel,.
0x00b0   6170 706c 6963 6174 696f 6e2f 6d73 776f        application/mswo
0x00c0   7264 2c20 6170 706c 6963 6174 696f 6e2f        rd,.application/
0x00d0   766e 642e 6d73 2d70 6f77 6572 706f 696e        vnd.ms-powerpoin
0x00e0   742c 202a 2f2a 0d0a 4163 6365 7074 2d4c        t,.*/*..Accept-L
0x00f0   616e 6775 6167 653a 2065 6e2d 7573 0d0a        anguage:.en-us..
0x0100   4163 6365 7074 2d45 6e63 6f64 696e 673a        Accept-Encoding:
0x0110   2067 7a69 702c 2064 6566 6c61 7465 0d0a        .gzip,.deflate..
0x0120   5573 6572 2d41 6765 6e74 3a20 4d6f 7a69        User-Agent:.Mozi
0x0130   6c6c 612f 342e 300d 0a48 6f73 743a 2045        lla/4.0..Host:.E
0x0140   4d41 494c 2e50 454f 504c 452e 5941 484f        MAIL.PEOPLE.YAHO
0x0150   4f2e 434f 4d0d 0a0d 0a                         O.COM....


Message subjects(?): 

SN: New secure mail
SN: New secure mail
Secure delivery
Secure delivery
failed transaction
failed transaction
Re: hello (Secure-Mail)
Re: hello (Secure-Mail)
Re: Extended Mail
Re: Extended Mail
Delivery Status (Secure)
Delivery Status (Secure)
Re: Server Reply
Re: Server Reply
SN: Server Status
SN: Server Status


Message body contains(?): 

Automatically Secure Delivery: for 
Automatically Secure Delivery: for 
Mail Delivery Server System: for 
Mail Delivery Server System: for 
Extended secure mail message available at:
Extended secure mail message available at: 
Secure Mail Server Notification: for 
Secure Mail Server Notification: for 
New mail secure method implement: for 
New mail secure method implement: for 
New policy requested by mail server to returned mail
as a secure compiled attachment (Zip).
New policy requested by mail server to returned mail
as a secure compiled attachment (Zip).
Now a new message is available as secure Zip file format.
Due to new policies on clients.
Now a new message is available as secure Zip file format.
Due to new policies on clients.
This message is available as a secure Zip file format
due to a new security policy.
This message is available as a secure Zip file format
due to a new security policy.
For security measures this message has been packed as Zip format.
This is a newly added security feature.
For security measures this message has been packed as Zip format.
This is a newly added security feature.
New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.
New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.
You have received a message that implements secure delivery technology.
Message available as a secure Zip file.
You have received a message that implements secure delivery technology.
Message available as a secure Zip file.
This message is an automatically server notice
from Administration at
This message is an automatically server notice
from Administration at
Server Notice: New security feature added. MSG:ID: 455sec86
Server Notice: New security feature added. MSG:ID: 455sec86
New feature added for security reasons
New feature added for security reasons
Automatically server notice:,
Server reply from 
Automatically server notice:,
Server reply from 
New service policy for security added from
New service policy for security added from


The executable contains the following names that are used to search Yahoo:
Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, Allison, Monique, Summers, Cortez, Barton, Deleon, Harrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, Leonard, Barker, Norris. 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ