So the latest on the block is MyDoom.M and it seems that this worm is very fast to spread. I've already received a few messages to my work account. Now as we run Solaris, there is no real effect apart from extra load on the mail servers. Some of the global aliases the worm has been sending itself to were harvested from infected machines that do run MS OS's, such as laptops, so the worm is able to spread itself to these addresses from inside the SWAN (Sun Wide Area Network) when they are connected internally or via VPN.
Even when you have a network with virtually no infected systems connected, all it takes is one machine to still cause issues. Most global aliases have no need to accept external mail, so that cuts it down, but when you have infected systems that connect, issues still arise: in this case mostly just increased mail activity, but on other networks, where just about all machines are Windows based, a worm such as this will have much more of an effect. The From field of the email received is spoofed, and when a machine is infected a backdoor known as Backdoor.Zincite.A is installed on port 1034/tcp.
The following registry keys are created:
* HKEY_LOCAL_MACHINE\Software\Daemon
* HKEY_CURRENT_USER\Software\Daemon
And it copies itself to the system as:
* %Windir%\java.exe
* %Windir%\services.exe
The following values are added to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
* "Services" = "%Windir%\services.exe"
* "JavaVM" = "%Windir%\java.exe"
So the worm is loaded when Windows boots. It is being reported that this is classed as quite severe due to the rate at which it appears to be spreading. For a full analysis go here. You would be advised to update your AV software.
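As an added example (not from the original post), here is a PowerShell check an administrator can run on a Windows host for the artifacts listed above: the two Run values, the two Daemon keys, the dropped files and a listener on 1034/tcp. The function name is my own, and the port check assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later).

```powershell
# Added example: look for the MyDoom.M / Backdoor.Zincite.A persistence artifacts
# described in the post. Value names, key paths, file names and the port come from
# the post; the function name and output format are assumptions of this example.
$windir = $env:WINDIR
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$daemonKeys = 'HKLM:\Software\Daemon', 'HKCU:\Software\Daemon'
$suspectValues = @{ 'Services' = "$windir\services.exe"; 'JavaVM' = "$windir\java.exe" }

function Get-MyDoomMIndicators {
    $findings = @()

    # 1. Run-key values that point at the dropped copies of the worm
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($name in $suspectValues.Keys) {
            $prop = $run.PSObject.Properties[$name]
            if ($prop -and ($prop.Value -ieq $suspectValues[$name])) {
                $findings += "Run value '$name' = '$($prop.Value)'"
            }
        }
    }

    # 2. Marker keys the worm creates
    foreach ($k in $daemonKeys) {
        if (Test-Path $k) { $findings += "Registry key present: $k" }
    }

    # 3. Dropped files. The legitimate services.exe lives in %Windir%\System32,
    #    not directly under %Windir%, so a copy at this path is itself suspicious.
    foreach ($f in $suspectValues.Values) {
        if (Test-Path $f) { $findings += "File present: $f" }
    }

    # 4. Backdoor listener on 1034/tcp
    $listener = Get-NetTCPConnection -LocalPort 1034 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $findings += "TCP port 1034 listening (PID $($listener.OwningProcess -join ','))"
    }

    return $findings
}

$result = Get-MyDoomMIndicators
if ($result.Count -eq 0) { 'No MyDoom.M / Zincite indicators found.' } else { $result }
```

Any hit should be treated as a lead for AV confirmation and cleanup rather than proof on its own, since a Run value or file name can be reused by unrelated software.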
Post ID: 454, posted by jase at 12:38 PM