Is there any Mydoom virus in your network? Use this filter to capture them

Discussion in 'Capsa Network Analyzer' started by Colasoft Support, Jul 3, 2011.

Thread Status:
Not open for further replies.
  1. Colasoft Support

    Colasoft Support Colasoft Moderator

    This is an advanced Capsa capture filter to capture only the traffic of the notorious and aged Mydoom virus. By using this filter, all packets matching the filter's conditions will be displayed and you know there is Mydoom virus movements in your network.

    Now download the filter and follow the instructions below to load and apply the filter.

    Download Mydoom worm virus filter: View attachment

    How to use this filter?

    1. Download the filter file and decompress it
    2. Run Capsa (if it's not installed, get one free)
    3. On the Start Page, click Set Capture Filter link on the upper right corner
    4. Click Import... icon down below the open Filter window
    5. Select the filter file and click Open
    6. Click No when see "Do you want to empty the existed packet filter in current list?"
    7. Then check the Accept checkbox back on the Filter window
    8. Click OK
    9. Click Start button to start a capture

    What is Mydoom worm?

    Defination from Wikipedia: Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on 26 January 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm.
  2. Spooony

    Spooony Registered Member

    anything for conflicker?
  3. Colasoft Support

    Colasoft Support Colasoft Moderator

    Hi Spooony,

    On the web, we know Conficker worm is rampant and it has the following features:

    Domain controllers respond slowly to client requests.
    System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
    Port 445/TCP scanning (A/B)
    Multicast UPnP requests
    High-port TCP and UDP P2P Activity
    Abnormal DNS lookup activity

    The simplest way to find conficker is to start from DNS queries. Because the DNS queries are random, it's hard to offer a universal filter. We can find clues from the Log tab in Capsa, when you see lots of DNS error items, you should pay attention to them always. They may not be conficker, but definitely something is wrong.

    This picture shows the DNS activities of a typical Conficker worm.


    You may notice that the host sent DNS packets quickly and lots of error returned.
  4. Colasoft Support

    Colasoft Support Colasoft Moderator

  5. Spooony

    Spooony Registered Member

    Thanks man for the wonderfull reply. Even my wife understood it (and she only knows how to go on facebook and start Itunes).

    Scary thing about conflicker is it can sit and wait for years awaiting new instructions and a lot of users run their own private network these days. And unfortunately or fortunately depends what way you look at it systems are so good and quick these days so users who finds malware on a pc go by approach format that will remove a worm from my pc which is connected in a network. Then some time later they ask how they got infected again.
Thread Status:
Not open for further replies.