MyDoom author may be covering tracks

Discussion in 'malware problems & news' started by NeonWizard, Feb 10, 2004.

Thread Status:
Not open for further replies.
  1. NeonWizard (Registered Member; joined Jan 17, 2004; posts: 64; location: Vancouver, Canada)

    A worm that started spreading on Sunday places the source code for the original MyDoom virus on victims' hard drives, an action equivalent to planting evidence, antivirus experts said Tuesday.

    The worm, Doomjuice, spreads to computers that have already been infected by either the original MyDoom virus or the MyDoom.B variant, and among other actions, places several copies of the source code for MyDoom.A on the victim's computer.

    The author may be using the tactic to create a crowd of PC users in which to hide, or the author could be spreading the code in hopes that other virus writers will create variations on MyDoom, said Graham Cluley, senior technology consultant for antivirus firm Sophos.

  2. bigc73542 (Retired Moderator; joined Sep 21, 2003; posts: 23,873; location: SW. Oklahoma)

    With a $250,000 reward out for him or her, they may just be trying to hide. I think I would. ;)
     
  3. Jooske (Registered Member; joined Feb 12, 2002; posts: 9,713; location: Netherlands, EU near the sea)

    Could this be a reason for the sudden extra amount of port scans on TCP port 3127, which is one of the backdoors opened by MyDoom?
    Do infected victims port-scan to spread further? The scans come from everywhere! Was a DDoS part of the payload? I thought it was only against the Microsoft and sco.com sites?


    http://isc.sans.org/port_details.html?port=3127
    Ports 3127-3198 are used by MyDoom, and 10080 also by MyDoom-B.
    http://www.viruslist.com/eng/viruslist.html?id=942691
    Here's the juice variant B already.
    So the port-scan 3127 story I mentioned above fits, unfortunately.
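An added example, not part of this thread, of how a defender could triage the port-3127 scans Jooske describes: it parses constructed iptables-style firewall log lines (the format is an assumption) and flags sources that probe the MyDoom backdoor ports named above, 3127-3198 and 10080, on several distinct hosts.

```python
import re
from collections import defaultdict

# MyDoom backdoor ports as listed in the thread: 3127-3198 (MyDoom.A) and 10080 (MyDoom.B).
MYDOOM_PORTS = set(range(3127, 3199)) | {10080}

# Assumed log format, loosely modelled on iptables kernel logging; only these fields are used.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*DPT=(?P<dpt>\d+)")

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Feb 10 12:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4411 DPT=3127
Feb 10 12:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4412 DPT=3127
Feb 10 12:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4413 DPT=3128
Feb 10 12:00:04 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Feb 10 12:00:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=10080
Feb 10 12:00:06 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.13 PROTO=TCP SPT=51002 DPT=10080
Feb 10 12:00:07 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.14 PROTO=TCP SPT=51003 DPT=10080
Feb 10 12:00:08 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4414 DPT=3127
"""


def backdoor_hits(log_text):
    """Map each source IP to the set of (dst, dport) pairs it probed on MyDoom backdoor ports.

    The backdoor is TCP, so UDP lines are ignored to avoid counting unrelated noise.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        dport = int(m["dpt"])
        if dport in MYDOOM_PORTS:
            hits[m["src"]].add((m["dst"], dport))
    return hits


def flag_scanners(log_text, min_targets=2):
    """Return (src, distinct_hosts, sorted_ports) for sources hitting backdoor ports on
    at least min_targets distinct hosts; a single hit is more likely noise than a sweep."""
    flagged = []
    for src, pairs in backdoor_hits(log_text).items():
        hosts = {dst for dst, _ in pairs}
        if len(hosts) >= min_targets:
            flagged.append((src, len(hosts), sorted({dport for _, dport in pairs})))
    return sorted(flagged)
```

Sources that appear here are worth checking as possibly MyDoom-infected hosts themselves, since the thread notes the scans come from everywhere rather than from a single origin.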
     