Al-Arab Blog - مدونة العرب
2004/01/29
Targeting The Big Corps : NEW Virus : Mydoom.B DDOS Attack Thread every 1024 milliseconds
Payload
The worm will perform a DDoS attack against www.microsoft.com on the 3rd of February 2004 at 13:09:18 (UTC) and against www.sco.com on the 1st of February 2004 at 16:09:18 (UTC).
The DDoS attack launches 8 threads against www.sco.com every 1024 milliseconds.
The other DDoS attack launches 14 threads against www.microsoft.com every 1024 milliseconds.
The hosts file on infected machines will be modified so that domains belonging to Anti-Virus companies and other commercial sites resolve to the IP address 0.0.0.0, rendering them inaccessible.
The full contents of this file follow (the file is encrypted within the worm's code):
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net
An additional line is added before the date when the attack against Microsoft begins:
0.0.0.0 www.microsoft.com
This makes the site inaccessible. On the 3rd of February the entry will be removed so that the attack can be performed, which will probably cause some difficulties reaching the site if the DDoS is successful.
The modifications in the hosts file are probably targeted so that customers of the most widespread Anti-Virus products can't download new updates to disinfect the worm.
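A check for this kind of hosts-file tampering, as an added example that is not part of the original post or of any vendor's tooling: it flags lines that map security-vendor or update domains to an unroutable address, while ignoring ordinary ad-blocking entries. The function names and the sample file are constructed for illustration; the watchlist suffixes are taken from the entries listed above.

```python
import ipaddress

# Suffixes taken from the hosts entries listed above; extend for your environment.
WATCHED_SUFFIXES = (
    "microsoft.com", "symantec.com", "sophos.com", "f-secure.com",
    "mcafee.com", "nai.com", "networkassociates.com", "trendmicro.com",
    "kaspersky.ru", "avp.ru", "avp.ch", "avp.com", "viruslist.ru",
    "ca.com", "my-etrust.com",
)

def is_blackhole(addr):
    """True for addresses that can never reach the real site (0.0.0.0, ::, loopback)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback

def matches_watchlist(host, suffixes=WATCHED_SUFFIXES):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_blocked_security_hosts(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return (line_number, address, hostname) for each watched name that is blackholed."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2 or not is_blackhole(fields[0]):
            continue
        for host in fields[1:]:                  # one line may carry several names
            if matches_watchlist(host, suffixes):
                findings.append((lineno, fields[0], host.lower().rstrip(".")))
    return findings

# Constructed sample: a normal localhost line, an ad-block style entry,
# and three lines in the format shown above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0\tdownload.mcafee.com mast.mcafee.com www.trendmicro.com  # tab-separated
0.0.0.0 WWW.Microsoft.COM
10.0.0.5 intranet.example.test
"""

if __name__ == "__main__":
    for lineno, addr, host in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}")
```

On Windows the file to feed it is %SystemRoot%\System32\drivers\etc\hosts. Because the www.microsoft.com entry is removed again on the 3rd of February, a clean result for that one name does not mean the machine is clean.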
This work is licensed under a Creative Commons License.