NEWS FROM THE LAB - February 2004
 

 

Sunday, February 29, 2004

 
They never stop, do they? Posted by Mikko @ 19:11 GMT

Two new Bagle variants have been spotted. Again. Seems to be a busy weekend.

Apparently at least one of the new variants sometimes sends ZIP archives encrypted with a password - and mentions the password in the message body. The ZIP itself is variable, as the EXE inside has a random part in it. The virus tries to bypass detection of gateway / server scanners this way. Workstation products should have no problems in detecting the EXE once it is decrypted.

However, the new variants don't seem widespread at all. We should know more by Monday.
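A gateway-side heuristic for the trick described in this post, written as an added example rather than F-Secure's code or any product's scanner: it inspects a mail for a ZIP attachment whose entries carry the encryption flag and an executable name, and for a password quoted in the message body, and only then flags the mail for quarantine. The sample message, the addresses, the password pattern and the encrypted-ZIP construction (the flag bit is patched in by hand because the standard library does not write encrypted archives) are all constructed here.

```python
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Attachment names a workstation would execute directly once extracted.
EXEC_SUFFIXES = ('.exe', '.scr', '.pif', '.com', '.bat')

# Constructed pattern covering "password is X", "password: X" and "password X".
PASSWORD_RE = re.compile(r'password\s*(?:is|:)?\s*["\']?([^\s"\'.,]+)', re.IGNORECASE)


def build_encrypted_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: a ZIP whose entry is flagged as password-protected.

    zipfile cannot write encrypted archives, so the archive is written normally
    and bit 0 (traditional PKWARE encryption) of the general purpose flag is
    set afterwards in the local file header (offset 6 after its signature) and
    in the central directory entry (offset 8 after its signature). Only the
    flag a scanner reads is set; the member data itself is left as written.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b'PK\x03\x04', 6), (b'PK\x01\x02', 8)):
        pos = data.find(signature)
        while pos != -1:
            (flags,) = struct.unpack_from('<H', data, pos + flag_offset)
            struct.pack_into('<H', data, pos + flag_offset, flags | 0x1)
            pos = data.find(signature, pos + len(signature))
    return bytes(data)


def inspect_zip(blob: bytes) -> dict:
    """Read only the central directory: nothing is extracted or decrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = zf.infolist()
    return {
        'encrypted': any(entry.flag_bits & 0x1 for entry in entries),
        'executables': [entry.filename for entry in entries
                        if entry.filename.lower().endswith(EXEC_SUFFIXES)],
    }


def scan_message(msg: EmailMessage) -> dict:
    """Flag mail carrying an encrypted ZIP of executables together with its password."""
    body_part = msg.get_body(preferencelist=('plain',))
    body = body_part.get_content() if body_part is not None else ''
    match = PASSWORD_RE.search(body)
    password = match.group(1) if match else None

    attachments = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        if not blob or not blob.startswith(b'PK\x03\x04'):
            continue  # not a ZIP; other attachment types are out of scope here
        finding = inspect_zip(blob)
        finding['filename'] = part.get_filename()
        attachments.append(finding)

    quarantine = password is not None and any(
        a['encrypted'] and a['executables'] for a in attachments)
    return {'password_in_body': password,
            'attachments': attachments,
            'quarantine': quarantine}


def build_sample_message() -> EmailMessage:
    """Constructed sample resembling the mails described above; addresses are placeholders."""
    msg = EmailMessage()
    msg['From'] = 'someone@example.invalid'
    msg['To'] = 'recipient@example.invalid'
    msg['Subject'] = 'Re: document'
    msg.set_content('Hello, see the attached archive. The password is qwerty123')
    # The real samples vary the member name; it is fixed in this constructed one.
    archive = build_encrypted_zip('photos_8f2a.exe', b'MZ' + b'\x90' * 64)
    msg.add_attachment(archive, maintype='application', subtype='zip',
                       filename='photos.zip')
    return msg


def demo() -> dict:
    return scan_message(build_sample_message())


if __name__ == '__main__':
    print(demo())
```

The decision deliberately needs both signals: an encrypted ZIP alone is common legitimate traffic, and a password in a body alone is noise, but the combination with an executable member name is what the post describes. The archive is never opened with the password, so the gateway does not have to reproduce the workstation scanner's job.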

 
 

 
 
Saturday, February 28, 2004

 
Three new Bagle variants in less than 24 hours Posted by Katrin @ 16:29 GMT

One more new Bagle variant - Bagle.E is spreading.
For more info see:

https://www.f-secure.com/v-descs/bagle_e.shtml

 
 

 
 
Yet another new Bagle variant is spreading Posted by Katrin @ 15:44 GMT

Yet another new Bagle variant, Bagle.D, was found in the wild during this weekend. It is functionally similar to Bagle.C. For more info see:

https://www.f-secure.com/v-descs/bagle_d.shtml


 
 

 
 
Bagle.C went to Level 2 Alert Posted by Mikko @ 01:21 GMT

The Bagle.C is spreading quickly. We took it now to an F-Secure Radar Level 2 Alert, but if it keeps up the pace, it might make it to the highest (Level 1) alert. Then again, the weekend is looming, and email worms don't spread too well during weekends, as people don't read their email.

The previous B variant stopped spreading three days ago on the 25th. This one will stop on the 14th of March. It sends random emails with a zipped EXE attachment, looking like an Excel spreadsheet:

[image: nbaglec.gif, sample Bagle.C message]

 
 

 
 
Bagle.C worm is spreading Posted by Katrin @ 00:08 GMT

A new variant of the Bagle worm, Bagle.C, was found in the wild early in the morning on the 28th of February, 2004.

The worm is under analysis. More information will be available later:

https://www.f-secure.com/v-descs/bagle_c.shtml

 
 

 
 
Friday, February 27, 2004

 
Added detection and updated description for Bizex Java components Posted by Jarno @ 14:49 GMT

Added detection that gives the correct name for the Java exploit components used by Bizex, and updated the Bizex description to mention the Java part.

Updated description at
https://www.f-secure.com/v-descs/bizex.shtml

 
 

 
 
Wednesday, February 25, 2004

 
Netsky.C Posted by Mikko @ 20:55 GMT

Yet another new variant of Netsky was found today, and started spreading quite rapidly. So we've upgraded it to a Level 2 Alert.

 
 

 
 
Mydoom.F still gaining ground Posted by Mikko @ 11:37 GMT

We're raising Mydoom.F to F-Secure Radar Level 2 Alert because of increased prevalence. It was found on Friday but the outbreak really started yesterday.
 
 

 
 
Tuesday, February 24, 2004

 
Mydoom.F gaining ground Posted by Mikko @ 07:25 GMT

The F variant of Mydoom was found four days ago. A bit surprisingly, we've started seeing it in bigger numbers today. We're currently considering issuing a Level 2 Radar alert on it.

The F variant is important, as in addition to spreading, installing backdoors and launching DDoS attacks (like the previous variants), it also randomly deletes data files with these extensions: DOC, XLS, MDB, JPG, BMP, AVI and SAV.


 
 

 
 
Friday, February 20, 2004

 
New destructive Mydoom.F found Posted by Katrin @ 11:36 GMT

A new Mydoom.F variant was found today. This one tries to attack www.riaa.com in addition to www.microsoft.com and also contains a destructive payload that deletes several file types such as pictures, movies and MS Office documents.

Currently the worm is spreading slowly.

For more information on Mydoom.F see:

https://www.f-secure.com/v-descs/mydoom_f.shtml

 
 

 
 
Wednesday, February 18, 2004

 
A new worm Netsky.B is currently spreading in the wild Posted by Katrin @ 14:47 GMT

We have several reports of a new worm NetSky.B, so far mostly from Europe. The worm arrives in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders. For more information see:

https://www.f-secure.com/v-descs/netsky_b.shtml

 
 

 
 
Tuesday, February 17, 2004

 
Bagle.B worm upgraded to Level 1 Posted by Katrin @ 19:13 GMT

We upgraded the Bagle.B worm to Radar Level 1 as it keeps spreading rapidly.
 
 

 
 
Bagle.B is spreading fast Posted by Ero @ 16:08 GMT

This new variant seems to be quite successful in spreading; details are already available in the description (the link is in the previous post).

For live infections, a disinfection tool is available at:


https://www.f-secure.com/tools/f-bagle.txt
https://www.f-secure.com/tools/f-bagle.exe
https://www.f-secure.com/tools/f-bagle.zip

 
 

 
 
New Bagle worm found. Posted by Ero @ 12:59 GMT

Minutes ago a new variant of Bagle, Bagle.B, was found; we are currently analyzing it.

The worm is currently being analyzed; the process can be followed at:

https://www.f-secure.com/v-descs/bagle_b.shtml

 
 

 
 
Monday, February 16, 2004

 
Mydoom.A reached its deadline Posted by Katrin @ 14:58 GMT

We downgraded the alert level on Mydoom.A since it reached its deadline.

The worm was programmed to stop spreading after February 12th, 2004.

 
 

 
 
Friday, February 13, 2004

 
Random tidbits Posted by Ero @ 13:59 GMT


SCO has, so far, not changed its own DNS servers regarding www.sco.com.

Yet another new variant of Mimail was discovered today. This one, named Mimail.U, incorporates an IRC backdoor which will allow the attacker, among other things, to download arbitrary files and run them.

 
 

 
 
Thursday, February 12, 2004

 
At the end of the day... Posted by Mikko @ 21:30 GMT

It's getting late on the 12th of February. WWW.MICROSOFT.COM is still up (with some increased load though).

And WWW.SCO.COM has not been added back to DNS. As far as we can tell, this hasn't even been attempted today.

 
 

 
 
Doomhunter Posted by Mikko @ 19:07 GMT

A virus (known as Doomhunter) that removes the Mydoom virus seems to be going around.

It removes Mydoom.A and B completely, with all files and registry keys.

After this, Doomhunter apparently starts listening on TCP port 3127, waiting for an infected machine to try to connect to it. When this happens, it sends itself to the attacking IP through the backdoor, removes the virus and continues listening from there.


 
 

 
 
New Mitglieder exploits the Mydoom backdoor Posted by Gergo @ 07:27 GMT

Mitglieder.H, originating from the Mitglieder trojan family, has been found in the wild. The new worm exploits the Mydoom backdoor. It comes with update, SMTP proxy and proxy reporting features.

Details are being posted to

https://www.f-secure.com/v-descs/mitglieder_h.shtml

This seems to be the morning of Mydoom-exploiting worms.

 
 

 
 
New Welchi targets Mydoom Posted by Gergo @ 06:14 GMT

A new variant of the Welchi worm has been found in the wild. The new variant uses several vulnerabilities (e.g. RPC/DCOM, WebDAV) to spread. On computers it can infect, Welchi.B checks for the presence of the Mydoom.A and Mydoom.B worms and removes them if they are found.

The analysis of Welchi.B is underway and more information will be posted to the description page at

https://www.f-secure.com/v-descs/welchi_b.shtml

 
 

 
 
It's now the 12th of February Posted by Mikko @ 04:38 GMT

Three things related to Mydoom and Doomjuice happen today:

 1) Mydoom.A expires

When an infected machine is rebooted and the date based on the local clock of the PC is 12th of February or later, the worm will stop spreading and attacking WWW.SCO.COM.

The backdoor of the worm WON'T stop - it will keep running forever.

This also means that we will most likely see an attempt by SCO during the next 24 hours to bring back the domain WWW.SCO.COM. Currently it's still not listed in DNS:

 [c:\]host www.sco.com
 Host www.sco.com not found: 3(NXDOMAIN)

 [c:\]host sco.com
 sco.com has address 216.250.128.21

 2) The attack strategy of Doomjuice.A changes

The Doomjuice.A attack against WWW.MICROSOFT.COM was programmed so that it first sleeps for a random interval before launching the threads to do the attack.

If the worm is executed or an infected machine is rebooted on February 12th or later, the threads are created immediately, without waiting.

This change is not likely to be too visible.

 3) Doomjuice.B attack starts

Doomjuice.B, which uses random HTTP headers in its attack, will launch the attack from today.

The WWW.MICROSOFT.COM website seems to be up and running, although there have been some slight delays in performance lately:

[image: www.microsoft.com performance graph]

We'll keep monitoring the situation.


 
 

 
 
More on the slight new variant of Mydoom.A Posted by Mikko @ 04:15 GMT

It turned out there was a little bit more to the new variant (Mydoom.D) found on Tuesday evening than just repacking it with Petite; one of the email messages it sends has been patched to say:

 "ROFL HELLO SAM HOWS UPZ. Partial message is available."

So obviously it's the work of some kid just playing with the virus and sending greetings to his friend.

 
 

 
 
Wednesday, February 11, 2004

 
Some details on Doomjuice sequel Posted by Ero @ 15:45 GMT


The description can now be found at:

https://www.f-secure.com/v-descs/doomjuiceb.shtml

No major changes apart from a smaller size due to not dropping any source code, and being a bit more virulent, DDoS'ing with a number of threads ranging from 32 to 182, instead of 16 to 96 as in the previous one.

 
 

 
 
No visible effects to www.microsoft.com Posted by Mikko @ 11:08 GMT

So far, www.microsoft.com hasn't suffered any visible problems. Apparently Doomjuice.B is not too widespread. This is hard to measure, as the scanning traffic it generates is identical to Doomjuice.A.


 
 

 
 
New variant of Doomjuice found Posted by Mikko @ 10:57 GMT

A new variant of the Doomjuice worm was found two hours ago. This one also attacks www.microsoft.com, like Doomjuice.A.

The worm attacks www.microsoft.com via the HTTP protocol like Doomjuice.A, but now it sets random HTTP headers to make it more difficult to filter out the attack traffic:

User-Agent: Mozilla/4.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)
Accept-Encoding: gzip, deflate
Accept-Language: en
Accept-Language: en-us


 
 

 
 
Over 50,000 computers are scanning... Posted by Mikko @ 04:55 GMT

The number of source IP addresses for port 3127 scans (i.e. infected computers) was above 50,000 on Tuesday as measured by Incidents.org.

 
 

 
 
Tuesday, February 10, 2004

 
Slight new variant of Mydoom.A found Posted by Mikko @ 18:11 GMT

Today someone has taken the original Mydoom.A worm, unpacked the UPX packing and repacked it with Petite - and distributed the end result.

End result: a worm which is functionally identical to original Mydoom but which might be missed by some antivirus programs. We don't...F-Secure actually detects this as Mydoom.A by default.

Some other antivirus programs might detect it as Mydoom.D.

 
 

 
 
Holding steady Posted by Mikko @ 15:58 GMT

Microsoft's web site seems to be operating fine, and there's no reason to think that wouldn't last, at least until Thursday the 12th of February, when the DDoS attack of the Doomjuice worm changes slightly.

Filtering web access which is not from web browsers seems to work fine to protect the site. Unfortunately, we can expect to see future viruses launch similar attacks with some generic "User-Agent: Mozilla" string.

The number of scans for port 3127 is steadily increasing at incidents.org.

 
 

 
 
How widespread is Doomjuice? Posted by Mikko @ 07:24 GMT

We'd estimate the number of infected machines to be in tens of thousands around now.

This is based on the number of different IP addresses we see scanning the net for open port 3127. This can be monitored from public services such as incidents.org. They saw 30878 source addresses on Monday for such scans...and obviously they only see part of the net.

PS. Like Mydoom.A and B, the Doomjuice worm is programmed in C. We even have a picture of a snippet of the Mydoom.A source code in the virus description.
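The measurement this post describes, counting distinct source addresses seen probing TCP port 3127, as an added example rather than incidents.org's or F-Secure's own tooling: it parses constructed iptables-style firewall log lines (the log format, the host name and the documentation-range addresses are all assumptions) and reports distinct scanning sources per day, plus the sources that recur across days and so are likely still infected.

```python
import re
from collections import defaultdict

# Matches kernel-log lines as written by the iptables LOG target; the usual
# IN/OUT/SRC/DST/.../PROTO/SPT/DPT field order is assumed.
LOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: '
    r'.*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)')

MYDOOM_BACKDOOR_PORT = 3127  # the port the post says infected machines probe

# Constructed sample log: documentation-range addresses, not real scanners.
SAMPLE_LOG = """\
Feb  9 10:15:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4011 DPT=3127 SYN
Feb  9 10:15:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=4012 DPT=3127 SYN
Feb  9 10:16:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1034 DPT=3127 SYN
Feb  9 10:17:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=2200 DPT=80 SYN
Feb 10 02:01:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4099 DPT=3127 SYN
Feb 10 02:05:59 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3333 DPT=3127 SYN
Feb 10 02:06:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.78 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=3333 DPT=3127
Feb 10 02:07:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 LEN=48 PROTO=TCP SPT=1040 DPT=3127 SYN
this line is not a firewall record and is skipped
"""


def scanning_sources_by_day(log_text: str, port: int = MYDOOM_BACKDOOR_PORT) -> dict:
    """Map 'Mon DD' to the set of source IPs that sent TCP packets to `port` that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m['proto'] != 'TCP' or int(m['dpt']) != port:
            continue
        seen[f"{m['mon']} {int(m['day']):02d}"].add(m['src'])
    return dict(seen)


def distinct_scanners_per_day(log_text: str, port: int = MYDOOM_BACKDOOR_PORT) -> dict:
    """The headline figure the post quotes: distinct probing sources per day."""
    return {day: len(ips)
            for day, ips in sorted(scanning_sources_by_day(log_text, port).items())}


def recurring_sources(log_text: str, port: int = MYDOOM_BACKDOOR_PORT) -> set:
    """Sources that probed on more than one day: likely still-infected hosts."""
    days_per_ip = defaultdict(set)
    for day, ips in scanning_sources_by_day(log_text, port).items():
        for ip in ips:
            days_per_ip[ip].add(day)
    return {ip for ip, days in days_per_ip.items() if len(days) > 1}


if __name__ == '__main__':
    print(distinct_scanners_per_day(SAMPLE_LOG))
    print(sorted(recurring_sources(SAMPLE_LOG)))
```

Counting distinct sources rather than packets matters because one infected host probes many addresses (the first two sample lines are the same scanner), and the per-day split is what makes the post's "steadily increasing" trend visible; a sensor only sees the part of the net that happens to probe it, as the post notes.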

 
 

 
 
Jigsaw Piece - 025 Posted by Mikko @ 04:37 GMT

[image: jigsaw piece 025]
 
 

 
 
Intermittent performance spikes Posted by Mikko @ 04:11 GMT

The performance of www.microsoft.com continues to have smaller on-and-off spikes, depending on the monitoring station - as visible in this image:

[image: www.microsoft.com response-time graph]

More graphs from Rommon.


 
 

 
 
User Agents Posted by Mikko @ 03:44 GMT

Netcraft notes in their News section that technicians at www.microsoft.com have modified their web server to stop serving requests without User-Agent headers, apparently because DDoS requests do not have these headers while normal web browsers do.

We've also received reports that MSN Messenger service has had login problems.
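The header-presence rule described in this post and in "Holding steady" above, and the reason the Doomjuice.B header set listed above weakens it, as an added example (not Netcraft's, Microsoft's or F-Secure's code): a small request parser, the refuse-if-no-User-Agent check, and a per-source sliding-window rate limit added here as the header-independent fallback the posts do not describe. The sample requests, the Host value and the source address are constructed.

```python
from collections import defaultdict, deque


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into its request line and a header map.

    Header names are lower-cased; a request without the blank-line terminator
    is treated as all-headers, which is enough for a filtering decision.
    """
    head, _, _body = raw.partition('\r\n\r\n')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {'request_line': lines[0], 'headers': headers}


def allowed_by_user_agent_rule(req: dict) -> bool:
    """The rule Netcraft reported: refuse requests carrying no User-Agent header."""
    return bool(req['headers'].get('user-agent'))


class SourceRateLimiter:
    """Sliding-window cap on requests per source address (added fallback)."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)  # source -> request timestamps in window

    def allow(self, source_ip: str, now: float) -> bool:
        hits = self._hits[source_ip]
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


# Constructed sample requests; the Host value is a placeholder.
NO_USER_AGENT = 'GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n'
ROTATED_HEADERS = ('GET / HTTP/1.1\r\nHost: www.example.invalid\r\n'
                   'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n'
                   'Accept-Encoding: gzip, deflate\r\n'
                   'Accept-Language: en-us\r\n\r\n')


def accepted_from_one_source(raw_request: str, count: int, interval: float,
                             max_requests: int = 60, window_seconds: float = 10.0) -> int:
    """Replay `count` copies of one request from a single constructed source,
    `interval` seconds apart, through both checks; return how many get through."""
    limiter = SourceRateLimiter(max_requests, window_seconds)
    accepted = 0
    for i in range(count):
        req = parse_request(raw_request)
        if allowed_by_user_agent_rule(req) and limiter.allow('203.0.113.7', now=i * interval):
            accepted += 1
    return accepted


if __name__ == '__main__':
    print('no User-Agent, 200 in 2 s :', accepted_from_one_source(NO_USER_AGENT, 200, 0.01))
    print('rotated headers, 200 in 2 s:', accepted_from_one_source(ROTATED_HEADERS, 200, 0.01))
    print('rotated headers, 20 in 20 s:', accepted_from_one_source(ROTATED_HEADERS, 20, 1.0))
```

The first replay shows why the rule worked against Doomjuice.A, the second why the B variant's browser-like headers pass it unchanged, and the third that a rate cap leaves a browser-paced client alone while capping a flood from one address; a cap per source is of limited value against tens of thousands of sources, which is the post's point about the scale of the infection.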

 
 

 
 
Monday, February 9, 2004

 
More information on Doomjuice Posted by Mikko @ 22:05 GMT

We've posted a public notice on the Doomjuice case to our News section.

To quote: The motivation to distribute the source code of Mydoom.A seems to be simple. The authors know the police is looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive - without knowing it.

 
 

 
 
Graphs on the new attack Posted by Mikko @ 19:51 GMT

Some statistics on performance of www.microsoft.com are becoming available.

The spike apparently caused by the attack is clearly visible in Rommon graphs.


 
 

 
 
New worm found Posted by Mikko @ 19:35 GMT

A new and related worm has been found today. Doomjuice worm infects machines which are already infected by Mydoom.A. It does not spread over email at all.

Doomjuice launched an attack against www.microsoft.com, which might be responsible for the problems we mentioned earlier today.

More information on Doomjuice from F-Secure and LURHQ.

 
 

 
 
Strange problems with www.microsoft.com? Posted by Mikko @ 14:31 GMT

According to statistics at Netcraft, www.microsoft.com has been unexpectedly offline for several hours today.

There have been discussions on whether this had something to do with Mydoom.B, but we have no reason to suspect a connection here.

 
 

 
 
Jigsaw Piece - 018 Posted by Mikko @ 14:31 GMT

[image: jigsaw piece 018]
 
 

 
 
Thursday, February 5, 2004

 
One Week to Go Posted by Mikko @ 07:58 GMT

We now have seven days to go until the programmed expiration date of Mydoom.A. On the 12th of February it should stop both spreading and attacking www.sco.com. Most likely SCO will try to bring the site back online around that time.

SCO also seems to have taken www2.sco.com out of DNS:

   [c:\]host www2.sco.com
   Host www2.sco.com not found: 3(NXDOMAIN)

   [c:\]host www.sco.com
   Host www.sco.com not found: 3(NXDOMAIN)

   [c:\]host sco.com
   sco.com has address 216.250.128.21

 
 

 
 
Tuesday, February 3, 2004

 
Monitoring the Net Posted by Mikko @ 13:58 GMT

Two more places where you can monitor technical statistics on the sites related to the Mydoom attacks:

   http://www.rommon.net/rm-bin/mainmenu.pl?dbname=hunt;groupname=mydoom;mode=realtime
   http://uptime.netcraft.com/perf/reports/sco-alert@netcraft.com

The Microsoft site continues to be available OK.

 
 

 
 
Mydoom.B - No Visible Effects Posted by Mikko @ 08:12 GMT

It's now the 3rd of February – the activation date of the Mydoom.B variant. As forecasted, the attack has had no visible effects against www.microsoft.com.

If the B variant had become as widespread as A, this attack would have been very serious even against such a massive (and Akamai-hosted) site as www.microsoft.com. But it didn't.

 
 

 
 
Monday, February 2, 2004

 
No Changes Posted by Mikko @ 14:31 GMT

The attack is still going on. In fact, the number of attacking computers is constantly increasing, as infected corporate PCs are being booted after the weekend.

This doesn't make any difference to the end result, as www.sco.com is not online, and probably won't be coming back until February 12th.

Tomorrow, the 3rd of February, the Mydoom.B variant will start to attack www.microsoft.com – but as this variant is not widespread, we don't expect this to have any real effects. Microsoft won't be going down.

 
 

 
 
SCO Started a New Site Posted by Mikko @ 07:00 GMT

What we expected to happen already last week has happened: SCO announced an alternative domain name: www.thescogroup.com. The domain sco.com has also been changed to point to the same IP address (216.250.128.21). This site seems to be operating fine.

As such, this domain is not new; it was already operating in the fall of 2002. But apparently it's now the official address of SCO. Also notice that the domain thescogroup.net hosts a site opposing the actions of SCO.

 
 

 
 
Sunday, February 1, 2004

 
One More Note Posted by Mikko @ 21:00 GMT

One more note: it seems that SCO has dropped www.sco.com from DNS, meaning that it's not possible even in theory to connect to their website any more.

[c:\]host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)

[c:\]host www2.sco.com
www2.sco.com has address 216.250.128.33

[c:\]host sco.com
sco.com has address 216.250.128.12

[c:\]host ftp.sco.com
ftp.sco.com has address 216.250.128.13

 
 

 
 
End of Log for Today Posted by Mikko @ 19:45 GMT

We'll call it a night for now. The www.sco.com website is down and will stay down for now as a result of this large-scale attack.

Thanks for all the feedback we've received from you today. As always, you can reach us at: viruslab [at] f-secure.com.

Editor's Note: Weblog [at] F-Secure [.] com.

 
 

 
 
Effects to the Rest of the Net Posted by Mikko @ 16:00 GMT

As the attack started by Mydoom is a simple overload-the-website attack, it should have very little effect on the rest of the net. This simply is an extreme case of "slashdotting", where a site's traffic suddenly increases massively, overloading the server. And it will continue until the 12th of February, as the worm has been programmed to stop its operations then.

Another site that is monitoring the attack can be found at Keynote Systems.

News coverage at CNET.

 
 

 
 
Size of This Thing Posted by Mikko @ 12:30 GMT

We estimate the total number of infected computers to be over one million. Of those, only the computers that have been rebooted (or infected) today are actually attacking.

This is the biggest single DDoS attack ever.

 
 

 
 
Monday, February 2, 2004

 
Jigsaw Piece - 008 Posted by Gergo @ 10:52 GMT

[image: jigsaw piece 008]
 
 

 
 
Sunday, February 1, 2004

 
Jigsaw Piece - 007 Posted by Gergo @ 12:59 GMT

[image: jigsaw piece 007]
 
 

 
 
Images from the Attack Posted by Ero @ 10:24 GMT

The following images present the page retrieval times for different URLs related to SCO.

1 – www.sco.com retrieval times:

[image: www.sco.com retrieval-time graph]

2 – ir.sco.com retrieval times:

[image: ir.sco.com retrieval-time graph]

3 – www.sco.com/ibmlawsuit/ retrieval times:

[image: www.sco.com/ibmlawsuit/ retrieval-time graph]

 
 

 
 
www.sco.com Status Posted by Ero @ 10:11 GMT

Netcraft is providing up to date information on the status of the attack at this location.

Comments from SCO are available via this URL.

 
 

 
 
It's Sunday Posted by Mikko @ 08:05 GMT

F-Secure has been logging performance data for www.sco.com since last Tuesday – pretty much as soon as we found the attack code from the worm. We will be posting some graphs on this later today when things should get more interesting.

Also, there's more information on previous and current DDoS attacks on sco.com at Netcraft's News Section.

P.S. Right now www.sco.com seems to be unreachable from at least two of our monitoring points.