MyDoom (was: Test)

Mark Komarinski mkomarinski at wayga.org
Mon Feb 2 10:52:28 EST 2004


On Mon, Feb 02, 2004 at 10:33:50AM -0500, bscott at ntisys.com wrote:
> > On Sun, 2004-02-01 at 16:06, jabr at blu.org wrote:
> > > Mail transaction failed. Partial message is available.
> 
> On Sun, 1 Feb 2004, at 11:04pm, jeff.macdonald at virtualbuilder.com wrote:
> > Is this the MyDoom worm/virus?
> 
>   Yup.
> 
>   It is worth pointing out that, like most such malware, the MyDoom worm
> forges the "From" address.  Whatever address is given in the "From:"  line
> is almost certainly not the address of whoever owns the computer that is
> actually compromised.  Thus, sending auto-responses to malware messages is
> especially frowned upon.

SPF would prevent a lot of this from happening, strangely enough.  The
mail would be rejected or intercepted as spam before it even hit Outlook.
Too bad TZO has no plans to support it in their records.

>   It is also worth pointing out that MyDoom is a trivial worm.  It does not
> exploit any software flaws or require any special privileges.  It depends on
> the user to extract and run the program, and all the attachment does is
> harvest email addresses and mail itself to those addresses.
 
It makes up email addresses too (I have to periodically clean out my
exim mail queue).

>   The reason this is significant is that there is absolutely no technical
> reason that this worm could not exist in the Macintosh or Unix worlds.  A
> simple Bourne shell script would likely suffice.  This is not a technology
> problem, but an education problem.  As long as people are in the habit of
> blindly believing whatever is emailed to them, this problem will exist.

For now I think it would be technically hard for this to happen.  I think
the greater danger is having some bit of OSS code be released that has
a trojan in it intentionally from the author.  This is one of the reasons
that I prefer getting code prepackaged from a distribution than rolling
my own.  But not all the software I use is available this way.

-Mark
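
Added example, not part of the original message: a minimal sketch of the SPF check mentioned above, in which the receiving server compares the connecting IP with the record published for the envelope sender's domain. The records, domains and addresses are constructed, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed SPF TXT records, keyed by domain (stand-in for a DNS lookup).
SAMPLE_SPF = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SAMPLE_SPF):
    """Return the SPF result for a connecting IP and an envelope sender.

    SPF is evaluated against the SMTP envelope sender (MAIL FROM),
    not the "From:" header shown to the user.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy

    for term in terms[1:]:
        # An optional leading qualifier decides the result on a match.
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address is treated as a single-host network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect etc. need DNS and are out of scope here.
        raise NotImplementedError(f"mechanism not handled in this sketch: {term}")

    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    # Constructed cases: a listed mail server, then an unlisted host
    # sending with a forged sender in the same domain.
    print(check_spf("192.0.2.10", "alice@example.org"))
    print(check_spf("203.0.113.200", "alice@example.org"))
```

A receiver that rejects on "fail" would turn away the second message during the SMTP transaction, before any bounce or auto-response is generated.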