Tuesday, 10 February 2004

[Tech] Third variant of MyDoom


MyDoom.C, also known as Doomjuice, is believed to be responsible for some of the malfunctions observed on Microsoft's web servers between Sunday afternoon and Monday morning.

Unlike the previous versions, the new variant of the virus neither spreads via e-mail nor opens a backdoor on the infected computer; instead it scans networked computers looking for an open, listening TCP port 3127. Once it finds a computer with the right characteristics, it transfers a copy of itself into the target PC's Windows folder, under the name intrenat.exe, and also creates several copies of a file named sync-src-1.00.tbz in various subfolders of the hard disk.
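
Because the worm only spreads by probing for TCP port 3127 and then dropping two files with fixed names, both behaviours are easy to look for on the defender's side. The following is an added example, not code from the article or from eWeek, that does exactly that over constructed data: it picks out internal hosts contacting many distinct neighbours on TCP/3127 in a simplified firewall log (the `src=... dst=... proto=... dport=...` format and the threshold of 5 distinct targets are assumptions), checks a list of file paths against the two dropped-file names mentioned above, and tells you whether a timestamp falls in the Feb. 8-12 window during which the article says the denial-of-service routine is armed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Port the MyDoom.A backdoor listens on; MyDoom.C scans the network for it.
MYDOOM_BACKDOOR_PORT = 3127

# File names the article reports MyDoom.C writes to an infected machine.
DROPPED_FILE_NAMES = {"intrenat.exe", "sync-src-1.00.tbz"}

# Constructed sample log. The field layout is an assumption for this example,
# not the format of any particular firewall product.
SAMPLE_FIREWALL_LOG = """\
2004-02-09T02:14:01 src=10.0.5.17 dst=10.0.5.20 proto=tcp dport=3127 action=allow
2004-02-09T02:14:01 src=10.0.5.17 dst=10.0.5.21 proto=tcp dport=3127 action=deny
2004-02-09T02:14:02 src=10.0.5.17 dst=10.0.5.22 proto=tcp dport=3127 action=deny
2004-02-09T02:14:02 src=10.0.5.17 dst=10.0.5.23 proto=tcp dport=3127 action=deny
2004-02-09T02:14:03 src=10.0.5.17 dst=10.0.5.24 proto=tcp dport=3127 action=deny
2004-02-09T02:14:03 src=10.0.5.17 dst=10.0.5.25 proto=tcp dport=3127 action=deny
2004-02-09T02:14:05 src=10.0.5.40 dst=10.0.5.20 proto=tcp dport=3127 action=allow
2004-02-09T02:14:06 src=10.0.5.40 dst=10.0.5.21 proto=tcp dport=3127 action=deny
2004-02-09T02:14:07 src=10.0.5.40 dst=10.0.5.22 proto=udp dport=3127 action=deny
2004-02-09T02:15:00 src=10.0.5.33 dst=10.0.5.20 proto=tcp dport=80 action=allow
2004-02-09T02:15:01 src=10.0.5.33 dst=10.0.5.21 proto=tcp dport=445 action=allow
"""

# Constructed sample of paths as a host inventory script might report them.
SAMPLE_PATHS = [
    r"C:\WINDOWS\intrenat.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Program Files\Shared\sync-src-1.00.tbz",
    r"C:\temp\Sync-Src-1.00.TBZ",
    r"C:\Documents and Settings\user\sync-src-1.01.tbz",
]

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)")


def find_port_scanners(log_text, port=MYDOOM_BACKDOOR_PORT, threshold=5):
    """Return {src: set(dst)} for sources that touched >= threshold distinct
    hosts on TCP `port`. A single backdoor check from one host is not
    interesting; fanning out across the subnet is the worm's signature."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        src, dst, proto, dport = m.groups()
        if proto.lower() == "tcp" and int(dport) == port:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


def find_dropped_files(paths, names=DROPPED_FILE_NAMES):
    """Return the paths whose file name matches a known dropped-file name.
    Comparison is case-insensitive because NTFS/FAT are, and both
    backslash and slash separators are accepted."""
    hits = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in names:
            hits.append(p)
    return hits


def in_dos_window(timestamp, start=(2, 8), end=(2, 12)):
    """True if the ISO-8601 timestamp falls in the Feb. 8-12 window in which,
    per the article, the worm arms its denial-of-service thread."""
    dt = datetime.fromisoformat(timestamp)
    return start <= (dt.month, dt.day) <= end


if __name__ == "__main__":
    for src, dsts in find_port_scanners(SAMPLE_FIREWALL_LOG).items():
        print(f"possible MyDoom.C scanner {src}: {len(dsts)} hosts probed on tcp/{MYDOOM_BACKDOOR_PORT}")
    for path in find_dropped_files(SAMPLE_PATHS):
        print(f"dropped-file indicator: {path}")
    print("DoS window active:", in_dos_window("2004-02-09T02:14:01"))
```

With the sample data, 10.0.5.17 is reported as a scanner (six distinct targets), 10.0.5.40 is not (two TCP probes; its UDP line is ignored), and three of the five paths match the dropped-file names. The distinct-destination count matters more than raw connection volume: a host that legitimately talks to one 3127 listener will not cross the threshold, while an infected host sweeping a subnet will.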
"The risk presented by Mydoom.C needs to be tempered with the fact it is easily foiled by protection available from as early as two weeks ago. The fact the worm preys on existing Mydoom infected computers is much like a flock of vultures circling around an unfortunate soul about to succumb to the elements in that it is picking through scraps," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc. of Islandia, N.Y.

"A better takeaway from this low-risk threat, is that computer users cannot treat the risk from malware as an episodic situation based on a specific virus event," Hameroff continued. "Instead, they need to treat the cause, be it social engineering or outdated virus definition updates, not an individual flare-up."

However, iDefense was pessimistic on the outlook for controlling MyDoom.C. Company officials said, "Mydoom.C has the potential of spreading to 500,000 or more computers easily in the first week, hijacking Mydoom.A infected computers."

MyDoom.C does have the ability to launch a denial-of-service attack against Microsoft's main Web site, which experienced some severe performance problems overnight Sunday and again Monday morning, according to data compiled by Netcraft Ltd. If the worm is started between Feb. 8 and Feb. 12, it starts a thread that sleeps for a random amount of time and then spawns 80 threads that begin requesting pages from Microsoft.com at once. MyDoom.C does not try to attack The SCO Group's Web site, however, as the two previous versions did.

Source: eWeek.


