NEWS FROM THE LAB - Wednesday, August 18, 2004

Payload deactivated Posted by Mikko @ 10:46 GMT

We've received confirmation that the two websites used by Mydoom.S (richcolour.com and zenandjuice.com) have been cleaned and can't be used by the worm any more.

This means that when Mydoom.S infects a system, it will still be able to spread further via email...but it will fail to download the spam proxy to the infected system. Then again, if you were hit by this proxy trojan already, you wouldn't be reading this anyway, as it blocks access to www.f-secure.com from the infected computers.
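The post says the proxy trojan blocks infected machines from reaching www.f-secure.com but does not say how. A common way for malware of this era to do that is to add entries to the system hosts file that point vendor domains at a dead address, so a quick defensive check is to scan the hosts file for any entry naming a security vendor's domain. The script below is an added example, not code from the original post or from F-Secure; the hosts-file mechanism is an assumption, the hosts content is constructed, and the watched-domain list is illustrative.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example: assumes the block is done via the hosts file, which the
original post does not state. A clean hosts file normally contains only
loopback and local names, so any line naming a vendor domain is worth a look.
"""

# Domains an infected machine should still be able to reach for help/updates.
# Illustrative list; www.f-secure.com is the one the post mentions.
WATCHED_DOMAINS = {"f-secure.com", "www.f-secure.com"}

# Constructed sample: a normal loopback line plus a tampered-looking entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.f-secure.com f-secure.com   # <- not something a user adds
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines.

    A hosts line is 'address name [alias ...]' with optional '#' comment;
    tabs and multiple spaces are both valid separators.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()


def hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, address)] for every watched domain found in the file.

    Any mapping at all is reported: whether it points to loopback, to
    0.0.0.0 or to a real address, a vendor domain has no business being
    pinned in a hosts file.
    """
    hits = []
    for address, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + d) for d in watched):
            hits.append((name, address))
    return hits


if __name__ == "__main__":
    for name, addr in hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

On a real machine you would read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` into `hijacked_entries` instead of the constructed sample; the localhost lines are not reported because they are not in the watched set.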

Rich, the webmaster for http://www.richcolour.com, emailed us last night and confirmed he had taken down the files Mydoom.S downloads from his server. He was also surprised that no-one else had contacted him to warn him that his site had been taken over. We discussed how the files might have ended up there in the first place.

Before that, our guess had been that the bad boys had gained access to richcolour.com and zenandjuice.com via vulnerabilities in the web-based guestbooks they were running, as some of the files had been planted in paths such as /guestbook/temp/.

So, when Rich confirmed that he was running a guestbook called "Achims Guestbook", we visited the homepage for this software:

[Screenshot: Achim's Guestbook website]

So I guess we've found out how the spam proxy files were planted.

Mydoom.S won't install proxies anymore, but it still continues to spread...until next Friday. The email-spreading function will expire on August 20th, 2004.

In other news: Netsky.P is no longer the most common virus. It dropped to the #2 slot in our virus statistics some time last night...replaced by Zafi.B. Netsky.P held the "most common virus in the world" title for over four months, from early April 2004.