  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
Google search is down
Being discussed over in the General Questions forum. Possible issue with MyDoom causing problems with Google.com not being able to resolve host names.
© 1995-2004 Symantec Corporation. All rights reserved.
W32.Mydoom.M@mm Discovered on: July 26, 2004 Last Updated on: July 26, 2004 04:10:53 PM
W32.Mydoom.M@mm is a mass-mailing worm that opens a backdoor and uses its own SMTP engine to spread through email.
The worm is packed using UPX.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX
Virus Definitions (Intelligent Updater) * July 26, 2004
Virus Definitions (LiveUpdate) ** July 26, 2004
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild: Medium
Damage: Medium
Distribution: High
Damage
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Yes
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
When W32.Mydoom.M@mm is executed, it performs the following actions:
Copies itself as:
%Windir%\java.exe
%Windir%\services.exe
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Adds the values:
"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\java.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it will load when Windows starts.
May create the following files for logging purposes:
%Temp%\zincite.log
%Temp%\[randomly named file].log
Attempts to copy itself to all folders whose names contain the following strings:
USERPROFILE
yahoo.com
Gathers email addresses from files with the following extensions:
.doc
.txt
.htm
.html
When the worm finds an open Outlook window, it will attempt to send itself to email addresses it found.
The email has the following characteristics:
From: The From address will be spoofed.
Subject: (One of the following)
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Body: The message body will be as follows, where one of each phrase/word in brackets will appear:
Dear user {[To address of mail]|of [domain of To address]},{ {{M|m}ail {system|server} administrator|administration} of [domain of To address] would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||} {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week. {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server. {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe. {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {[domain of To address] {user |technical |}support team.|The [domain of To address] {support |}team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}: Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message {was not|could not be} delivered within [random number] days: {{{Mail s|S}erver}|Host} [host used to send mail] is not responding. The following recipients {did|could} not receive this message:
Please reply to postmaster@{[domain of From address]|[domain of To address]} if you feel this message to be in error. The original message was received at [current time]{ | }from {[domain of From address] [[host used to send mail]]|{[host used to send mail]|[[host used to send mail]]}} ----- The following addresses had permanent fatal errors ----- {|[To address of mail]} {----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{[domain of To address].|[host used to send mail]}: {>>> MAIL F{rom|ROM}:[From address of mail] ... {Mail quota exceeded|Message is too large} 554 ... Service unavailable|550 5.1.2 ... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [[host used to send mail]] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To: ... {User unknown|Invalid recipient|Not known here}}|>>> DATA { Run. Type regedit
Then click OK.
Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the values:
"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\java.exe"
Exit the Registry Editor.
Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."
Write-up by: John Canavan
-- One man's customer loyalty is another man's misguided arrogance.
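A defender-side check for the persistence mechanism in the write-up above, added here as an example (it is not Symantec's tool and not part of the original post). It parses a constructed .reg export of the HKCU Run key and flags the two value names from the write-up when they launch services.exe or java.exe straight from %Windir%; the real services.exe lives in System32, so that location alone is the tell. The "Updater" entry in the sample is a constructed benign neighbour.

```python
import re
import ntpath  # Windows path semantics regardless of the host running the check

# Constructed sample .reg export of the Run key on a hypothetical infected host:
# "Services"/"JavaVM" are the values from the write-up; "Updater" is a constructed
# benign neighbour (with arguments) to show it is left alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\updater.exe /background"
"Services"="C:\\WINDOWS\\services.exe"
"JavaVM"="C:\\WINDOWS\\java.exe"
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Value name -> file the worm drops in %Windir% and points that value at.
MYDOOM_RUN_VALUES = {"Services": "services.exe", "JavaVM": "java.exe"}

def parse_run_values(reg_text):
    """Return {value_name: data} for the HKCU Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg files escape backslashes; undo that to recover the real path.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def find_mydoom_persistence(run_values, windir=r"C:\WINDOWS"):
    """Return (value_name, path) for Run values launching services.exe or java.exe
    straight from %Windir%. The real services.exe lives in System32 under %Windir%,
    so a "Services" or "JavaVM" value one level up is the write-up's indicator."""
    hits = []
    for name, data in run_values.items():
        expected = MYDOOM_RUN_VALUES.get(name)
        if expected is None:
            continue
        exe = data.split(" /")[0].strip('"')  # crude: drop trailing switches
        if ntpath.normcase(exe) == ntpath.normcase(ntpath.join(windir, expected)):
            hits.append((name, exe))
    return hits

if __name__ == "__main__":
    for name, path in find_mydoom_persistence(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f"Mydoom.M persistence: {RUN_KEY}\\{name} -> {path}")
```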
LazyTT Premium join:2003-08-10 Brooklyn, NY
has this ever happened b4?
  djtim21 It's all good Premium join:2003-12-22 Buffalo Grove, IL clubs:
reply to Greg_Z
I have no problem contacting this site, or doing a search on Google's site. Maybe it is an issue with your ISP and it slowing down their DNS servers? Or even slowing down your ISP connection with the amount of traffic?
There could be a lot of different factors on this one.
sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs:
reply to Greg_Z
I've been doing Google searches all morning with no problems.
sash
 B Premium,MVM join:2000-10-28
reply to djtim21
Interesting. Apparently Google is purposely limiting certain searches due to this issue. (I don't think they have a "problem" resolving anything; they're just trying to limit the damage of the worm.)
If a domain is popular for e-mail address fishing (hotmail.com) Google displays the above right now. For other domains it works as usual.
Too bad really, for legitimate searchers.
-- B -- In a realm outside causality and function
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
2 edits
reply to Greg_Z
I ran through all of these with only two areas not accessible:
»www.google.com/options/ some functions out here
»www.google.com/help/operators.html
»froogle.google.com/
»news.google.com/
»www.google.com/help/features.htm···initions - Glossary appears down
»labs.google.com/gviewer.html - Viewer appears down
»images.google.com/webhp?tab=iw&q···-8&hl=en
»www.google.com/advanced_search
»groups.google.com/
»www.google.com/microsoft.html
»groups.google.com/options/universities.html
»www.google.com/help/features.html#calculator
»images.google.com/imghp?hl=en
»labs.google.com/
»www.google.com/language_tools
»www.google.com/options/defaults.html
»labs.google.com/sets
»dmiessler.com/study/google/index.html (in answer to B - this is in my Google "how-to," and not on Google.)
»labs.google.com/cgi-bin/webquotes
-- Security Forum FAQs ..♥.. AV Complaints? ..♥.. Raj karega Khalsa! ..♥.. SP2 News
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I just did a Google search and it worked fine for me.
Is there actual evidence that Mydoom is responsible? So far none of the writeups I've read on the worm mention anything about it affecting Google. But then since other Mydoom variants have had DDoS attack code within them, maybe this one does too? Maybe I should dismantle my sample and take a look see...
-- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
B Premium,MVM join:2000-10-28
reply to Sparrow
Uh, that list doesn't have much to do with it -- it's Google search results that are at issue. (And one of your tests is NOT on Google's domain!)
-- B -- In a realm outside causality and function
 B Premium,MVM join:2000-10-28
1 edit
Guys, bmw left out the link to the other thread, where more explanation is available:
»Google issues (search down?)?
Brand new Slashdot thread at »slashdot.org/articles/04/07/26/1···17&tid=1
-- B -- In a realm outside causality and function
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
reply to Greg_Z
Could this have some bearing? "Cross Site Scripting (XSS) on Google, Altavista, Excite.com, Yahoo etc" »seclists.org/lists/fulldisclosur···128.html
"There is an XSS vulnerability to all the major search engines, and not only, web sites. To be honest the following is a very small list of the "funny" XSS vulnerability that people don't pay the needed attention. The XSS vuln is inherited to anyone who is using these search engines, often there is no need to try and find a flaw in their web service directly but you can have the same result with indirect digging.
In the following list the most usual approach is javascript poisoning inside the tag. Search engines (and not only) tend to do input/output validation on the searched keyword only inside and not before, so there you go, you just have to do and write your stuff, or sometimes not even that..."
Cudni
-- Would you Adam and Eve it? Help yourself so God can help you..it does exactly what it says on the sig
Fobulous Premium join:2002-08-14 Missouri City, TX clubs:
reply to Greg_Z
Google search is still down at 1:00pm CST
  Murray3
join:2001-03-06 Texas
said by Fobulous: Google search is still down at 1:00pm CST
Not where I'm at. Google working fine here.
Guess this is a geographically-based issue.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to Greg_Z
Problems hit Google's UK service
Only some UK users seem to be affected
Staff at net search engine giant, Google, are trying to find out why its UK website is not working properly. Google in the UK confirmed that a number of users were experiencing problems with the service.
A US-based net security firm, Sans Institute, says the problems are being caused by a new variant of the MyDoom computer virus.
The search engine is one of the most popular on the net, dealing with 200 million global queries a day.
Huge index
First reports of the problems with the UK service started emerging at around 1530 GMT (1630 BST).
Instead of getting a page of results, some users have been confronted with a server error instead. It is not yet clear how widespread the problem is.
Sans chief technical officer, Johannes Ullrich, told the BBC it appeared that the search engine was being overwhelmed by requests generated by the MyDoom virus.
Google is one of several search engines used by MyDoom to find valid e-mail addresses on the net. Past versions of the virus only searched a user's own computer or address list.
He added that some US users were also being affected.
The MyDoom-O variant spreads in the form of an e-mail attachment.
The attached message pretends to be from the user's net provider's or company's support team saying that their PC has been used by hackers to send spam.
"This worm plays on that fear and pretends that users have already been hacked and exploited by spammers," said Graham Cluley, senior technology consultant for anti-virus firm Sophos.
"All computer users should keep their anti-virus up-to-date and ensure they never launch an unsolicited e-mail attachment."
»news.bbc.co.uk/2/hi/technology/3927963.stm
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/
 NexusUK
join:2004-06-22 United Kingd
reply to Murray3
Sky News UK are reporting it as a part of a "wider" issue, stating that an "internet" monitor is reporting a slowdown across the net.
Now I am over the road from Sky headquarters and I have no issues at all with Google. Everything fine with .uk, .com, even .fr.
Is this related to Internet Explorer only?
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
said by NexusUK: Sky News UK are reporting it as a part of a "wider" issue, stating that an "internet" monitor is reporting a slowdown across the net.
Now I am over the road from Sky headquarters and I have no issues at all with Google. Everything fine with .uk, .com, even .fr.
Is this related to Internet Explorer only?
No. It does not matter what browser you are using; MyDoom is using Windows vulnerabilities on unpatched machines connected to the web.
-- One man's customer loyalty is another man's misguided arrogance.
P Ness You'Ve Forgotten 9-11 Already Premium join:2001-08-29 Mineola, NY clubs:
reply to sashwa
Maybe someone did not like the $130.00 a share price of the IPO?
  dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA
·Verizon Online DSL
reply to sashwa
said by sashwa: I've been doing Google searches all morning with no problems.
sash
Ditto here, no problems so far today.
-- Write your questions down on the back of a $20 dollar bill and send them to me
  sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs: 
·Comcast
Well you answered my question...lol. dadkins and I were wondering if this was an East Coast problem but you're in PA so I guess not.
sash
-- Visit the San Francisco Bay Area Forum
kw Premium join:2004-06-12
reply to Greg_Z
It seems to be blocking stuff with 'mail'.com in them. It blocked:
apexmail.com
mail.yahoo.com
hotmail.com
but let 'something.com'
...Google's crazy..
-- Chuck Norris is stupid.
  evilpeppard Always Fight For Freedom Premium join:2003-08-20 Aurora, CO clubs: 
reply to Greg_Z
Google Search Error
In Denver, CO