Mydoom.f@mm

GovernmentSecurity.org > The Archives > General Network Security

MxMx

Feb 26 2004, 09:20 AM

The W32.Mydoom.F@mm worm:

Is a mass-mailing worm that opens a backdoor on TCP port 1080
Can download and execute arbitrary files
Will perform a Denial of Service (DoS) against www.microsoft.com and www.riaa.com, if the computer's local system date is between 17th and 22nd of any month.
Sets up a backdoor in an infected system, by opening TCP port 1080. This could allow an attacker to connect to a computer and use it as a proxy to gain access to its network resources.

is this port 1080 .. the same kind of port which mydoom.A opened?
I mean .. should the exploit of MyDoom.A work also on MyDoom.F?

thanks

Samkbc

Feb 26 2004, 09:36 AM

Im not sure if it will, as its on 1080. I have tried several but none work with the mydoom.a exploit, so correct me if im wrong, but I think it doesnt work with the same exploit.

MxMx

Feb 26 2004, 10:30 AM

ur right .. ive tested it ..
mhh I think I need the source code of the .F version to compile a exploit ..

zero-maitimax

Feb 26 2004, 11:04 AM

i have lookt at the source but the veluw name's has been change.. could be that's this is the problem?

MxMx

Feb 26 2004, 11:30 AM

I just need the trojan ..
its probably another code as Mydoom.A

D3ADLiN3

Feb 26 2004, 12:33 PM

isnt 1080 the socks proxy port?

riotz

Feb 26 2004, 12:55 PM

anyone with the binary ?

flashb4ck

Feb 26 2004, 12:56 PM

mydoom had his port on 3127 not 1080 i think ;D

cecrex

Feb 26 2004, 01:54 PM

MyDoom port is 3127..

Ash

Feb 26 2004, 04:02 PM

http://symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html

Black Flag

Feb 26 2004, 11:19 PM

yeah port 1080 is default socks proxy port, so scanning for port1080 wouldn't give you many positive results. however you could probably filter them out by use of banner scanning.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.


Help - Search - Member List - Calendar Full Version: Mydoom.f@mm GovernmentSecurity.org > The Archives > General Network Security MxMx Feb 26 2004, 09:20 AM The W32.Mydoom.F@mm worm: Is a mass-mailing worm that opens a backdoor on TCP port 1080 Can download and execute arbitrary files Will perform a Denial of Service (DoS) against www.microsoft.com and www.riaa.com, if the computer's local system date is between 17th and 22nd of any month. Sets up a backdoor in an infected system, by opening TCP port 1080. This could allow an attacker to connect to a computer and use it as a proxy to gain access to its network resources. is this port 1080 .. the same kind of port which mydoom.A opened? I mean .. should the exploit of MyDoom.A work also on MyDoom.F? thanks Samkbc Feb 26 2004, 09:36 AM Im not sure if it will, as its on 1080. I have tried several but none work with the mydoom.a exploit, so correct me if im wrong, but I think it doesnt work with the same exploit. MxMx Feb 26 2004, 10:30 AM ur right .. ive tested it .. mhh I think I need the source code of the .F version to compile a exploit .. zero-maitimax Feb 26 2004, 11:04 AM i have lookt at the source but the veluw name's has been change.. could be that's this is the problem? MxMx Feb 26 2004, 11:30 AM I just need the trojan .. its probably another code as Mydoom.A D3ADLiN3 Feb 26 2004, 12:33 PM isnt 1080 the socks proxy port? riotz Feb 26 2004, 12:55 PM anyone with the binary ? flashb4ck Feb 26 2004, 12:56 PM mydoom had his port on 3127 not 1080 i think ;D cecrex Feb 26 2004, 01:54 PM MyDoom port is 3127.. Ash Feb 26 2004, 04:02 PM http://symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html Black Flag Feb 26 2004, 11:19 PM yeah port 1080 is default socks proxy port, so scanning for port1080 wouldn't give you many positive results. however you could probably filter them out by use of banner scanning. This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.