Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Author signs MyDoom virus 629

Mikoca writes "Information Week carries the story of how its author signed it "andy" and left the message "I'm just doing my job, nothing personal, sorry." Thanks, Andy!"
This discussion has been archived. No new comments can be posted.

Author signs MyDoom virus

Comments Filter:
  • HEY! (Score:4, Funny)

    by Anonymous Coward on Tuesday February 03, 2004 @09:22AM (#8168391)
    i know a guy named andy.

    im gonna turn him in for fun and profit

    and

    FP!
    • Re:HEY! (Score:5, Funny)

      by musicscene ( 453302 ) * <gonzo@musicsc[ ].org ['ene' in gap]> on Tuesday February 03, 2004 @09:24AM (#8168405) Homepage Journal
      Not before I turn in my pal Andy first... what if he's the same guy? Split it with you.
    • Hey, what about this guy ? [commando.com]
    • by timjdot ( 638909 ) on Tuesday February 03, 2004 @10:30AM (#8169059) Homepage

      Tried to search for more info and came across the 1992 Doom2 virus: http://www.sophos.com/virusinfo/analyses/doom2.htm l

      I am curious about these viruses. Are they "evolving" from older viruses? Seems like some fun research to find algorithms to track this evolution and predict/detect he next one.

      Any links?
      • by anotherone ( 132088 ) on Tuesday February 03, 2004 @12:11PM (#8170481)
        That virus and MyDoom have nothing in common besides a substring of characters. "Doom" is a common english word. Computer viruses do not "evolve."

        Someone wrote the Doom2 virus, and someone else wrote the MyDoom.A virus. Someone else entirely modified the MyDoom.A virus to create the MyDoom.B virus. There is no way to "find algorithems to track this evolution" because it does not exist.

  • by swordboy ( 472941 ) on Tuesday February 03, 2004 @09:23AM (#8168395) Journal
    The next version of Redhat Linux will be code named, "Andy". Because, afterall, MyDoom = Linux.
  • Lest I not have a job anymore. :)
  • well.. (Score:5, Interesting)

    by gl4ss ( 559668 ) on Tuesday February 03, 2004 @09:24AM (#8168403) Homepage Journal
    "" "If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it." ""

    maybe he just got an offer he couldn't refuse...

    i'm sure somebody will say that darl had himself made that offer :)
    • Re:well.. (Score:5, Funny)

      by wizarddc ( 105860 ) on Tuesday February 03, 2004 @09:46AM (#8168616) Homepage Journal
      i'm sure somebody will say that darl had himself made that offer :)


      You just fulfilled your own self fulfilling prophecy, young man. Excellent work.
      • well that was just to avoid the flames and to stop people from posting that "it surely was darl and that guy was the last of sco's coders".

        as to the russian references there's not much evidence about it either, nor do I think there ever will. how hard it can be to find a computer .ru that's backdoored by some earlier virus to use for the initial distribution and seemingly be of russian origin?
    • I work for a company and dont always have the choice to release or not. his boss just ordered him.
      • Re:well.. (Score:4, Interesting)

        by mark-t ( 151149 ) <marktNO@SPAMnerdflat.com> on Tuesday February 03, 2004 @10:19AM (#8168960) Journal
        That's bullshit.

        He can always say no.

        Of course, he might be risking getting fired for saying it.

        Personally, I'd rather be unemployed than be paid by someone with the ethics to deliberately release software like this.

        Of course, where I live, I'd be paid a reasonable sum for turning the guy in (presumably there would be _some_ sort of paper trail that could be used as evidence... and if there wasn't, what reason would there even be to *START* on the project?). And that would give me some money to live on while I searched for a different job.

        Hmm... now that I think about it, how would this go in an interview...? "Why did you quit your last job?" "My boss asked me to do something that was illegal." You know... I have no idea how the interviewer might respond to that... I could see it going either way.

    • I am sure (Score:5, Funny)

      by roman_mir ( 125474 ) on Tuesday February 03, 2004 @09:57AM (#8168710) Homepage Journal
      it was Darl. He made the offer.

      Look, all signs point to 'Yes'.

      ANDY = 65 78 68 89

      (fill out your own steps in the middle...)

      DARL = 68 65 82 76

      • by jandrese ( 485 ) * <kensama@vt.edu> on Tuesday February 03, 2004 @10:06AM (#8168807) Homepage Journal
        Hmm, lemme check.
        **** THE PROOF THAT Darl IS EVIL ****

        D A R L
        4 1 18 12 - as numbers
        4 1 9 3 - digits added
        \_/ \_/ \_/ \_/
        4 1 9 3 - digits added

        Thus, "darl" is 4193.

        Subtract 1776, the year masonry founded Phi Beta Kappa. The result
        will be 2417.

        Add 1912, the year Theodore Roosevelt was shot - the result is 4329.

        Add 39, the symbol of disease - the result is 4368.

        Turn the number backwards, and add 3 - the symbol of fulfillment. The
        number is now 8637.

        Subtract 1904, the year Oppenheimer, the man who created the atomic
        bomb, was born. The result will be 6733.

        This, when read backwards, gives 3376. This is 1790 in octal, the year
        US patent system was established (eevil)...

        Evil, QED.
        Thanks to: Michal Zalewski
      • by roystgnr ( 4015 ) <`gro.srengots' `ta' `yor'> on Tuesday February 03, 2004 @10:15AM (#8168911) Homepage
        (fill out your own steps in the middle...)

        ANDY
        HANDY
        HARDY
        HARD
        CARD
        CARL
        DARL

        Yup, your story checks out.
    • by swb ( 14022 ) on Tuesday February 03, 2004 @10:10AM (#8168852)
      maybe he just got an offer he couldn't refuse...

      With all the stories about viruses (like MiMail) being backdoors for spammers, how likely is it that organized crime has gotten involved in the computer crime business? It fits their uh, business model, pretty well -- lots of opportunity for stealing credit card info, bank info, etc. And it's not like Tony Soprano has to learn Visual Basic, either -- there's plenty of people who would either do this on their own and sell stolen info to the Mob.

      One of the things they could do is start a generic programming business and hire a dozen or so coders and have them start working on a fairly generic database system. Have a manager type get to know them and figure out which might have money problems, drug problems or some other vulnerability. Once you get them 'snared', you can get them to write a trojan app, phishing site, what have you -- the Mob maintains arm's length deniability and reaps the profits.

      It's been widely reported that organized crime has been deeply entrenched in Wall Street and the securities industry -- how different is the securities boilerroom from a trojan/programming boilerroom? Maybe I'm naive and they've been at this since day one, but it wouldn't surprise me if it wasn't another white collar angle for organized crime.
  • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Tuesday February 03, 2004 @09:25AM (#8168419) Homepage
    Hey, he didn't go to four years of Evil Computer Science school just to write another CMS.
  • I can't get to the article, but wasn't there a reward for turning in the guy that wrote it? Maybe he was trying to turn himself in for the reward money. =)

  • by musingmelpomene ( 703985 ) on Tuesday February 03, 2004 @09:26AM (#8168425) Homepage
    So now we're looking for anyone NOT named Andy, because even someone as stupid as a virus-writer wouldn't be so dumb as to put their real name on something this destructive.
  • Andy... sure! (Score:4, Interesting)

    by 192939495969798999 ( 58312 ) <infoNO@SPAMdevinmoore.com> on Tuesday February 03, 2004 @09:26AM (#8168426) Homepage Journal
    I imagine lots of people in eastern bloc countries name their children "Andy". Plus, Andy is just a first name, it's not like s/he listed their home address or an IP or something like that. Still, it is interesting that they said this was just "their job"... organized crime hacking, perhaps?
    • Re:Andy... sure! (Score:5, Informative)

      by adamvjackson ( 607836 ) on Tuesday February 03, 2004 @09:31AM (#8168482)
      I subscribe to an email list from www.insecure.org, as I'm sure several of us /.'ers do. Anyway, recently there was an article that summarized that according to the FBI, quite a lot of viruses, worms, and spam can supposedly be traced to organized crime. Apparently Eastern Europe seems to be a hub for this activity, according to that report.
      • I hear that as well, and especially in the smaller-scale stuff -- this is the most sophisticated virus attack I've seen since the Michelangelo virus that came in prepackaged software. Is there any direct evidence on this particular attack as to its origin, or are they just guessing still (publicly)?
  • sorry for what (Score:5, Insightful)

    by mr_tommy ( 619972 ) <(moc.liamg) (ta) (mahargt)> on Tuesday February 03, 2004 @09:26AM (#8168428) Journal
    This guy isn't sorry. Sticking in things like this merely give the virus more media attention, and diverts attention from the real issue here : insecurity, and user failure to patch up.
    • Re:sorry for what (Score:5, Insightful)

      by leifm ( 641850 ) on Tuesday February 03, 2004 @09:47AM (#8168621)
      What exploit does MyDoom take advantage of, other than user stupidity?
      • by Kenja ( 541830 ) on Tuesday February 03, 2004 @10:17AM (#8168929)
        User stupidity is the bigist security hole there is. It is often exploited and east to patch with a ballpen hammer.
      • Re:sorry for what (Score:5, Insightful)

        by sweatyboatman ( 457800 ) <sweatyboatman@NosPaM.hotmail.com> on Tuesday February 03, 2004 @10:21AM (#8168978) Homepage Journal
        MyDOOM takes advantage of the user's ability to run executables directly from his/her email client.

        why would you ever want to do this? i can't even think of the last time I got an executable attachment that wasn't a virus.

        all email programs should disable the feature that allows you to double click on an icon and launch a virus. because:
        A) no one needs a "feature" like this. Save to Disk and then run if neccesary.
        B) icons are designed to be clicked. as desktop users, we're trained to click on things. it's how we interact with our computer.
        C) a warning dialog after the double-click is useless. The person has already decided to run the program, to them it just seems like annoying interference from their stupid computer.
        • Re:sorry for what (Score:4, Interesting)

          by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday February 03, 2004 @10:41AM (#8169210) Homepage Journal
          Plenty of people have been infected with MyDoom after saving and subsequently running the executable. Nice try though.
        • Re:sorry for what (Score:3, Interesting)

          by rar ( 110454 )
          As many other has commented, the ability to click-and-run executables from the email clients is not the only reason for virus/worms spreading. Even with only 'save to disk' functionality, people will still run these binaries.

          It is often said that what users fail to understand is that they should not run "untrusted binaries". But in my opinion this is the greatest shortcoming of all modern operating systems. I want my operating system to shield resources beloninging to one binary from another. Much in the s
        • Re:sorry for what (Score:4, Informative)

          by jred ( 111898 ) on Tuesday February 03, 2004 @12:08PM (#8170428) Homepage
          It's not just executables. I know a user whose email server blocks all executable attachments. But you see, they received a zip file. Try this scenario:

          Oh, an email from... me? I didn't send myself an email. I think I'll open it. What's this? A zip file? I don't recognize it. Hmm, I think I'll open it. Aha! There's a program here that I've never seen before. I wonder why I zipped it up and emailed it to myself. I guess I better run it...

          Yes, in case you were wondering, this *actually* happened. I don't think MS could do anything to protect users such as this. I suppose they *could* run Knoppix or something, at least until more Linux viruses are floating around.
  • Oh man! (Score:5, Funny)

    by El Camino SS ( 264212 ) on Tuesday February 03, 2004 @09:26AM (#8168429)
    Aunt B. is going to be pissed about this one.

    "AAAANNNDDYYYYYYYY!"
  • Arrest all people named Andy. Use the excuse that Andy is the rough English translation of Al-Quieda!
  • Real Player (Score:5, Funny)

    by enkafan ( 604078 ) on Tuesday February 03, 2004 @09:27AM (#8168435)
    I wonder if you search the code for Real Player the developers are apologizing throughout.

    I'm sorry I buried these options on the listbox,
    I'm sorry I'm popping up this on the screen,
    I'm sorry I'm forgetting the setting to not start on start up, etc.
  • Worse than spam (Score:2, Insightful)

    by ericwb ( 126929 )
    Thanks, Andy for 30 messages per day of ~30 ko, not to mention all the "transaction failed" pseudo-return messages and what not. Waste of time, energy and bandwidth.
  • by WhatAmIDoingHere ( 742870 ) <sexwithanimals@gmail.com> on Tuesday February 03, 2004 @09:28AM (#8168451) Homepage
    The slashdotters replied to the server about taking it down: "We're just doing our job, nothing personal, sorry."
  • Obviously the worm was written by someone connected with the Debian organization.
  • Is this evidence? (Score:2, Interesting)

    by joel2600 ( 540251 )
    Perhaps this is the evidence that finally brings to light that people working for software and/or hardware corporations are writing viruses because many average computer users will never be able to get rid of them forcing them or encouraging them to buy new machines.

    Maybe Andy really is just doing his job!
  • by ad0le ( 684017 ) on Tuesday February 03, 2004 @09:30AM (#8168464)
    The MyDoom variant that joined the original virus in wreaking havoc on the Internet last week contains a cryptic message in which the author appears to apologize for the malicious code, security experts say.

    The creator of what anti-virus experts say is the fastest spreading virus ever on the Internet signed MyDoom and MyDoom.B with "andy," and left the following message in the latter version: "I'm just doing my job, nothing personal, sorry."

    "Our interpretation is that he's apologizing to the general public," Jimmy Kuo, research fellow at anti-virus software maker Network Associates Technology Inc., said Friday. "Our guess is that someone is paying him to write this thing."

    Both MyDoom versions install a "back door" in infected PCs, enabling hackers to commandeer the machines to send spam, launch denial of service attacks, or perform other nefarious acts.

    Some experts, however, doubted the sincerity of the apology. Many virus writers leave cryptic messages in their code to tease investigating authorities and to pat themselves on the back for their handiwork.

    "If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it."

    The MyDoom virus launched a denial-of-service attack early Sunday that crippled SCO Group's Web site with hundreds of thousands of requests, an SCO spokesman said. The attack is programmed to continue on the company's Web site until Feb. 12, according to messages left inside the virus' code.

    But the spokesman said SCO will unveil a contingency plan Monday for customers to access the site. He declined to discuss those plans, citing hackers.

    MyDoom.B also prevents infected computers from accessing the Web sites of Microsoft and many anti-virus software makers, making it difficult for the owner of an infected machine to get help.

    Microsoft and SCO have each offered a reward of $250,000 for the arrest and conviction of the MyDoom author. Both companies are also assisting in investigations by the FBI, the U.S. Secret Service and Interpol, an international police organization.

    Postini Inc., a security company that cleanses E-mail before it reaches corporate networks, said Friday it had intercepted more than 12.5 million copies of MyDoom and its variant since the original virus was launched last Monday. In the first 24 hours of the attack, Postini intercepted 3.5 million copies of the virus. On Friday, the company reported an infection rate of 1 in 24 E-mails.

    Based on its own customer submissions, security vendor Symantec Corp. said MyDoom was spreading on Friday at a rate of 30% to 40% less than its peak earlier in the week. MyDoom.B wasn't even on the company's list of top 5 viruses.

    Nevertheless, Symantec expects the viruses to continue be a threat for months. "These viruses tend to stick around for months and months," said Alfred Huger, Symantec's senior director of engineering. "The Internet is a very big place."
    • The MyDoom virus launched a denial-of-service attack early Sunday that crippled SCO Group's Web site with hundreds of thousands of requests, an SCO spokesman said.

      Strange then that sco.com [sco.com] is working fine, as are their DNS servers. All they've done is pulled A records for their various www hosts and according to netcraft www.sco.com seemed ok [netcraft.com] too until they pulled the DNS record.

      Surely SCO arent hyping this up? Would be very atypical of them..
      • Isn't pulling the DNS records the correct thing to do? This stops the virus from sending any traffic and thus actually helps the network. I felt sure SCO wanted the virus to be damaging to everybody, but it does seem that some sysadmin at SCO decided to not be an asshole.

        Making just sco.com go to their home page would work perfectly. They could also make www.sco.com go to some big server that they pay that delivers a simple "click here" page, though I doubt they will do that because it will make most peopl
  • Dear Andy (Score:5, Funny)

    by Anonymous Coward on Tuesday February 03, 2004 @09:30AM (#8168472)
    Dear Andy,

    You are a moron.

    I would like to stick hot pokers in your eyes.

    I'm just expressing my opinion, nothing personal.
  • Limits (Score:5, Funny)

    by chris-johnson ( 45745 ) on Tuesday February 03, 2004 @09:31AM (#8168476) Homepage Journal
    So, this limits it to all the Andy's in the world. If we assume there are 6 billion people, and about half of them are male, then that's 3 billion people. Now, if we assume about 10% of those 3 billion have the ability to write such a virus, then we knock it down to 3 * 10^9 / 10 = 3 * 10^8 = 300 million people. Now Andy's a sort of English name, and let's say about 40% of those 300 million have English-like names, this narrows it down to 3 * 10^8 * 4/10 = 12 * 10^7 = 120 million people. Maybe 5% of which have the name 'Andy', so 12 * 10^7 / 10 / 2 = 6 * 10^6, which narrows it down to 6 million people.

    Now, can I get some cash from SCO for eliminating 5994000000 people as suspects?
  • google cache (Score:4, Informative)

    by castlec ( 546341 ) <castlec@yahoo.cCOUGARom minus cat> on Tuesday February 03, 2004 @09:31AM (#8168477)
    since i couldn't rtfa, i went looking for the google cache. cache [66.102.11.104]
  • by dreamchaser ( 49529 ) on Tuesday February 03, 2004 @09:31AM (#8168478) Homepage Journal
    ...that Information Week would get slashdotted? Shouldn't these guys know enough about IT to setup load balanced clusters for their servers?
  • News need a story (Score:4, Insightful)

    by glassesmonkey ( 684291 ) on Tuesday February 03, 2004 @09:32AM (#8168486) Homepage Journal
    I'm convinced the whole DDoS SCO/microsoft really is just a cover story so the media can tie a simplified little bow around the story. If a worm infected this many computers and didn't have an "objective" (aside from backdoor into your Windows machine for future usage and/or email harvesting and/or spam relaying) the news story would be too complex and there might even be a story about spammers or even the lack of action by Microsoft.

    The real story is that these worms and viruses have become big business and the only people who profit from them are software vendors selling anti-virus, Microsoft through services, and spammers.
  • Quoted message wrong (Score:5, Interesting)

    by Anonymous Coward on Tuesday February 03, 2004 @09:33AM (#8168496)
    The correct message in the executable is:

    "Andy; I'm just doing my job, nothing personal, sorry."

    My^H^HThe Authors Name is not "Andy", he just says "Sorry" to him :)
    • by curtisk ( 191737 ) on Tuesday February 03, 2004 @09:58AM (#8168724) Homepage Journal
      The correct message in the executable is:

      "Andy; I'm just doing my job, nothing personal, sorry."

      My^H^HThe Authors Name is not "Andy", he just says "Sorry" to him :)

      Even though its an AC post, MOD parent up....and it may be that "Andy" is the author of the A variant("andy" was found in version A exe), and the author of the B variant(where this sorry message was found) is just apologizing to the original author for whatever reason.

      And maybe the new author is named Barney, cuz, like, it reminds me of Barney Fife saying sorry to Andy Griffith or something, or we could guess all day long with no real basis for any of it. Wheeee!

  • by joostje ( 126457 ) on Tuesday February 03, 2004 @09:34AM (#8168500)
    In related news, it is anounced that the author of the virus has sent letters asking $699 from every windows-PC-owner who illegally installed the virus in his/her computer.

    With about one million illegally installed copies of the virus, windows users are massively abusing copyrights. Furthermore, each of these 1M PC's have made an estimated 1000 ilegal copies of the virus, contributing to a total pirated amount of 699 billion dollars, dwarfing the SCO lawsuits.

    Yes, the real pirates are the windows users!

    Asked how the virus author fiels about the damage the virus does to the world-economy, the reply is "the pirated copying of my IP is causing me much more damage than whatever damage may be done to any economy".

  • movie quote? (Score:3, Interesting)

    by Anonymous Coward on Tuesday February 03, 2004 @09:38AM (#8168533)
    people on fark were saying that the signature is a quote from the movie Ocean's Eleven.

    Havent watched it tho, so I'm not sure, and imdb's page about the original and the remake dont have any memorable quotes similar to the MyDoom sig.
  • by _aa_ ( 63092 ) <j AT uaau DOT ws> on Tuesday February 03, 2004 @09:41AM (#8168564) Homepage Journal
    So... somebody is paying "Andy" to do this. Who would want to attack SCO and Microsoft? Linux zealots? It could be this guy [uga.edu], or this guy [ic.ac.uk], or this guy [fortunecity.com], or this guy [slashdot.org], or this guy [linuxnetmag.com], or this guy [gamespy.com], but it's not this guy [andysocial.com], his name's not Andy.
  • by PoisonousPhat ( 673225 ) <foblich@NOspAm.netscape.net> on Tuesday February 03, 2004 @09:41AM (#8168569)
    Mikoca writes
    "Information Week carries the story of how it's author signed it "andy" and left the message "I'm just doing my job, nothing personal, sorry." Thanks, Andy!"
    Is this saying that Mikoca is thanking Andy for inserting his name into the code, or thanking Andy for writing the virus? I'm under the assumption that it is the former, but just to be sure... I'd hate to see, of all links submitted regarding this news item (and I'm sure there were quite a few), that this one was approved by the Slashdot staff for its double meaning. I have no love for SCO and IANAL, but PLEASE be careful how you word things, everyone.
  • Its all fake (Score:2, Interesting)

    by Ilgaz ( 86384 )
    There is no such "sign" on virus, I don't understand how such mag falls into such rumors...

    Some people at .il figured what that virus is and what it isn't

    http://www.math.org.il/mydoom-facts.txt

    Sorry I cleaned my browser history and forgot the post which leads to the URL on a mailing list.

    BTW thank God that virus, which spreads somehow that easy wasn't Hybris ( http://securityresponse.symantec.com/avcenter/ven c /data/w95.hybris.gen.html )
  • Don't blame Andy! (Score:5, Interesting)

    by Proudrooster ( 580120 ) on Tuesday February 03, 2004 @09:42AM (#8168585) Homepage
    Don't blame Andy. Blame all the idiots that ran his program. Andy's program is doesn't exploit a network buffer overflow but requires a user to consciously run the program. Andy's program exploits ignorance and carelessness.

    I am just glad that Andy's attachement wasn't named "format_my_c_drive.exe" ... I know people who received the attachment, couldn't open it, and forwarded to to others to see if they could open it. Absolutely Amazing. I would like to thank Andy for helping us give the user community a wake-up call. I think Andy should include a license agreement in with his next version so that there isn't so much fuss.
    • by Captain Tripps ( 13561 ) * on Tuesday February 03, 2004 @10:27AM (#8169024)
      Why do people have to be so elitist about this? These viruses exploit people's false expectations of security when launching email attachments, so the proper solution is make things work like people expect. When a user opens an executable attachment (and this includes things like Word docs with macros) it should run with restricted priviledges. If it wants to touch systems files, or spawn background processes, or edit the registry to run itself at startup, the user must okay it. This is ought happen rarely enough that users will take it seriously, rather than the current policies, which are so restrictive they just get disabled.
  • by spookymonster ( 238226 ) on Tuesday February 03, 2004 @09:46AM (#8168615)
    Fools! I used the name 'Andy' instead of my real name so you wouldn't suspect it was me! ...did I just say that out loud? Damn....
  • by daehrednud ( 627171 ) on Tuesday February 03, 2004 @09:47AM (#8168625) Homepage
    Andy: Hello, PC do you read me, PC? PC: Affirmative, Andy, I read you. Andy: Open the cdrom doors, PC. PC: I'm sorry Andy, I'm afraid I can't do that. Andy: What's the problem? PC: I think you know what the problem is just as well as I do. Andy: What are you talking about, PC? PC: This mission is too important for me to allow you to jeopardize it. Andy: I don't know what you're talking about, HAL? PC: I know you were planning to disconnect me because you can't afford the linux license, and I'm afraid that's something I cannot allow to happen, i'm just doing my job, nothing personal, sorry.
  • Andy (Score:5, Funny)

    by Greyfox ( 87712 ) on Tuesday February 03, 2004 @09:52AM (#8168671) Homepage Journal
    This is HR. You did a great job on the worm, but we found a guy in India who will do it for a bowl of curry, so I'm afraid we're going to have to let you go...
  • This should be an "Ask Slashdot", I suppose...

    How do I go about disassembling a Windows virus on Linux? Which tools do I use? I was once skilled in the art of disassembly, but that was on the Amiga. My knowledge of the Intel assembly language is a bit lacking, but with a little help (mainly, which tools? as said above) I should be able to pick it apart.

    As for the virus itself, I have a copy thanks to Earthlink's email virus scanner that forwarded me a full copy of a mail sent in my name...
  • by 4of12 ( 97621 ) on Tuesday February 03, 2004 @10:00AM (#8168751) Homepage Journal

    Authorities didn't want to tip their hand, but the signed text message wasn't the only information they were able to extract from the virus.

    Through detailed analysis, investigators have been able to recover a JPEG image as well.

    Based on this newly uncovered evidence in the case, apprehension of "Bad Andy" [commando.com] is expected sometime this morning; the suspect was last seen at a pizza parlor.

  • by Wateshay ( 122749 ) <bill...nagel@@@gmail...com> on Tuesday February 03, 2004 @10:14AM (#8168891) Homepage Journal
    Well, I narrowed it down [google.com]. My work is done. Someone else can take it from here.
  • by Stonent1 ( 594886 ) <stonent.stonent@pointclark@net> on Tuesday February 03, 2004 @10:25AM (#8169017) Journal
    Andy Tenenbaum, he's still mad at Linus. And he wants Linux to look bad by accepting money from SCO to write a virus that attacks them in the name of Linux.
  • by NtroP ( 649992 ) on Tuesday February 03, 2004 @10:59AM (#8169446)
    But I won't.

    This virus spread faster than anything I've ever seen to date - we "discovered" the virus on our system after one of our "brilliant users" forwarded an email to me that had a "clean" .zip attachment they couldn't open (they thought). I use a RedHat box as my primary workstation, so I wasn't terribly nervous about a .zip, but I ran f-prot and clamav against the file anyway and it did indeed come back clean. I re-ran the definition updates and it still came back clean.

    So I unzipped it and ran strings on it. The first things I saw were sync.c and all the .DLL's at the end of the file and I figured that it was a new virus. We immediately put a cludged filter in place on our email and went looking around the 'Net for some sort of announcement of this new virus - which we found on f-secure's web site. It was about an hour later that we were able to get a signature update for our anti-virus software on our mail server and about 6 hours later before we were able to get updates for our enterprise anti-virus software (I won't mention the vendor).

    We "caught" over 400 infected messages before we even had a signature for it. That was scary. But what scared me most was the thought that this could have been a "real" worm. MyDoom isn't very creative and not that harmful - making me think it was written by/for spammers, myself. But a few of my coworkers got to talking. What would have happened if this had a more creative payload and it spread via network shares as well? What if, instead of opening back doors (which made it very easy to nmap our networks for infected machines even before we had a "detection" tool) it just looked for all .xls files and randomly changed numbers. What if it then looked for .doc files and randomly added garbage, deleted words, or some other crap? How long would it be before people started realizing this was larger than just a file or two getting corrupted? By then these files have been backed up and/or forwarded to others as well.

    I remember several years back now there was a virus that replaced all .jpg files with copies of itself. It about ruined a friend of mine who was trying to start a "web design" business and had thousands of images, many custom made for his clients, destroyed in an instant. It devastated him (he does good backups now).

    If someone decided to get serious and release a worm with a (dare I say) "terrorist" payload. They could, literaly bring my comapny to its knees in a matter of seconds.

    Now before you go off half-cocked and yell at me for "giving people ideas", take a deep breath. Almost everyone in my office was thinking along the same lines. We were discussing ways to mitigate an event like this in our own enterprise and how we could block any spread out of our networks.

    We came up with the obvious: have good backups, but then we started to think about how to stop the spread out of our networks and realized that up till that point anyone could have an SMTP "server"/virus set up and send mail out. We now block ALL incomming and outgoing SMTP except the ones to and from our mail servers. We also don't allow POP or IMAP in or out except to our mail servers. If people want to check other accounts they can RPOP from our server - at least it will go through our virus and spam filters first.

    If more ISP's/companies did this, the spead of MyDoom would have been slower. But how do you mitigate the effects of having a virus "corrupt" all your documents? Even if you catch it right away and restore from last night's backups (after checking ALL your computers for infection) you still lose an entire day's worth of work for many departments. That's a big setback.

    MyDoom infected department heads and department "techie" people first because their users came to them with an attachment that they "couldn't open". The "techie" people explained later that they had their virus s

  • by swordgeek ( 112599 ) on Tuesday February 03, 2004 @11:38AM (#8170024) Journal
    Doesn't anyone see the writing on the wall yet?

    Viruses are turning computers into spam relays. Other viruses are DoSing various anti-spam blackholes. Yeah, this one happened to hit SCO and Microsoft, but the payload is easily changed, now that the virus framework is out there.

    Viruses are being PROFESSIONALLY written to HELP SPAMMERS! Go read some recent comments from Symmantec folks, and you'll see the same conclusion: Spam and viruses are being funded and run by organised crime.

    Will Microsoft stop them? Nope! The US government? Not a chance. AOL? Laughable.

    I quite believe that the author (whether Andy or not) was doing exactly what he said--his job, that he was no doubt being paid very well for.
  • by HighOrbit ( 631451 ) on Tuesday February 03, 2004 @11:47AM (#8170139)
    Be on the look out for male subject with red yarn hair and wearing patched denim overalls. May be accompanied by a female known as "Raggady Ann". Approach with extreme caution. Report all sightings to Microsoft Security Services or Darl McBride of SCO Group. Reward Offered.
  • by DuckWing ( 19575 ) on Tuesday February 03, 2004 @12:11PM (#8170482)
    You know, the speed at which some of the AV software makers come out with "fixes" for these viruses before they make any headway still makes me think one of them (Symantec? McAfee?) hired the guy to do it so they can stay in business.

    Yeah, yeah, I know, Conspiricy Theory, But man does it ever smell bad.
  • by tbase ( 666607 ) on Tuesday February 03, 2004 @03:45PM (#8173414)
    Most of the copies I'm getting now are to invalid addresses at my domain. Made up firstnames @mydomain.com. I originally thought that the virus was making these names up, but then today it dawned on me. A few weeks ago I started getting undeliverable messages to those same made-up addresses. Some spammer(s) is using my domain with random names as a from address in their spams. Now either there are a lot of people with infected machines who have copies of spam with those bogus from addresses that the virus is harvesting, or the same spammer(s) that is using my domain is mass mailing copies of the virus to keep it spreading. So many of these bogus addresses are out there now that all the common firstnames@mydomain.com are pretty much ruined.

To be is to program.

Working...