SANS ISC: Doubleclick DDoS'd, W32.Zindos.A Microsoft DoS, FXMYDOOM Feedback - SANS Internet Storm Center
Doubleclick DDoS'd

Around 10:30 EDT, Doubleclick, a provider of web advertisements, started experiencing a massive denial-of-service attack on its DNS servers. This has caused a peripheral slowdown of other sites that use the Doubleclick service to serve ads on their web pages. Read more at:

http://www.washingtonpost.com/wp-dyn/articles/A18735-2004Jul27.html
W32.Zindos.A Microsoft DoS

The W32.Zindos.A worm, which infects machines via the backdoor that Backdoor.Zincite.A opens (itself delivered by MyDoom.M), performs a DoS against the microsoft.com domain. Because of buggy code, repeated re-infections by Zindos will cause an infected machine to become slow and unresponsive. For more information go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html
FXMYDOOM Feedback

A user wrote in stating that the FXMYDOOM program would not completely clean a system of all the processes. He gave the following steps to ensure a clean system.

1. Reboot into safe mode with networking support and sign in.

2. Run FXMYDOOM, downloadable from Symantec. Go on to step 3 while step 2 runs.

3. Visit the "Run" sections of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (full example path above) and delete any calls to:
a. Javavm

b. Services

c. Tray (which will have a path to ********.exe listed in the data field)
Norton's tool usually didn't catch the "javavm" or "tray" entries on PCs I worked on, so be on the lookout for them.


4. Once step 2 has completed, manually verify that javavm.exe and services.exe are no longer in %windir%.

5. Reboot into normal mode; ideally, the user should sign in. In the absence of the user, sign in yourself.

6. Once the boot completes and the taskbar fully loads, check the "Processes" tab to make sure there aren't any extra "services", "javavm", or "********.exe" files running. Note that it is normal to have one copy of "services" running on a PC. One copy, good. Two copies, bad.

7. Re-run step 2. Have the user contact you if it finds any instance of MyDoom on the PC.


---

John Bambenek, ISC Handler, jbamb -at- pentex-net.com

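As an added, read-only audit of the indicators named in steps 3, 4 and 6 above (this is an example written for this diary, not the FXMYDOOM tool and not the user's own procedure), the following PowerShell script lists the Run-key entries, the dropped files in %windir% and any duplicate "services" process that the steps tell you to look for; it deletes nothing. It assumes a PowerShell session on the machine being checked, and an elevated one if process paths are to be visible.

```powershell
# Read-only audit for the MyDoom/Zincite indicators listed in steps 3, 4 and 6 above.
# Added example; it is not the FXMYDOOM tool. It reports and never deletes.
$suspectNames = @('javavm', 'services', 'tray')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# Step 3: Run entries named javavm / services / tray, or whose data points at an
# executable sitting directly in %windir% (where the worm drops its copies).
$windirExe = [regex]::Escape($env:windir) + '\\[^\\]+\.exe'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($e in $entries.PSObject.Properties) {
        if ($e.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        $nameHit = $suspectNames -contains $e.Name.ToLower()
        $dataHit = "$($e.Value)" -match $windirExe
        if ($nameHit -or $dataHit) {
            $findings += "Run entry $key\$($e.Name) = $($e.Value)"
        }
    }
}

# Step 4: the worm's files in %windir%. The legitimate services.exe lives in
# System32, so a services.exe at the top of %windir% is itself suspicious.
foreach ($name in 'javavm.exe', 'services.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# Step 6: one 'services' process is normal; a second one, or one not started
# from System32, is not. Process paths are only visible in an elevated session.
$svc = @(Get-Process -Name services -ErrorAction SilentlyContinue)
if ($svc.Count -gt 1) { $findings += "$($svc.Count) 'services' processes running (expected 1)" }
foreach ($p in $svc) {
    if ($p.Path -and $p.Path -notlike (Join-Path $env:windir 'System32\*')) {
        $findings += "services.exe PID $($p.Id) runs from $($p.Path)"
    }
}

if ($findings.Count -eq 0) { 'No MyDoom indicators from the steps above were found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The %windir% pattern in step 3 is a heuristic: any Run entry launching an executable from the top of the Windows directory is reported, so review each finding before removing anything.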