Tag Archives: Morris worm

MyDoom Anniversary: Another Big Attack In The Offing?

Today’s the first anniversary of the MyDoom.A worm. According to an email I received earlier today from MessageLabs, ‘the world’s leading provider of email security services to business’, it was a day that “changed the virus landscape forever”:

27 January 2005 – At 13:26 on 26 January 2004, MessageLabs intercepted its first copy of W32/MyDoom.A. Within the first twenty-four hours, the company had stopped over 1.2 million copies. MyDoom.A, which achieved a peak infection rate of 1 in 12 emails, has proved to represent a landmark in the history of computer viruses, and the legacy lives on.

I’m not sure whether this is just a coincidence, but I’m told by folks at Network Box of a fresh attack by Bagle: “Depending on the next few hours, this could be a large attack,” says Network Box’s Quentin Heron:

Network Box Security Response is tracking several new variants of the Bagle Internet worm… We are seeing thousands of blocks on these variants, from dozens of sites in Hong Kong. We are checking worldwide infection rates at the moment, but this looks extensive.

For those of you who follow these things, the worm matches signatures from Kaspersky Labs of Email-Worm.Win32.Bagle.ax and Email-Worm.Win32.Bagle.ay.

I’ll keep you posted.

Korgo Clarified

More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.

F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.

Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong, but I think F-Secure means Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)

The thing here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, which is the payload: the part that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor left by the original worm. In Korgo’s case it is the latter, which is why a Korgo infection and a Padodor infection are two separate things to look for. So here F-Secure has mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.