anti malware malware
Posted by Big Will on February 13th, 2004


Well, somebody suggested earlier in this newsgroup that someone ought to
create a worm that would uninstall MyDoom. Well, it's happening.
First, there was Doomjuice. Now I'm reading on Symantec's website about
Doomhunter and W32.HLLW.Deadhat.B, both of which will install themselves
on an infected computer, then disinfect the MyDoom virus. WTF. Can't
the VX-ers come up with something a little more original than this?

--
William

If it don't work, hit it.
If it still doesn't work, kick it.
If it works after hitting it and kicking it, then it doesn't matter if
hitting it or kicking it helped, what's important is it worked.

Posted by sam1967@hetnet.nl on February 13th, 2004


On Fri, 13 Feb 2004 01:32:06 -0800, Big Will
<spamWspamispamlspamlspamBspam4spamespamvspaaaamme spammityrspam@nidontlikespametzero.net>
wrote:

It surely isn't VX-ers behind these "white worms" now, is it?


Posted by kurt wismer on February 13th, 2004


sam1967@hetnet.nl wrote:

sure it is... who did you think was behind it?

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

Posted by Markus Zingg on February 13th, 2004


Was probably me "earlier in this newsgroup", but the idea is not so
new really.

Honestly, as long as those specific worms don't spread by e-mail I
don't care too much. Of course, provided this does not lead to attacking
machines which are not already infected! And, provided one is lucky
enough to be caught by a "white" worm, would that not still be better
than if those machines get to know Doomjuice?

I fully agree though that people should run AV software on their
machines and otherwise take care not to get caught by malware. Still,
there is the fact that there are thousands upon thousands of machines out
there now with an open backdoor - thanks to MyDoom.A.

It's obvious that many people will try to abuse all those machines.
Not really too surprising - whether we like it or not.

Markus

Posted by sam1967@hetnet.nl on February 13th, 2004


On Fri, 13 Feb 2004 10:42:17 -0500, kurt wismer <kurtw@sympatico.ca>
wrote:

It makes no logical sense for them to download M$ patches to the
infected machines and remove all traces of MyDoom, does it?
Who is behind it? God knows.

Posted by kurt wismer on February 13th, 2004


sam1967@hetnet.nl wrote:
patches? what patches? mydoom doesn't use any bugs in windows, there
are no patches...

does it make sense for the vx to make a worm or virus that disinfects
mydoom? sure it does... some vx'ers compete with each other, some have
rivalries, and some think they can make 'good' viruses and/or worms...
it's happened in the past, it will most likely happen again in the
future...

also, don't assume people (vx'ers included) always behave in a
'logical' manner...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

Posted by sam1967@hetnet.nl on February 13th, 2004


On Fri, 13 Feb 2004 12:21:27 -0500, kurt wismer <kurtw@sympatico.ca>
wrote:

i was referring to Nachia-B (Welchia-B) which makes use of the various
RPC bugs to propagate and once propagated downloads patches to the
computer (only English, Korean and Chinese - not Japanese) and applies
them.

http://securityresponse.symantec.com...ia.b.worm.html

Downloads one of the following patches from Microsoft's Windows Update
Web site, if the version of the operating system of the infected
machine is Chinese, Korean, or English:

download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

Installs the patch, and then restarts the computer.
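The Symantec description quoted in the post above gives one concrete, network-visible artifact of Welchia.B's "cleanup" phase: an infected host fetches one of six exact patch files from download.microsoft.com. The following is an added example (editor's code, not from the thread or from Symantec) that turns that list into a detection check over proxy logs. The log line format (timestamp, client IP, method, URL, status) and the sample log lines are constructed for the example; the URL list is the one from the writeup, and the filename convention <OS>-KB<number>-x86-<locale>.exe is read off those six URLs.

```python
"""Flag proxy-log requests for the exact Microsoft patch files that the
Symantec writeup says Welchia.B downloads after it infects a host.

Added example, not part of the original thread. The proxy log format
below is an assumption made for the example."""
import re
from urllib.parse import urlparse

# The six download URLs from the Symantec description (it lists them
# without a scheme, so they are stored as host + path).
WELCHIA_B_PATCH_URLS = (
    "download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe",
    "download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe",
    "download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe",
    "download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe",
    "download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe",
    "download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe",
)

# Filename convention visible in the list: <OS>-KB<number>-x86-<locale>.exe
PATCH_NAME_RE = re.compile(r"/(Windows(?:XP|2000))-KB(\d+)-x86-([A-Z]{3})\.exe$")

# Assumed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|CONNECT)\s+(\S+)\s+(\d{3})$")

# Constructed sample log. Host 10.0.0.7 and 10.0.0.9 fetch two of the six
# files; the last line is a Japanese (JPN) build the worm never requests,
# with a made-up GUID, so it must NOT match.
SAMPLE_PROXY_LOG = """\
2004-02-13T10:42:17 10.0.0.7 GET http://download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe 200
2004-02-13T10:42:19 10.0.0.7 GET http://www.example.com/index.html 200
2004-02-13T10:43:02 10.0.0.9 GET http://download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe 200
2004-02-13T10:44:00 10.0.0.12 GET http://download.microsoft.com/download/0/0/0/00000000-0000-0000-0000-000000000000/WindowsXP-KB828035-x86-JPN.exe 404
"""


def describe_patch(url):
    """Return (os, kb, locale) if url is exactly one of the six Welchia.B
    patch downloads (host + path compared verbatim), else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    hostpath = parsed.netloc.lower() + parsed.path
    if hostpath not in WELCHIA_B_PATCH_URLS:
        return None
    m = PATCH_NAME_RE.search(parsed.path)
    return (m.group(1), "KB" + m.group(2), m.group(3))


def detect_welchia_patch_fetches(log_text):
    """Scan proxy log text and return one record per request for a
    Welchia.B patch file. Malformed lines are skipped, not raised on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        patch = describe_patch(url)
        if patch is None:
            continue
        hits.append({
            "time": ts,
            "client": client,
            "os": patch[0],
            "kb": patch[1],
            "locale": patch[2],
            "status": int(status),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_welchia_patch_fetches(SAMPLE_PROXY_LOG):
        print("{time} {client} fetched {os} {kb} ({locale}) status={status}".format(**hit))
```

A request for one of these files is an indicator, not proof: nothing in the writeup says the worm's download looks different on the wire from a legitimate Windows Update fetch of the same file, so treat a hit as something to correlate with the other Welchia.B behaviour described (the RPC exploitation, the reboot) rather than as a verdict on its own. The JPN line in the sample shows the other side of the same fact: because the match is on the exact URLs, a Japanese system that the worm leaves unpatched produces no hit, which is consistent with the poster's note that only English, Korean and Chinese builds get patched.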





Posted by kurt wismer on February 13th, 2004


sam1967@hetnet.nl wrote:
ok, but those patches have nothing to do with mydoom (the only thing
mydoom exploits is user gullibility and there's no patch for that)...
nor do they have anything to do with the security holes that welchia.b
itself exploits... i have no idea why the worm applies the patches it
does, but i see no reason to believe that it was the work of anyone
outside of the vx...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

Posted by sam1967@hetnet.nl on February 13th, 2004


On Fri, 13 Feb 2004 14:30:47 -0500, kurt wismer <kurtw@sympatico.ca>
wrote:

True. But Welchia-B (Nachia-B) cleans up MyDoom from infected
computers and applies the Microsoft patches listed above.
That is pretty strange behaviour for VX-ers, no?


lol.



Posted by kurt wismer on February 13th, 2004


sam1967@hetnet.nl wrote:
[snip]
no... like i said, it's been done before and it will probably be done
again... anti-virus viruses have been around for more than 10 years...
it's not new or strange, it's just infrequent...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

Posted by Adrian_S on February 14th, 2004


Big Will wrote:
Well, let's see, who would benefit from the mydoom worms being knocked
out so that they can no longer bombard SCO and Microsoft web sites?

Beats me.

--
Adrian S

"I am not a number, I am a free man!"
"You are 127.0.0.1"

