Born on the 4th of July
Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were attacked and, at different times, were offline. There's been a lot of speculation about the source of the attacks, but here is what we know so far.
We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses it gathers from the compromised computer. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the compromised computer. W32.Mydoom.A@mm in turn drops W32.Mytob!gen and a removal tool built by the threat authors, allowing them to uninstall W32.Mytob!gen if they so prefer. W32.Mytob!gen gathers email addresses, sends the W32.Dozer dropper to them, and the cycle …