lazarusholic

DDOS Madness Continued...

2009-07-11, Fireeye
https://www.fireeye.com/blog/threat-research/2009/07/ddos-madness-climax.html
DDOS_Madness_Continued.pdf, 626.4 KB
#7.7DDoS #MYDOOM #DDoS

Contents

The DDOS attacks which started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.
The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) which initially downloaded a DDOS component has recently been seen to download another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems' hard drives. This hard drive killer component acts like a time bomb which will start triggering from July 10th onwards. Sadly it means that today, on July 11th, all those infected PCs which were up and running yesterday are already damaged.
How does this damage occur? The time-based execution of wversion.exe is controlled by another component (mstimer.dll: 93322e3614babd2f36131d604fb42905). mstimer.dll gets installed on the victim PC as an NT service with the name "MS Timer Service". This service keeps checking the current system date, and once …

IoC

0f394734c65d44915060b36a0b1a972d
f5c6b935e47b6a8da4c5337f8dc84f76
93322e3614babd2f36131d604fb42905
75.151.32.182