Author Topic: DDOS Madness Continued...  (Read 1909 times)


July 11, 2009, 11:28:27 pm

MysteryFCM
Quote
The DDOS attacks which started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.

The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) which initially downloaded a DDOS component has recently been seen to download another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems' hard drives. This hard drive killer component acts like a time bomb which will start triggering from July 10th onwards. Sadly it means that today, on July 11th, all those infected PCs which were up and running yesterday are already damaged.

How does this damage occur? The time based execution of wversion.exe is controlled by another component (mstimer.dll: 93322e3614babd2f36131d604fb42905). mstimer.dll gets installed on the victim PC as an NT service with the name 'MS Timer Service'. This service keeps checking the current system date, and once the current date becomes the 10th of July or higher, it executes 'wversion.exe'. This killer component tries to overwrite the starting sectors of each physical drive with junk bytes. This also erases the MBR (Master Boot Record), making the hard disk useless for further use. These junk bytes are not completely junk but also contain a small message for the American people. It starts with the string "Memory of the Independence Day" followed by the junk character 'U'. This is what a physical drive looks like afterward:

http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
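An added triage example (not part of the original post, nor FireEye's or MysteryFCM's code) for checking whether a drive's first sector still carries an intact MBR or has been overwritten with the "Memory of the Independence Day" marker and 'U' fill described in the quote. The intact MBR below is a constructed sample with made-up partition values; the wiped sample reproduces only the two facts the post gives (marker string, then 'U' bytes). Reading a live raw device (for example a PhysicalDrive path on Windows, which needs administrator rights) is assumed to work through an ordinary file open and is not exercised here.

```python
"""Triage sector 0 of a disk image for the wiper pattern described in the post."""
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
# Marker quoted in the post; the 'U' fill that follows it is byte 0x55.
MARKER = b"Memory of the Independence Day"
FILL = b"U"


def build_sample_mbr() -> bytes:
    """Constructed sample: an intact MBR with one NTFS partition (values are made up)."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (446 - 7)
    # status, CHS start, type 0x07, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + MBR_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sample reproducing the described overwrite: marker, then 'U' fill."""
    return (MARKER + FILL * SECTOR)[:SECTOR]


def triage_sector0(sector: bytes) -> dict:
    """Classify the first 512 bytes of a drive or image.

    Returns 'intact' (valid signature, no marker), 'wiped-marker' (the quoted
    string is present) or 'invalid-mbr' (no signature and no marker).
    """
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    s = sector[:SECTOR]
    signature_ok = s[510:512] == MBR_SIGNATURE
    marker_offset = s.find(MARKER)
    # A sector filled with 'U' ends in 0x55 0x55, so the signature check fails too.
    fill_ratio = s.count(FILL) / SECTOR

    partitions = []
    if signature_ok:
        for i in range(4):
            entry = s[446 + 16 * i: 446 + 16 * (i + 1)]
            ptype = entry[4]
            if ptype:
                lba_start, count = struct.unpack_from("<II", entry, 8)
                partitions.append({"type": ptype, "lba_start": lba_start,
                                   "sectors": count})

    if marker_offset >= 0:
        verdict = "wiped-marker"
    elif signature_ok:
        verdict = "intact"
    else:
        verdict = "invalid-mbr"
    return {"verdict": verdict, "signature_ok": signature_ok,
            "marker_offset": marker_offset, "fill_ratio": round(fill_ratio, 3),
            "partitions": partitions}


def triage_path(path: str) -> dict:
    """Read sector 0 from a disk image file (or a raw device path, with privileges)."""
    with open(path, "rb") as fh:
        return triage_sector0(fh.read(SECTOR))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_path(sys.argv[1]))
    else:
        print("constructed intact MBR:", triage_sector0(build_sample_mbr()))
        print("constructed wiped MBR: ", triage_sector0(build_wiped_mbr()))
```

Run it against a saved image of a suspect drive (`python triage.py drive.img`) or with no argument to see both constructed samples. An "invalid-mbr" verdict without the marker just means the signature is gone; it does not by itself prove this particular component ran.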

July 12, 2009, 10:04:09 am
Reply #1

Orac
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment