MyDoom variant dropping Trojan used for US and S.Korean targeted DDoS
Trend Micro and others have released some details on the malware being used in the recent DDoS attacks on South Korean and US targets over the past week. The MyDoom variant itself isn't very interesting; it propagates through email.
The Trojan that it dropped, and the malware used in the DDoS attacks, is much more interesting to me. Symantec calls it Trojan.Dozer, while several other AV companies seem to be leaning towards naming it as a variant of the Trojan.Agent family. Symantec's write-up provides some very useful details on traffic patterns the Trojan exhibits, allowing good ol' network security monitoring to be used in tracking down infected hosts.
Trend's blog post on this provides some useful details on the MyDoom variant itself, and links to more information including some technical details on MyDoom.EA, without touching on the related Trojan malware being dropped by it.
MYDOOM Code Re-Used in DDoS on U.S. and South Korean Sites
A worm designed to propagate through email is the main proponent used in the DDoS attacks against high-profile websites in the United States and South Korea.
Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (such as WMI Performance Configuration or WmiConfig) to ensure execution upon startup. It then drops component files distributed on several infected machines with lists of targets for DDoS.
Post from: TrendLabs | Malware Blog - by Trend Micro
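As an added example (not from Chris's post, and not Trend Micro's or Symantec's code), here is a quick PowerShell check a defender can run on a Windows box to look for the persistence service the excerpt above describes. The two service names come straight from the Trend Micro write-up; the function name and the rest of the script are my own assumptions about how you'd check a host.

```powershell
# Added example, not from the original post. Hunts for the service names the
# TrendLabs excerpt attributes to WORM_MYDOOM.EA's persistence mechanism.
$suspectNames = @('WMI Performance Configuration', 'WmiConfig')   # from the excerpt

function Find-SuspectService {
    param(
        [Parameter(Mandatory)] [string[]] $Names
    )
    # Win32_Service exposes the short Name, the DisplayName and the binary
    # path, which is what you want to pivot on next (hash the PathName, check
    # who else on the network is running it, etc.).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { ($Names -contains $_.Name) -or ($Names -contains $_.DisplayName) } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Exact-name matching on purpose: Windows does ship a legitimate service with a
# similar display name, "WMI Performance Adapter" (service name wmiApSrv), and a
# substring match on "WMI Performance" would flag every clean host.
$hits = Find-SuspectService -Names $suspectNames
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No service matching the reported MyDoom/Dozer names found.'
}
```

This only covers the service-name indicator the excerpt gives; it won't catch a sample that picks a different name, so pair it with the network-side monitoring Symantec's write-up makes possible rather than treating a clean result as a clean host.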