Doombot Worm Spreads via Phishing Model Attack
16 June 2006. Security experts at MicroWorld Technologies report that a backdoor worm named Doombot.k is spreading fast via abuse-warning emails that spoof the domain names of security software companies and leading business houses. Its method of propagation is strikingly similar to that of many recent phishing attacks.

Doombot.k comes with IRC bot capabilities and spreads via mass mailing. Once inside the computer, the worm runs in the background, acting as a backdoor server that gives the remote attacker access to the victim's PC via IRC channels. The smart worm also lowers the security level of the computer and changes entries in the Windows HOSTS file in order to block the websites of antivirus companies.
For its spreading routine, the worm steals email IDs from the victim's address book and starts sending itself as .pif, .scr, .exe, .cmd and .bat attachments. The most interesting aspect noted here is that it spoofs the sender's domain name to match the domain of the harvested email address. For example, if the worm steals the email address john@xyz.com, it will fake the sender's ID as abuse@xyz.com or security@xyz.com and send the message to John's mail address. In the internal email system of an enterprise, this can wreak havoc by spreading fast to infect the entire network.
The subject line of the email is picked from a list that includes titles such as Account Alert, Important Notification, Members Support, Notice of account limitation, and Security measures.
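
The traits described above (a role sender on the recipient's own domain, a listed subject line, an executable attachment) can be combined into a mail-filter heuristic. This is an added example, not code from MicroWorld or the original article; the function name, indicator labels and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from pathlib import PurePosixPath

# Values below come from the article; how they are combined is an assumption.
ROLE_LOCALPARTS = {"abuse", "security"}
EXTENSIONS = {".pif", ".scr", ".exe", ".cmd", ".bat"}
SUBJECTS = {"account alert", "important notification", "members support",
            "notice of account limitation", "security measures"}

def doombot_indicators(raw):
    """Return which of the article's traits appear in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, sender_domain = sender.rpartition("@")
    rcpt_domains = {addr.lower().rpartition("@")[2]
                    for _, addr in getaddresses(msg.get_all("To", []))}
    # Trait 1: abuse@/security@ sender claiming the recipient's own domain.
    if local in ROLE_LOCALPARTS and sender_domain in rcpt_domains:
        hits.append("role-sender-on-recipient-domain")
    # Trait 2: subject line drawn from the list in the article.
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("known-subject")
    # Trait 3: attachment with one of the listed executable extensions.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if PurePosixPath(name).suffix in EXTENSIONS:
            hits.append("executable-attachment")
            break
    return hits

# Constructed sample mirroring the article's john@xyz.com example.
SAMPLE = ('From: abuse@xyz.com\nTo: john@xyz.com\nSubject: Account Alert\n'
          'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
          '--b1\nContent-Type: text/plain\n\nConstructed sample body.\n'
          '--b1\nContent-Type: application/octet-stream\n'
          'Content-Disposition: attachment; filename="notice.pif"\n\n'
          'placeholder\n--b1--\n')
# Constructed benign message for comparison.
BENIGN = ('From: alice@example.org\nTo: john@xyz.com\nSubject: Lunch\n'
          'Content-Type: text/plain\n\nSee you at noon.\n')

if __name__ == "__main__":
    print(doombot_indicators(SAMPLE))
    print(doombot_indicators(BENIGN))
```

Because genuine abuse@ and security@ mail exists inside most organizations, the first trait is best treated as a signal to combine with the others rather than a verdict on its own.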