The Mydoom or SCO.A worm is leading to some new issues. The worm installs a backdoor that gives remote users access to the infected system, logs keystrokes, and sends off certain passwords.
This has led to some pretty widespread hacking activity, with unrelated attackers using infected systems to gain further access and harvest passwords.
The gist here is: if you have an infected system, you should consider it a complete compromise. Execute your incident response plans. In addition, you should:
1: Change all passwords used on or near that machine
2: Force all user passwords in your domain to expire and be changed (they could have been harvested)
3: Change all administrative passwords
4: Remove the infected system from the network, even if cleaned by antivirus. It should be rebuilt, but at the very least it should be completely inspected by a security professional before being returned to service.
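Step 2 is the one most shops have no script ready for. The following is an added example, not part of the original post, showing one way to do it in an Active Directory domain with the ActiveDirectory PowerShell module (RSAT). The exclusion list, the handling of accounts with PasswordNeverExpires set, and the -WhatIf switch are my assumptions about what an administrator would want, not anything the post specifies.

```powershell
# Added example (not from the original post): flag every enabled domain user
# to change their password at next logon, after a Mydoom-class compromise.
# Assumes the ActiveDirectory module and rights to modify user objects.
# Run with -WhatIf first to review the scope before committing.
param(
    # Assumption: accounts handled separately (krbtgt is reset by its own procedure).
    [string[]]$ExcludeSamAccountNames = @('krbtgt'),
    [switch]$WhatIf
)

Import-Module ActiveDirectory

# Only enabled accounts. PasswordNeverExpires is pulled because AD refuses
# ChangePasswordAtLogon on such accounts (usually service accounts), so those
# are reported for manual rotation instead of being changed here.
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet

$skipped = @()
foreach ($u in $users) {
    if ($ExcludeSamAccountNames -contains $u.SamAccountName) { $skipped += $u; continue }
    if ($u.PasswordNeverExpires) { $skipped += $u; continue }
    # Sets pwdLastSet to 0, so the next logon demands a new password.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
}

"{0} users flagged for forced password change; {1} need manual rotation:" -f ($users.Count - $skipped.Count), $skipped.Count
$skipped | Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet | Format-Table -AutoSize
```

Two caveats a responder should keep in mind: a "must change at next logon" flag does not invalidate a harvested password until the user actually logs on and changes it, so the administrative accounts from step 3 should be reset directly (Set-ADAccountPassword -Reset) rather than left to this flag, and the accounts the script reports as skipped need the same direct reset by hand.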
An infection by this worm is not just your regular infection. It's a complete compromise that may have had the attention of a live human attacker after the infection.