
[nycphp-talk] OT:Virus Alert: MyDoom

jessica kelly jkelly at sussex.edu
Tue Jan 27 11:53:32 EST 2004


McAfee has released a DAT for it for those of us using windows & McAfee. 

I'm getting lots at the College I work at.

Jessica

>>> mjdewitt at alexcommgrp.com 1/27/04 11:49:45 AM >>>
This one seems to be really catching on.  We are getting a ton of these
emails this morning. We allow ZIP files through and have to, so we have some
exposure with this virus.  People here are aware of this issue, but you
never know if everyone will think "virus" when that juicy ZIP file is
staring them in the face from their inbox. 

Here is something Watchguard sent me on this virus.	

Mike

> -----Original Message-----
> From:	WatchGuard LiveSecurity
> [SMTP:WatchGuard_LiveSecurity at tailorednews.com] 
> Sent:	Monday, January 26, 2004 9:45 PM
> To:	DeWitt, Michael
> Subject:	LiveSecurity | Urgent: Virus Alert: MyDoom
> 
> 
> MyDoom
> 
> 
> MyDoom Demonstrates 
> a True Viral Outbreak
> 
> 
> 26 January 2004
> 
> 
> About the Virus
> 
> 
> A new virus, MyDoom (also called Novarg by some vendors, Mimail.R by
> others), is erupting on the Internet right now. Network Associates
> received 19,500 copies of the virus from over 3,400 email addresses in a
> single hour Monday afternoon, an extremely high rate. MyDoom seems to have
> been launched today, around 1:00 PM Pacific Standard Time. The virus
> presents a well-worded message advising that its attachment was necessary
> because a technical error prevented normal email transmission, a more
> clever social-engineering ploy than the garden variety "Here, open this."
> Since this new virus carries a trojan, MyDoom might feel appropriately
> named to its victims.
> 
> 
> Distinguishing Characteristics
> 
> 
> A MyDoom e-mail spoofs its sender so that it appears to come from one of
> your friends, contacts, or a credible institution such as a bank or phone
> company. The Subject is randomized. So far we've seen the variations
> below:
> 
> *	hi
> *	hello
> *	HELLO
> *	error
> *	Mail Delivery System
> *	Mail Transaction Failed
> *	Server Report
> *	status
> *	test
> *	Test
> *	Server Request
> 
> MyDoom is so new that the anti-virus vendors have not compiled their list
> of variations at the time of this writing. There may be other Subjects we
> haven't listed. MyDoom's body is also random. So far we know of these
> three variations:
> 
> *	The message cannot be represented in 7-bit ASCII encoding and has
> been sent as a binary attachment.
> *	The message contains Unicode characters and has been sent as a
> binary attachment.
> *	Mail transaction failed. Partial message is available.
> 
> We believe those credible bodies partly contribute to MyDoom's success.
> They certainly sound like legitimate errors and lead one to believe that
> the attached file could be the message that your e-mail client can't
> display. Don't fall for it!
> 
> MyDoom uses random attachments that try to look like documents. It uses
> the following extensions:
> 
> *	.exe
> *	.scr
> *	.pif
> *	.cmd
> *	.bat
> *	.zip <-- (The zip file contains an executable that looks like a
> document; e.g., doc.txt [lots of spaces] .exe)
> 
> Although details are still developing, MyDoom starts like most viruses. If
> one of your users runs the virus' attachment, it starts by copying itself
> to his computer and adding registry entries to ensure that it can restart
> if your user reboots. It also harvests e-mail addresses from a number of
> different file types and sends itself to others.
> 
> According to the latest breaking news, MyDoom also seems to spread through
> the popular Kazaa P2P, file-sharing application. Other reports indicate
> MyDoom is engineered to target SCO for a Denial of Service attack. 
> 
> Finally, MyDoom installs a backdoor by opening a connection on TCP port
> 3127. This could allow the virus author access to control an infected
> machine.
> 
> This virus has spread so fast that the anti-virus vendors are still
> researching it. MyDoom's code is encrypted so it may take a while for the
> vendors to assess its true scope. We recommend you intermittently check
> McAfee's alert
> <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983>
> for the latest developments.
> 
> 
> What you can do
> 
> 
> *	As always, remind your users never to open unexpected attachments
> from any source.
> 
> *	Most major anti-virus vendors already have signatures that detect
> MyDoom. Check with your vendor for the latest update. If there is no
> MyDoom update, search on variant names Novarg, Shimg, or Mimail.R, which
> are terms for the same virus. 
> 
> *	Firebox II / III and Vclass owners should follow the steps below.
> The SMTP proxy can help. 
> 
> 
> Suggestions for SOHO owners
> 
> 
> If you have a SOHO, your best bet to stop this worm is to get new virus
> definitions from your vendor. Don't open e-mail attachments unless they
> contain material you requested or expect. Scan e-mail attachments with
> your anti-virus software, and open them only if they are proven clean. 
> 
> When it successfully infects a machine, MyDoom seems to open a connection
> using TCP port 3127 in an attempt to allow the virus author access to your
> machine. We recommend blocking this port, both Incoming and Outgoing. To
> do this, connect to your SOHO and click "Custom Service" on the left side
> of the screen. Name the service whatever you want (for example,
> Block_MyDoom_Trojan) and add TCP port 3127 to the "Protocol Settings."
> Change both Incoming and Outgoing Filter to "Deny" and submit your
> changes. This will not prevent the worm from infecting you, but it should
> prevent the virus' backdoor from reaching the author.
> 
> 
> Suggestions for Firebox II / III owners
> 
> 
> MyDoom uses many attachment types. The Firebox II and III's SMTP Proxy
> blocks most of MyDoom's attachments by default. However, it doesn't block
> ZIP files by default. You can follow the steps below to block ZIP files
> either temporarily or permanently. Since MyDoom uses different file names,
> blocking it requires you to block all ZIP files. Note that this procedure
> stops your users from receiving any ZIP file, whether malicious or not. 
> 
> *	If you have an SMTP Proxy icon in the WatchGuard Policy Manager,
> double-click the icon, then go to Properties tab => Incoming => Content
> Types tab => check for "*.zip" in the box labeled "Deny attachments based
> on these file name patterns." If you see *.zip in the list, your Firebox
> is configured to block this virus. If you don't see .zip in the list,
> click the Add button and type *.zip.
>   
> *	If you don't have an SMTP Proxy icon in the WatchGuard Policy
> Manager, go to: Edit => Add Service => Proxies => SMTP => Add => OK. The
> newly enabled service blocks the worm by default. 
> 
> When it successfully infects a machine, MyDoom seems to open a connection
> using TCP port 3127 in an attempt to allow the virus author access to your
> machine. We recommend blocking this port, both Incoming and Outgoing. To
> do this, click "Edit => Add Service => New." Name the service whatever you
> want (e.g., Block_MyDoom_Trojan) and click "Add." Choose TCP port 3127,
> and for "Client Port," choose Ignore from the drop-down menu, and click
> "OK" twice to add the service to the list of services. Now, double-click
> the new service to add it to your configuration. Change both Incoming and
> Outgoing to "Enabled and Denied" and press "OK." Make sure to save this
> change to your Firebox. This change will not prevent the worm from
> infecting you, but it should prevent the virus' backdoor from reaching the
> author.
> 
> 
> Suggestions for Vclass owners
> 
> 
> Your Vclass does not block .zip files by default. You'll have to create or
> adjust a custom proxy action based on SMTP-Incoming in order to strip .zip
> attachments. Keep in mind, this does prevent your users from receiving any
> ZIP file whether malicious or not.
> 
> If you have created your own Proxy Action based on SMTP-Incoming, you can
> edit it so that it blocks all .zip files. In the Vcontroller software,
> click the Proxies button and double-click your custom proxy action. Under
> the Content Checking tab, change "Category" to Attachment Filename and
> click either the Add to Top or Insert After button (only one or the other
> will display). Next, type ZIP files as the new rule's name, and choose
> "Pattern Match." Next to Pattern Match, type *.zip and select Strip as the
> Action. Now you can apply this new Proxy Action to your SMTP rule to
> ensure zip files are blocked.
> 
> When it successfully infects a machine, MyDoom seems to open a connection
> using TCP port 3127 in an attempt to allow the virus author access to your
> machine. We recommend blocking this port, both Incoming and Outgoing. To
> do this, click on "Security Policy" in the Vcontroller software. Highlight
> one of your services and press, "Insert." Name the service anything you
> like (e.g., block.MyDoom.trojan).  Choose "Any" for Source and
> destination. Next to "Service" click the "New" button. Name the new port
> "MyDoom.Trojan" and press "New." For Protocol, choose TCP, and enter
> Server Port 3127.  Press "Done" twice to get back to the "Insert Security
> Policy" window. Next to Firewall, choose "Block" and press "Done" to add
> the service. Finally, press "Apply" to add the service to your Vclass
> Firebox. This change will not prevent the worm from infecting you, but it
> should prevent the virus' backdoor from reaching the author. 
> 
> 
> References:
> 
> 
> McAfee description of MyDoom
> <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983>
> 
> Symantec description of Novarg
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html>
> 
> ComputerWorld write-up
> <http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89449,00.html>
> 
> Credits: Researched by Corey Nachreiner.
> 
> Written by Corey Nachreiner and Scott Pinzon. 
> 
>   _____  
> 
> Was this alert clear and helpful to you? Have any suggestions on how we
> could improve it? Let us know at lsseditor at watchguard.com 
> <mailto:lsseditor at watchguard.com?subject=MyDoom%20alert>.
> 
> For past alerts, log into the LiveSecurity Archive
> <https://www3.watchguard.com/archive/broadcasts.asp>.
> 
> Stumped by jargon? Try the LiveSecurity Online Glossary
> <http://www.watchguard.com/glossary/>.
> 
> Copyright 2004, WatchGuard Technologies, Inc. All rights reserved.
> WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or
> registered trademarks of WatchGuard Technologies, Inc. in the United
> States and other countries.
> 
> 
_______________________________________________
talk mailing list
talk at lists.nyphp.org 
http://lists.nyphp.org/mailman/listinfo/talk
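The forwarded alert describes MyDoom's indicators (the fixed Subject lines, the three "transmission error" body texts, the executable attachment extensions, and the ZIP trick of an executable hiding behind a document-looking, space-padded name) and then gives GUI steps that can only block every ZIP outright. The filter below is an added example, not code from the post, the list, or WatchGuard: it applies those same indicators to a raw RFC 822 message with Python's standard `email` and `zipfile` modules, and looks inside ZIP attachments instead of rejecting all of them. The sample messages, addresses, and file names are constructed for the example; the only real indicators are the ones quoted from the alert.

```python
"""Mail-gateway check for the MyDoom indicators listed in the WatchGuard alert.

Added example, not from the original post. Indicator strings are copied from
the alert; every message, address and file name below is made up.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subjects from the alert, compared case-insensitively (it lists hello/HELLO
# and test/Test separately, which is the same thing once lower-cased).
MYDOOM_SUBJECTS = {
    "hi", "hello", "error", "mail delivery system", "mail transaction failed",
    "server report", "status", "test", "server request",
}
# The three body variants from the alert, whitespace-normalized.
MYDOOM_BODIES = {
    "The message cannot be represented in 7-bit ASCII encoding and has been "
    "sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary "
    "attachment.",
    "Mail transaction failed. Partial message is available.",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat")
# "doc.txt [lots of spaces] .exe": whitespace before the real extension.
PADDED_NAME = re.compile(r"\s+\.(exe|scr|pif|cmd|bat)$", re.IGNORECASE)


def is_executable_name(name):
    """True when the final extension is one the worm uses, padding or not."""
    return name.lower().endswith(EXEC_EXTENSIONS)


def zip_members_with_executables(data):
    """Names of executable members inside a ZIP payload (top level only)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw_bytes):
    """Return matched indicators; an empty list means nothing looked like MyDoom."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []

    subject = (msg["subject"] or "").strip()
    if subject.lower() in MYDOOM_SUBJECTS:
        hits.append(f"subject:{subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if " ".join(text.split()) in MYDOOM_BODIES:
        hits.append("body:known-mydoom-text")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_name(name):
            hits.append(f"attachment:executable:{name!r}")
        elif name.lower().endswith(".zip"):
            for member in zip_members_with_executables(part.get_payload(decode=True)):
                kind = "padded-executable" if PADDED_NAME.search(member) else "executable"
                hits.append(f"zip-member:{kind}:{member!r}")
    return hits


def _message_with_zip(subject, body, member_name, member_bytes):
    """Build a multipart message carrying one ZIP attachment (constructed data)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "Mail Delivery Subsystem <postmaster@example.com>"  # spoofed
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def build_sample_message():
    """A MyDoom-style message as the alert describes it (made up, not a capture)."""
    return _message_with_zip("Mail Transaction Failed",
                             "Mail transaction failed. Partial message is available.",
                             "doc.txt" + " " * 40 + ".exe", b"MZ not a real program")


def build_clean_message():
    """A legitimate ZIP attachment that the alert's blanket *.zip block would also drop."""
    return _message_with_zip("Q4 report", "Attached as discussed.",
                             "report.txt", b"quarterly figures")


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_message(build_clean_message()))
```

This inspects only the top level of each archive; nested ZIPs and non-ZIP containers are out of scope here, and a gateway that cannot open an attachment should quarantine it rather than pass it. The point of the example is the alternative the alert does not offer: a filter that keeps legitimate ZIPs flowing while still stopping an archive whose member is an executable dressed up as a document.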
