echo: virus
to: All
from: Marc Lewis
date: 2004-01-29 00:45:04
subject: Protect against MyDoom worm...

January 27, 2004

How To Protect Yourself Against Mydoom


By Gregg Keizer        Courtesy of TechWeb News

As the Mydoom worm blasts through the Internet, enterprises and individuals
can take steps to protect against its infection, according to a security
expert from Symantec's security response team.

Alfred Huger, the senior director of engineering with Symantec's virus
watch group, suggested that organizations filter at the gateway for
Mydoom's various subject headings. They include: test, hi, hello, Mail
Delivery System, Mail Transaction Failed, Server Report, Status, and Error.

"Start dropping mail with those subject lines immediately,"
recommended Huger. But because filtering for those generic subject headings
may also drop some valid messages, organizations should be prepared to cull
the deferred messages before deletion, he said.

Other tactics users and companies can take include the typical -- update
virus definitions at both the gateway and on desktops -- and the unusual.
"Make sure that no one in the enterprise is using Kazaa," he
said, noting that Mydoom can spread through that peer-to-peer software as
well as via e-mail.

Like other recent worms, Mydoom can disguise its payload as any number of
file types. But while most are automatically blocked by newer versions of
e-mail clients, such as the popular Microsoft Outlook, some are not, most
notably the .zip extension.

"Enterprises should block .zip attachments at the gateway," said
Huger, "unless these types of files have a legitimate business
purpose."

Additionally, Mydoom contains a backdoor that listens to commands on a
series of TCP ports, said Huger. One function of this backdoor is an entry
by hackers into infected systems -- attackers can use it to send and run
other malicious code on the compromised machine -- but another purpose is
to relay network connections, in effect adding the system to a collection
of proxies for later spam and/or worm transmission.

To slam shut this backdoor, Huger advised organizations and users to block
inbound TCP traffic on ports 3127 through 4000.

While many anti-virus firms have updated their software to account for
Mydoom -- including Huger's Symantec -- so that the worm is automatically
detected and destroyed, there are some tools available on the Internet for
cleaning infected machines.

Sophos, for instance, has posted an automated removal tool on its Web
site, while F-Secure also has a similar tool available.

Best regards,
Marc
telnet://bbs.sursum-corda.com

-+- QuikEdit 2.41R+

--- Maximus/2 3.01
* Origin: Sursum Corda! BBS-New Orleans 1-504-897-6006 USR33k6 (1:396/45)
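Added example, not from the article, Symantec or the BBS post: a gateway-side triage routine that applies Huger's two mail-filtering recommendations (match the listed Mydoom subject lines, flag .zip attachments) and quarantines rather than deletes, so the deferred mail can be culled before anything is destroyed. The sample messages are constructed, not real captures.

```python
"""Gateway triage for the Mydoom mail indicators quoted above.

Messages whose subject is on the worm's list, or that carry a .zip
attachment, are marked for quarantine instead of being dropped outright,
because the subjects are generic enough to hit legitimate mail.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines attributed to Mydoom in the article (compared case-insensitively).
MYDOOM_SUBJECTS = {
    "test", "hi", "hello", "mail delivery system", "mail transaction failed",
    "server report", "status", "error",
}

# Attachment type the article says newer mail clients still let through.
BLOCKED_EXTENSIONS = (".zip",)


def triage(raw: bytes) -> tuple[str, list[str]]:
    """Return ('quarantine' | 'deliver', reasons) for one raw RFC 822 message."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        reasons.append(f"subject matches Mydoom list: {subject!r}")
    for part in msg.iter_attachments():  # only parts flagged as attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (hypothetical addresses, placeholder zip bytes).
WORM_LIKE = (
    b"From: bounce@example.net\r\nTo: user@example.com\r\n"
    b"Subject: Mail Transaction Failed\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nThe message could not be delivered.\r\n"
    b'--b1\r\nContent-Type: application/zip; name="document.zip"\r\n'
    b'Content-Disposition: attachment; filename="document.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBAo=\r\n--b1--\r\n"
)
LEGIT = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Q1 budget figures\r\n\r\nNumbers are in the shared folder.\r\n"
)

if __name__ == "__main__":
    for raw in (WORM_LIKE, LEGIT):
        print(triage(raw))
```

The quarantine verdict is deliberately separate from deletion: a reviewer releases legitimate "status" or "hello" mail from the deferred queue before the rest is purged, as the article recommends.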

SOURCE: echomail via fidonet.ozzmosis.com
