Newsgroups: fido.virus
Distribution: fido
From: Marc Lewis
Date: Thu, 29 Jan 04 00:45:04 +0100
Subject: Protect against MyDoom worm...
Organization: Sursum Corda! BBS-New Orleans 1-504-897-6006 USR33k6 2432/0
January 27, 2004
How To Protect Yourself Against Mydoom
By Gregg Keizer Courtesy of TechWeb News
As the Mydoom worm blasts through the Internet, enterprises and individuals can
take steps to protect against its infection, according to a security expert from
Symantec's security response team.
Alfred Huger, the senior director of engineering with Symantec's virus watch
group, suggested that organizations filter at the gateway for Mydoom's various
subject headings. They include: test, hi, hello, Mail Delivery System, Mail
Transaction Failed, Server Report, Status, and Error.
"Start dropping mail with those subject lines immediately," recommended Huger.
But because filtering for those generic subject headings may also drop some
valid messages, organizations should be prepared to cull the deferred messages
before deletion, he said.
Other tactics users and companies can take include the typical -- update virus
definitions at both the gateway and on desktops -- and the unusual. "Make sure
that no one in the enterprise is using Kazaa," he said, noting that Mydoom can
spread through that peer-to-peer software as well as via e-mail.
Like other recent worms, Mydoom can disguise its payload as any number of file
types. But while most are automatically blocked by newer versions of e-mail
clients, such as the popular Microsoft Outlook, some are not, most notably the
.zip extension.
"Enterprises should block .zip attachments at the gateway," said Huger, "unless
these types of files have a legitimate business purpose."
Additionally, Mydoom contains a backdoor that listens for commands on a series
of TCP ports, said Huger. One function of this backdoor is an entry by hackers
into infected systems -- attackers can use it to send and run other malicious
code on the compromised machine -- but another purpose is to relay network
connections, in effect adding the system to a collection of proxies for later
spam and/or worm transmission.
To slam shut this backdoor, Huger advised organizations and users to block
inbound TCP traffic on ports 3127 through 4000.
While many anti-virus firms have updated their software to account for Mydoom
-- including Huger's Symantec -- so that the worm is automatically detected and
destroyed, there are some tools available on the Internet for cleaning infected
machines.
Sophos, for instance, has posted an automated removal tool on its Web
site, while F-Secure also has a similar tool available.
Best regards,
Marc
telnet://bbs.sursum-corda.com
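The gateway filter Huger describes, as an added example that is not part of the original post and is not Symantec's or any vendor's code: it parses a raw RFC 822 message, matches the Subject line against the list quoted in the article (case-insensitively, on the whole subject, so "Status report" is not caught), flags .zip attachments by filename or MIME type, and returns a quarantine verdict rather than deleting, so the deferred mail can be reviewed before disposal as the article advises. The function names, the verdict scheme and the sample messages are assumptions constructed for illustration; the body text in the samples is generic filler, not the worm's own text.

```python
"""Mail-gateway triage for the Mydoom indicators quoted in the article above.

Added example, not from the original post or from Symantec: the indicator
list (subject lines, .zip attachments) comes from the article; triage(),
zip_attachments(), build_samples() and the sample messages are assumptions
constructed here for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines named by Huger; compared case-insensitively after stripping
# surrounding whitespace, against the whole subject (not a substring).
MYDOOM_SUBJECTS = frozenset(s.lower() for s in (
    "test", "hi", "hello", "Mail Delivery System",
    "Mail Transaction Failed", "Server Report", "Status", "Error",
))

# MIME types under which a zip archive is commonly shipped.
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def zip_attachments(msg: EmailMessage) -> list[str]:
    """Return the filenames of parts that look like .zip attachments.

    Both the declared filename (case-insensitive) and the declared MIME type
    are checked, so report.ZIP sent as application/octet-stream is still seen.
    """
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            found.append(name or "<unnamed>")
    return found


def triage(raw: bytes) -> dict:
    """Classify one raw RFC 822 message.

    Returns {"verdict": "deliver" | "quarantine", "reasons": [...]}.
    Matches are quarantined (deferred for human review), not deleted, because
    the generic subjects also appear on legitimate mail.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        reasons.append(f"subject matches Mydoom list: {subject!r}")
    zips = zip_attachments(msg)
    if zips:
        reasons.append("zip attachment(s): " + ", ".join(zips))
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_samples() -> dict:
    """Constructed sample messages (assumptions, not captured traffic)."""
    def base(subject: str, body: str) -> EmailMessage:
        m = EmailMessage()
        m["From"] = "sender@example.com"
        m["To"] = "user@example.org"
        m["Subject"] = subject
        m.set_content(body)
        return m

    # Worm-like: listed subject plus a .zip attachment (fake archive bytes).
    worm = base("Mail Delivery System", "See attached file.")
    worm.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                        subtype="zip", filename="message.zip")
    # Legitimate mail that happens to use a listed subject: still deferred.
    generic_subject = base("Status", "All systems nominal this morning.")
    # Upper-case extension under a generic MIME type.
    upper_zip = base("Invoice", "Archive attached.")
    upper_zip.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                             subtype="octet-stream", filename="report.ZIP")
    # Ordinary mail: nothing matches.
    normal = base("Q1 budget meeting", "Moved to Thursday at 10.")
    return {name: m.as_bytes() for name, m in (
        ("worm", worm), ("generic_subject", generic_subject),
        ("upper_zip", upper_zip), ("normal", normal))}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, triage(raw))
```

In a real gateway the quarantine branch would write the message to a review folder and log the reasons; the exact-match rule keeps the false-positive rate to mail whose entire subject is one of the eight generic words, which is the trade-off the article describes.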