corsasport.co.uk
 

Corsa Sport » Message Board » General Chat » VIRUS WARNING





VIRUS WARNING
Neshol
Member

Registered: 10th Jul 02
Location: Midlands
User status: Offline
28th Jan 04 at 01:55

Same one as the top post in general chat. Some info:

MyDoom
MyDoom Demonstrates
a True Viral Outbreak
26 January 2004

About the Virus
A new virus, MyDoom (also called Novarg by some
vendors, Mimail.R by others), is erupting on the Internet right now.
Network Associates received 19,500 copies of the virus from over 3,400
email addresses in a single hour Monday afternoon, an extremely high
rate. MyDoom seems to have been launched today, around 10 PM Pacific
Standard Time. The virus presents a well-worded message advising that its
attachment was necessary because a technical error prevented normal email
transmission, a more clever social-engineering ploy than the garden
variety "Here, open this." Since this new virus carries a trojan, MyDoom
might feel appropriately named to its victims.

Distinguishing Characteristics
A MyDoom e-mail spoofs its sender so that it
appears to come from one of your friends, contacts, or a credible
institution such as a bank or phone company. The Subject is randomized.
So far we've seen the variations below:

a. hi
b. hello
c. HELLO
d. error
e. Mail Delivery System
f. Mail Transaction Failed
g. Server Report
h. status
i. test
j. Test
k. Server Request

MyDoom is so new that the anti-virus vendors have
not compiled their list of variations at the time of this writing. There
may be other Subjects we haven't listed. MyDoom's body is also random. So
far we know of these three variations:

a. The message cannot be represented in 7-bit
ASCII encoding and has been sent as a binary attachment.
b. The message contains Unicode characters and
has been sent as a binary attachment.
c. Mail transaction failed. Partial message is
available.

We believe those credible bodies partly
contribute to MyDoom's success. They certainly sound like legitimate
errors and lead one to believe that the attached file could be the
message that your e-mail client can't display. Don't fall for it!

MyDoom uses random attachments that try to look
like documents. It uses the following extensions:

a. .exe
b. .scr
c. .pif
d. .cmd
e. .bat
f. .zip <-- (The zip file contains an
executable that looks like a document; e.g., doc.txt [lots of spaces]
.exe)

Although details are still developing, MyDoom
starts like most viruses. If one of your users runs the virus'
attachment, it starts by copying itself to his computer and adding
registry entries to ensure that it can restart if your user reboots. It
also harvests e-mail addresses from a number of different file types and
sends itself to others.

According to the latest breaking news, MyDoom
also seems to spread through the popular Kazaa P2P, file-sharing
application. Other reports indicate MyDoom is engineered to target SCO
for a Denial of Service attack.

Finally, MyDoom installs a backdoor by opening a
connection on TCP port 3127. This could allow the virus author access to
control an infected machine.

This virus has spread so fast that the anti-virus
vendors are still researching it. MyDoom's code is encrypted so it may
take a while for the vendors to assess its true scope. We recommend you
intermittently check McAfee's alert for the latest developments.

What you can do
a. As always, remind your users never to open
unexpected attachments from any source.

b. Most major anti-virus vendors already have
signatures that detect MyDoom. Check with your vendor for the latest
update. If there is no MyDoom update, search on variant names Novarg,
Shimg, or Mimail.R, which are terms for the same virus.

c. Firebox II / III and Vclass owners should
follow the steps below. The SMTP proxy can help.

Suggestions for SOHO owners
If you have a SOHO, your best bet to stop this
worm is to get new virus definitions from your vendor. Don't open e-mail
attachments unless they contain material you requested or expect. Scan
e-mail attachments with your anti-virus software, and open them only if
they are proven clean.

When it successfully infects a machine, MyDoom
seems to open a connection using TCP port 3127 in an attempt to allow the
virus author access to your machine. We recommend blocking this port,
both Incoming and Outgoing. To do this, connect to your SOHO and click
"Custom Service" on the left side of the screen. Name the service
whatever you want (for example, Block_MyDoom_Trojan) and add TCP port
3127 to the "Protocol Settings." Change both Incoming and Outgoing Filter
to "Deny" and submit your changes. This will not prevent the worm from
infecting you, but it should prevent the virus' backdoor from reaching
the author.

Suggestions for Firebox II / III owners
MyDoom uses many attachment types. The Firebox II
and III's SMTP Proxy blocks most of MyDoom's attachments by default.
However, it doesn't block ZIP files by default. You can follow the steps
below to block ZIP files either temporarily or permanently. Since MyDoom
uses different file names, blocking it requires you to block all ZIP
files. Note that this procedure stops your users from receiving any ZIP
file, whether malicious or not.

a. If you have an SMTP Proxy icon in the
WatchGuard Policy Manager, double-click the icon, then go to Properties
tab => Incoming => Content Types tab => check for "*.zip" in the box
labeled "Deny attachments based on these file name patterns." If you see
*.zip in the list, your Firebox is configured to block this virus. If you
don't see .zip in the list, click the Add button and type *.zip.

b. If you don't have an SMTP Proxy icon in the
WatchGuard Policy Manager, go to: Edit => Add Service => Proxies => SMTP
=> Add => OK. The newly enabled service blocks the worm by default.

When it successfully infects a machine, MyDoom
seems to open a connection using TCP port 3127 in an attempt to allow the
virus author access to your machine. We recommend blocking this port,
both Incoming and Outgoing. To do this, click "Edit => Add Service =>
New." Name the service whatever you want (e.g., Block_MyDoom_Trojan) and
click "Add." Choose TCP port 3127, and for "Client Port," choose Ignore
from the drop-down menu, and click "OK" twice to add the service to the
list of services. Now, double-click the new service to add it to your
configuration. Change both Incoming and Outgoing to "Enabled and Denied"
and press "OK." Make sure to save this change to your Firebox. This change
will not prevent the worm from infecting you, but it should prevent the
virus' backdoor from reaching the author.

Suggestions for Vclass owners
Your Vclass does not block .zip files by default.
You'll have to create or adjust a custom proxy action based on
SMTP-Incoming in order to strip .zip attachments. Keep in mind, this does
prevent your users from receiving any ZIP file whether malicious or not.

If you have created your own Proxy Action based
on SMTP-Incoming, you can edit it so that it blocks all .zip files. In
the Vcontroller software, click the Proxies button and double-click your
custom proxy action. Under the Content Checking tab, change "Category" to
Attachment Filename and click either the Add to Top or Insert After
button (only one or the other will display). Next, type ZIP files as the
new rule's name, and choose "Pattern Match." Next to Pattern Match, type
*.zip and select Strip as the Action. Now you can apply this new Proxy
Action to your SMTP rule to ensure zip files are blocked.

When it successfully infects a machine, MyDoom
seems to open a connection using TCP port 3127 in an attempt to allow the
virus author access to your machine. We recommend blocking this port,
both Incoming and Outgoing. To do this, click on "Security Policy" in the
Vcontroller software. Highlight one of your services and press "Insert."
Name the service anything you like (e.g., block.MyDoom.trojan). Choose
"Any" for Source and destination. Next to "Service" click the "New"
button. Name the new port "MyDoom.Trojan" and press "New." For Protocol,
choose TCP, and enter Server Port 3127. Press "Done" twice to get back
to the "Insert Security Policy" window. Next to Firewall, choose "Block"
and press "Done" to add the service. Finally, press "Apply" to add the
service to your Vclass Firebox. This change will not prevent the worm
from infecting you, but it should prevent the virus' backdoor from
reaching the author.

References:
McAfee description of MyDoom

Symantec description of Novarg

ComputerWorld write-up

Credits: Researched by Corey Nachreiner.

Written by Corey Nachreiner and Scott Pinzon.
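The indicators the alert lists (the randomized Subjects, the three bounce-like bodies, the executable attachment extensions, and the ZIP containing an executable named like a document padded with spaces) can be turned into a mail-content check. The following is an added example and is not code from the forum post or from WatchGuard; the sample messages, the placeholder "executable" bytes and the example.com addresses are constructed for the demonstration.

```python
"""Mail-content check built from the MyDoom indicators in the alert above.
Added example, not the original post's or WatchGuard's code. It applies the
listed Subjects, the three bounce-like bodies, the executable attachment
extensions and the ZIP trick (an executable whose name is a document name
padded with spaces) to constructed sample messages."""
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines from the alert, lower-cased so hi/HELLO and test/Test collapse.
SUBJECTS = {"hi", "hello", "error", "mail delivery system",
            "mail transaction failed", "server report", "status",
            "test", "server request"}
# Distinctive fragments of the three body variants.
BODY_PHRASES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".cmd", ".bat"}


def extension(name: str) -> str:
    """Lower-cased final extension of a file name ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def looks_executable(name: str) -> bool:
    return extension(name) in EXEC_EXTENSIONS


def padded_double_extension(name: str) -> bool:
    """'doc.txt      .exe' style: a whitespace run hides the real extension."""
    return looks_executable(name) and re.search(r"\s{2,}\.\w+$", name) is not None


def suspicious_subject(subject: str) -> bool:
    return subject.strip().lower() in SUBJECTS


def suspicious_body(body: str) -> bool:
    flat = " ".join(body.lower().split())   # collapse line wrapping
    return any(phrase in flat for phrase in BODY_PHRASES)


def zip_member_findings(data: bytes) -> list:
    """Executable member names inside a ZIP attachment, padded or not."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if padded_double_extension(member):
                    findings.append((member, "padded-name executable in zip"))
                elif looks_executable(member):
                    findings.append((member, "executable in zip"))
    except zipfile.BadZipFile:
        findings.append(("<unreadable>", "zip attachment could not be parsed"))
    return findings


def attachment_findings(msg: EmailMessage) -> list:
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if padded_double_extension(name):
            findings.append((name, "padded-name executable"))
        elif looks_executable(name):
            findings.append((name, "executable attachment"))
        elif extension(name) == ".zip":
            findings.extend(zip_member_findings(part.get_payload(decode=True) or b""))
    return findings


def classify(msg: EmailMessage) -> dict:
    """'block' on a dangerous attachment; lure text alone only gives 'flag',
    since subjects like 'hello' or 'test' are common in ordinary mail."""
    findings = attachment_findings(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    lure = (suspicious_subject(msg.get("Subject", ""))
            and suspicious_body(body_part.get_content() if body_part else ""))
    verdict = "block" if findings else ("flag" if lure else "allow")
    return {"verdict": verdict, "lure": lure, "attachments": findings}


def build_sample(subject: str, body: str, attachment=None) -> EmailMessage:
    """Constructed test message; attachment is (filename, subtype, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # spoofed-looking sender, constructed
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        filename, subtype, data = attachment
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg


def mydoom_style_zip() -> bytes:
    """ZIP holding a placeholder (not real code) named like a padded document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.txt" + " " * 40 + ".exe", b"placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample("Mail Delivery System",
                        "The message cannot be represented in 7-bit ASCII encoding\n"
                        "and has been sent as a binary attachment.",
                        ("message.zip", "zip", mydoom_style_zip()))
    print(classify(lure))   # verdict: block
```

The ZIP branch matters because, as the alert notes, the proxies block the bare executable extensions by default but let ZIP files through; looking inside the archive for a padded-name executable catches that case without having to strip every ZIP.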

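The three "block TCP port 3127 both Incoming and Outgoing" procedures above describe GUI steps on WatchGuard products; a related defender check is to look at firewall logs for either direction of 3127 traffic. The following is an added example, not from the post or WatchGuard: it reads iptables-style KEY=VALUE log lines (the sample lines are constructed, using documentation address ranges) and assumes 192.168.0.0/16 as the internal network.

```python
"""Direction-aware check for TCP 3127 traffic, the backdoor port named in the
alert above. Added example, not the post's or WatchGuard's own code: it reads
iptables-style 'KEY=VALUE' firewall log lines (the sample lines below are
constructed) and reports, per internal host, connections arriving at 3127 and
connections it initiated to 3127, covering both directions the alert blocks."""
import ipaddress
import re
from collections import defaultdict

BACKDOOR_PORT = 3127
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in iptables LOG format; addresses are documentation ranges.
SAMPLE_LOG = [
    "Jan 28 02:01:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=4411 DPT=3127",
    "Jan 28 02:01:12 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=80",
    "Jan 28 02:02:03 fw kernel: IN=eth1 OUT= SRC=192.168.1.31 DST=198.51.100.44 PROTO=TCP SPT=1102 DPT=3127",
    "Jan 28 02:02:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.168.1.20 PROTO=TCP SPT=5123 DPT=3127",
    "Jan 28 02:03:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=UDP SPT=53 DPT=3127",
    "Jan 28 02:03:30 fw kernel: not a packet log line at all",
]


def parse_line(line: str):
    """KEY=VALUE pairs as a dict, or None when the line is not a packet log."""
    fields = dict(FIELD.findall(line))
    if all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return fields
    return None


def backdoor_connections(lines, internal_net: str = "192.168.0.0/16") -> dict:
    """Per internal host: TCP 3127 connections it received and ones it started."""
    net = ipaddress.ip_network(internal_net)
    report = defaultdict(lambda: {"inbound": 0, "outbound": 0})
    for line in lines:
        f = parse_line(line)
        if f is None or f["PROTO"] != "TCP" or int(f["DPT"]) != BACKDOOR_PORT:
            continue
        src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        if dst in net:                       # outside party reaching a local 3127
            report[str(dst)]["inbound"] += 1
        if src in net:                       # local host reaching out to a 3127
            report[str(src)]["outbound"] += 1
    return dict(report)


def hosts_to_investigate(report: dict) -> list:
    """Hosts receiving connections on 3127: candidates for a listening backdoor."""
    return sorted(h for h, c in report.items() if c["inbound"] > 0)


if __name__ == "__main__":
    rep = backdoor_connections(SAMPLE_LOG)
    print(rep)
    print("investigate:", hosts_to_investigate(rep))
```

Repeated inbound attempts to 3127 on one internal host are the signal worth chasing, because the alert says the port is opened by the worm on the infected machine; the firewall rule stops the connection but the log entry is what tells you which machine still needs cleaning.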
 