Ask the Expert

After the DoS attack deadline, the dangers of Mydoom still lurk

After Feb. 12, the deadline for the SCO attack, what danger does the Mydoom worm pose on infected computers? Also, can you tell me how I can remove Mydoom from computers on my network?


The worm installs a back door on the infected system on TCP ports 3127 through 3198. Someone can use this back door to do whatever comes to mind later. This is a serious threat. In the past, other worms have exploited back doors left by previous worms. (Nimda springs to mind -- it used a back door left by Code Red.)

Therefore, it's important that you clean the machines on your network, because if you don't, you're going to regret it later. Recent versions of the usual antivirus software should take care of it. Symantec offers a specific tool to clean Mydoom. If you don't clean your network now, you may have a less pleasant surprise in a month or two, when some miscreant writes a follow-up worm.

Fortunately, you can use that back door to your advantage, as well. Get a network scanning tool like Nmap. (If you don't have Nmap already, go to http://www.insecure.org/.) Then, scan ports 3127-3198 on your network. If you find them open, take a closer look. Unfortunately, just because you find that port open doesn't mean it's infected. Port 3128, for example, is used by some HTTP proxies. If you look at the file "/etc/services" on some friendly Unix box, it lists what the port assignments often are. That can help if you get puzzled.
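The scan-then-check step described above, as an added example that is not part of the original answer: a Python helper that connect-scans the 3127-3198 range on a host you administer and labels each open port with its /etc/services assignment (a proxy on 3128, for instance), leaving open ports with no known assignment marked "investigate". It assumes Python 3 and a readable /etc/services, falling back to a constructed excerpt when that file is absent.

```python
import re
import socket

# Mydoom's back door listens on TCP 3127 through 3198 (inclusive), per the answer above.
MYDOOM_PORTS = range(3127, 3199)

# Constructed /etc/services excerpt (not a real file dump) used when running offline.
SAMPLE_SERVICES = """\
squid           3128/tcp    # HTTP proxy, a legitimate user of 3128
cisco-tdp       711/tcp
"""


def parse_services(text):
    """Parse /etc/services-style lines into {(port, proto): service_name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line)
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table


def scan_tcp(host, ports=MYDOOM_PORTS, timeout=0.5):
    """Connect-scan `host`; return the sorted list of ports that accept a TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def triage(open_ports, services):
    """Label each open port 'known:<name>' if /etc/services assigns it, else 'investigate'."""
    return {p: f"known:{services[(p, 'tcp')]}" if (p, "tcp") in services else "investigate"
            for p in open_ports}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # a host you administer
    try:
        services = parse_services(open("/etc/services").read())
    except OSError:
        services = parse_services(SAMPLE_SERVICES)
    for port, verdict in triage(scan_tcp(host), services).items():
        print(f"{host}:{port} open -> {verdict}")
```

Run it as `python3 mydoom_triage.py <host>` against each machine on your own network; anything reported as "investigate" in this range deserves the closer look the answer recommends.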


For more info on this topic, visit these SearchSecurity.com resources:
  • Security Alert: Mydoom-A
  • Featured Topic: Best practices for patch management
  • Best Web Links: Common vulnerabilities and prevention tips

    This was first published in February 2004
