
Best practices for cleaning up Mydoom mess

By Michael S. Mimoso, Senior News Editor
27 Jan 2004 | SearchSecurity.com


Most antivirus packages have been updated to combat the virulent Mydoom-A worm, which spread at an alarming rate overnight. Enterprise e-mail and network administrators, however, should follow several best practices to cleanse their systems and prevent further infections.

Mydoom, also called Novarg-A by Symantec Security Response and Mimail-R by Trend Micro, is a mass-mailing worm that also spreads via the Kazaa peer-to-peer file-sharing network and is set to launch a denial-of-service attack against the Web site of Linux scourge The SCO Group.

It also opens two ports, 3127 and 3198, which is a clear sign of infection. The open ports could give an attacker access to network resources or allow him to execute arbitrary code.

Experts are advising administrators to ensure that their antivirus signatures are updated to include the pattern file that combats Mydoom-A.

In the meantime, admins are advised to block, at the gateway, executable files that have no business function. Mydoom travels as an executable attached to an e-mail or compressed in a zip file, which many enterprises allow through their gateways. Inside, however, the worm's file extension varies, and it could arrive as .bat, .exe, .pif, .cmd or .scr. Blocking any of these extensions is a viable workaround, experts said.
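To make the gateway advice concrete, here is an added example in Python (not code from the article or from any vendor it quotes): a filter that parses a MIME message, flags attachments carrying the extensions listed above, and opens zip attachments to look for those extensions inside, since the worm also travels compressed. The message it builds is constructed test input, not a worm sample, and the example.test addresses are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The attachment extensions the article lists as Mydoom carriers.
BLOCKED_EXTENSIONS = {".bat", ".exe", ".pif", ".cmd", ".scr"}


def has_blocked_extension(filename: str) -> bool:
    """Case-insensitive check of the file's final extension against the block list."""
    name = filename.lower().strip()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def zip_blocked_members(data: bytes) -> list[str]:
    """Names of zip members whose extension is blocked.

    An archive that cannot be read is reported as a pseudo-member so the message
    is held for review instead of passing because the scanner could not look inside.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [name for name in archive.namelist() if has_blocked_extension(name)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def find_blocked_attachments(raw_message: bytes) -> list[str]:
    """Walk the MIME parts of a message and list what should stop it at the gateway:
    bare executables (by extension) and zip archives that contain one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if has_blocked_extension(filename):
            findings.append(filename)
        # Look inside anything that claims to be a zip, or that starts with the
        # zip local-file-header signature whatever its declared name or type.
        elif filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(f"{filename}:{member}" for member in zip_blocked_members(payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test input (not a real worm sample): a short text body, a bare
    .pif attachment and a zip that hides a .scr file next to a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "admin@example.test"
    msg["Subject"] = "Hi"
    msg.set_content("test")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="message.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.scr", "not a real program")
        archive.writestr("notes.txt", "plain text")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in find_blocked_attachments(build_sample_message()):
        print("blocked:", finding)
```

The filter decides on the file name's extension and on the zip signature rather than on the declared MIME type, because the sender controls the Content-Type header; an unreadable archive is treated as suspicious rather than passed.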

Content filtering for the worm is difficult because it uses many different subject lines and message bodies. It sometimes uses "Hi," "Hello," and "TEST" as subject lines, but blocking these messages would result in many false positives.

"People commonly use those subject lines," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC. "Plus it can use random subjects as well."

Administrators should note that if the worm is executed, it drops a copy of itself into the Windows System directory as taskmon.exe. It also adds the registry value "TaskMon" = %SysDir%\taskmon.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at startup.

Mydoom also drops a DLL in the Windows System directory called shimgapi.dll that is injected into the Explorer.exe process upon reboot. Admins must reboot systems and terminate the Explorer.exe process, according to Network Associates.

Mydoom also drops a copy of itself into the Kazaa peer-to-peer file-sharing program's shared directory. If administrators know Kazaa is installed on their networks, they should search for the following file names and delete them: nuke2004; office_crack; rootkitXP; strip-girl-2.0bdcom_patches; activation_crack; icq2004-final; winamp.
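The host-side indicators in the preceding paragraphs (the two listening ports, the TaskMon Run value, the two dropped files and the Kazaa share names) lend themselves to a triage script. The following is an added example in Python, not code from the article or from Network Associates, Symantec or Trend Micro. It assumes the text formats of Windows `netstat -ano` and `reg query` output as shown in the constructed samples; the sample data, PIDs and paths are made up for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Indicators as reported in the article.
BACKDOOR_PORTS = {3127, 3198}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "taskmon"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
KAZAA_NAMES = {"nuke2004", "office_crack", "rootkitxp", "strip-girl-2.0bdcom_patches",
               "activation_crack", "icq2004-final", "winamp"}

# One `netstat -ano` row: proto, local addr:port, foreign addr, state, pid.
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


def listening_backdoor_ports(netstat_output: str) -> list:
    """(port, pid) for every TCP listener on one of the backdoor ports."""
    hits = []
    for line in netstat_output.splitlines():
        match = NETSTAT_ROW.match(line)
        if match and int(match.group(1)) in BACKDOOR_PORTS:
            hits.append((int(match.group(1)), int(match.group(2))))
    return hits


def taskmon_run_value(reg_query_output: str) -> Optional[str]:
    """Command stored in the TaskMon value of the Run key, or None if absent.

    `reg query` prints each key name unindented, followed by indented
    `name  type  data` rows; only rows under the Run key are considered.
    """
    under_run_key = False
    for line in reg_query_output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            under_run_key = line.strip().lower() == RUN_KEY.lower()
            continue
        if under_run_key:
            fields = line.split(None, 2)  # the data field may itself contain spaces
            if len(fields) == 3 and fields[0].lower() == RUN_VALUE_NAME:
                return fields[2]
    return None


def dropped_files_present(system_dir_listing: list) -> list:
    """Dropped worm files found in a listing of the Windows System directory."""
    return sorted(f for f in system_dir_listing if f.lower() in DROPPED_FILES)


def kazaa_share_hits(share_listing: list) -> list:
    """Shared files matched by name stem, so the extension on the copy does not matter."""
    return sorted(f for f in share_listing
                  if PureWindowsPath(f).stem.lower() in KAZAA_NAMES)


def triage(netstat_output, reg_query_output, system_dir_listing, share_listing) -> dict:
    """Combine the four checks into one report for the host."""
    return {
        "backdoor_listeners": listening_backdoor_ports(netstat_output),
        "run_value": taskmon_run_value(reg_query_output),
        "dropped_files": dropped_files_present(system_dir_listing),
        "kazaa_files": kazaa_share_hits(share_listing),
    }


def is_infected(report: dict) -> bool:
    """Any single indicator is enough to pull the host for cleanup."""
    return any(bool(value) for value in report.values())


# Constructed sample data in the shape of the command output; not from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.20:1043      192.168.1.5:25         ESTABLISHED     1488
"""
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    TaskMon    REG_SZ    C:\WINDOWS\System32\taskmon.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\System32\ctfmon.exe
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "TASKMON.EXE", "shimgapi.dll", "notepad.exe"]
SAMPLE_KAZAA_SHARE = ["nuke2004.exe", "song.mp3", "winamp.pif", "rootkitXP.scr"]

if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, SAMPLE_REG_QUERY, SAMPLE_SYSTEM_DIR, SAMPLE_KAZAA_SHARE)
    print("infected" if is_infected(report) else "clean", report)
```

The PID from the netstat row is worth keeping in the report: it identifies the process holding the backdoor port, which on an infected host is the Explorer.exe process carrying the injected DLL, and that is the process the article says must be terminated after reboot.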
