ABOUT THE VIRUS
A new virus, MyDoom (also called Novarg by some vendors, Mimail.R by others), is erupting on the Internet right now. Network Associates received 19,500 copies of the virus from over 3,400 email addresses in a single hour Monday afternoon, an extremely high rate. MyDoom seems to have been launched today, around 1:00 PM Pacific Standard Time. The virus presents a well-worded message advising that its attachment was necessary because a technical error prevented normal email transmission, a more clever social-engineering ploy than the garden variety “Here, open this.” Since this new virus carries a trojan, MyDoom might feel appropriately named to its victims.
A MyDoom e-mail spoofs its sender so that it appears to come from one of your friends, contacts, or a credible institutions such as a bank or phone company. The Subject is randomized. So far we’ve seen the variations below:
~ Mail Delivery System
~ Mail Transaction Failed
~ Server Report
~ Server Request
MyDoom is so new that the anti-virus vendors have not compiled their list of variations at the time of this writing. There may be other Subjects we haven’t listed. MyDoom’s body is also random. So far we know of these three variations:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
We believe those credible bodies partly contribute to MyDoom’s suceess. They certainly sound like legitimate errors and lead one to believe that the attached file could be the message that your e-mail client can’t display. Don’t fall for it!
MyDoom uses random attachments that try to look like documents. It uses the following extensions:
.zip <-- (The zip file contains an executable that looks like a document; e.g., doc.txt [lots of spaces] .exe)
Although details are still developing, MyDoom starts like most viruses. If one of your users runs the virus’ attachment, it starts by copying itself to his computer and adding registry entries to ensure that it can restart if your user reboots. It also harvests e-mail addresses from a number of different file types and sends itself to others.
According to the latest breaking news, MyDoom also seems to spread through the popular Kazaa P2P, file-sharing application. Other reports indicate MyDoom is engineered to target SCO for a Denial of Service attack.
Finally, MyDoom installs a backdoor by opening a connection on TCP port 3127. This could allow the virus author access to control an infected machine.
This virus has spread so fast that the anti-virus vendors are still researching it. MyDoom’s code is encrypted so it may take awhile for the vendors to assess its true scope. We recommend you intermitently check McAfee’s alert for the latest developments.
WHAT YOU CAN DO
As always, remind your users never to open unexpected attachments from any source.
Most major anti-virus vendors already have signatures that detect MyDoom. Check with your vendor for the latest update. If there is no MyDoom update, search on variant names Novarg, Shimg, or Mimail.R, which are terms for the same virus.
Firebox II / III and Vclass owners should follow the steps below. The SMTP proxy can help.
Suggestions for SOHO owners
If you have a SOHO, your best bet to stop this worm is to get new virus definitions from your vendor. Don’t open e-mail attachments unless they contain material you requested or expect. Scan e-mail attachments with your anti-virus software, and open them only if they are proven clean.
When it successfully infects a machine, MyDoom seems to open a connection using TCP port 3127 in an attempt to allow the virus author access to your machine. We recommend blocking this port, both Incoming and Outgoing. To do this, connect to your SOHO and click “Custom Service” on the left side of the screen. Name the service whatever you want (for example, Block_MyDoom_Trojan) and add TCP port 3127 to the “Protocol Settings.” Change both Incoming and Outgoing Filter to “Deny.” and Submit your changes. This will not prevent the worm from infecting you, but it should prevent the virus’ backdoor from reaching the author.
Suggestions for Firebox II / III owners
MyDoom uses many attachment types. The Firebox II and III’s SMTP Proxy blocks most of MyDoom’s attachments by default. However, it doesn’t block ZIP files by default. You can follow the steps below to block ZIP files either temporarily or permanantly. Since MyDoom uses different file names, blocking it requires you to block all ZIP files. Note that this procedure stops your users from receiving any ZIP file, whether malicious or not.
If you have an SMTP Proxy icon in the WatchGuard Policy Manager, double-click the icon, then go to Properties tab => Incoming => Content Types tab => check for “*.zip” in the box labeled “Deny attachments based on these file name patterns.” If you see *.zip in the list, your Firebox is configured to block this virus. If you don’t see .zip in the list, click the Add button and type *.zip.
If you don’t have an SMTP Proxy icon in the WatchGuard Policy Manager, go to: Edit => Add Service => Proxies => SMTP => Add => OK. The newly enabled service blocks the worm by default.
When it successfully infects a machine, MyDoom seems to open a connection using TCP port 3127 in an attempt to allow the virus author access to your machine. We recommend blocking this port, both Incoming and Outgoing. To do this, click “Edit => Add Service => New.” Name the service whatever you want (e.g., Block_MyDoom_Trojan) and click “Add.” Choose TCP port 3127, and for “Client Port,” choose Ignore from the drop-down menu, and click “OK” twice to add the service to the list of services. Now, double-click the new service to add it to your configuration. Change both Incoming and Outgoing to “Enabled and Denied” and press “OK.” Make sure to save this change to your Firebox This change will not prevent the worm from infecting you, but it should prevent the virus’ backdoor from reaching the author.
Suggestions for Vclass owners
Your Vclass does not block .zip files by default. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .zip attachments. Keep in mind, this does prevent your users from receiving any ZIP file whether malicious or not. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks all .zip files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type ZIP files as the new rule’s name, and choose “Pattern Match.” Next to Pattern Match, type *.zip and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure zip files are blocked.
When it successfully infects a machine, MyDoom seems to open a connection using TCP port 3127 in an attempt to allow the virus author access to your machine. We recommend blocking this port, both Incoming and Outgoing. To do this, click on “Security Policy” in the Vcontroller software. Highlight one of your services and press “Insert.” Name the service anything you like (e. g., block.MyDoom). Choose “Any” for Source and destination. Next to “Service” click the “New” button. Name the new port “MyDoom.Trojan” and press “New.” For Protocol, choose TCP, and enter Server Port 3127. Press “Done” twice to get back to the “Insert Security Policy” window. Next to Firewall, choose “Block” and press “Done” to add the service. Finally, press “Apply” to add the service to your Vclass Firebox. This change will not prevent the worm from infecting you, but it should prevent the virus’ backdoor from reaching the author.