"MyDoom" Virus Alert
aka "W32.Novarg.A@mm" (Symantec) and "WORM_MIMAIL.R" (Trend Micro)
Virus Alert - January 26, 2004
A new computer worm/virus detected Monday afternoon is spreading VERY rapidly. Most Windows systems are vulnerable.
According to McAfee, the "MyDoom" worm -- also known as "W32.Novarg.A@mm" (Symantec) and "WORM_MIMAIL.R" (Trend Micro) -- uses a variety of different subject headings, and "spoofs" addresses (i.e. messages appear to be sent by people you know).
At least one version of the worm warns that there's a problem with the message, and urges you to click on the attached file to read the complete message. Naturally, this activates the virus.
Like most Windows worms and viruses, the "MyDoom" worm is spread by email. When activated, the worm sends itself by email as a file attachment. When the unsuspecting person at the other end clicks on the attached file, the worm infects the machine and spreads.
If you're using anti-virus software, update your virus definitions as soon as possible to avoid infection. Meanwhile, be sure not to open any uninvited file attachments sent by email.
How can you defend your computer against virus and worm attacks?
1. Beware File Attachments
Never open an "attached" file that arrives unexpectedly, even if it appears to be from someone you know. This is the most common way computer viruses are spread. Unless you are expecting to receive a file by email (e.g. family photos, or a document sent from work), you should be wary of any unsolicited attached file.
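The advice above can be enforced at the mail gateway rather than left to the reader's judgement. The following is an added example, not code from this alert or from any vendor it names: it parses a message with Python's standard email library, lists the attachments, and flags any whose final extension is on a block list. The block list itself is an assumption made for the example (the alert names no extensions), and the sample message is constructed to match the lure the alert describes, with inert filler bytes in place of a real attachment.

```python
"""Flag unsolicited executable attachments before a user can click them.
Added example for the "Beware File Attachments" advice; not code from the
alert or from any vendor named on the page."""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types this policy refuses outright.  This list is an assumption
# made for the example (the alert only says never to open an unexpected
# attachment); tune it to your own environment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments whose final extension is blocked.

    The check uses the *last* extension, so "report.doc.exe" is caught, and it
    deliberately ignores the From: header: the alert notes that senders are
    spoofed, so a familiar name is no evidence that the file is safe.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffix = os.path.splitext(name)[1].lower()
        if suffix in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample(filename: str) -> bytes:
    """Construct a sample message in the shape the alert describes: a familiar
    looking sender, a claim that the message is broken, and an attachment the
    reader is urged to open.  The attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed; looks like a known contact
    msg["To"] = "you@example.com"
    msg["Subject"] = "Error"                # one of "a variety of subject headings"
    msg.set_content("There was a problem with this message. "
                    "Open the attached file to read the complete message.")
    msg.add_attachment(b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("message.pif", "family-photo.jpg", "report.doc.exe"):
        verdict = risky_attachments(build_sample(name))
        print(f"{name:18} -> {'QUARANTINE' if verdict else 'pass'}")
```

A filter like this complements, rather than replaces, up-to-date virus definitions: it blocks by file type alone, so a new worm inside a format not on the list passes through, while anything the anti-virus engine already recognises is caught regardless of name.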
2. Install anti-virus software
These programs are designed to detect and quarantine known viruses and worms before they can infect your PC. Check out Norton Anti-Virus (Symantec) and PC-Cillin (Trend Micro).
3. Keep virus definitions updated
When new viruses and worms are detected, anti-virus software must be updated, to prevent future attacks. If your software doesn't know about the virus, it can't block it!
The shimgapi.dll file is injected into the EXPLORER.EXE process if the system has been rebooted after the infection has occurred. In this situation, a reboot and rescan is required to remove this DLL from the system.
Alternatively, the following EXTRA.DAT packages are available.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stinger
Stinger 1.97 has been made available to assist in detecting and repairing this threat. Please note that, to ensure complete repair, a reboot is required after running Stinger.
McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 3127.
ThreatScan users
The latest ThreatScan signature (2004-01-27) includes detection of the Mydoom virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.
ThreatScan users can also detect the backdoor portion of the virus by running a "Resource Discovery" task utilizing the port scanning options.
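Both the firewall advice (block incoming TCP port 3127) and the ThreatScan port-scanning task rest on the same observation: an infected machine accepts connections on that port. The following is an added example, not McAfee's or ThreatScan's code, that performs the equivalent check from a script, which is useful for confirming a cleanup or for sites without ThreatScan. Only port 3127 is taken from the alert; the host list, the `sweep` and `demo` helper names, and the throw-away loopback listener that stands in for an infected host are assumptions made for the example.

```python
"""Check administered hosts for a listener on TCP port 3127, the port the
alert tells McAfee Desktop Firewall users to block and the "backdoor
portion" a ThreatScan Resource Discovery port scan looks for.  Added
example; not McAfee's or ThreatScan's code."""
import socket

BACKDOOR_PORT = 3127  # the one port the alert names


def port_is_listening(host: str, port: int = BACKDOOR_PORT,
                      timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port is accepted within timeout.

    A refused or timed-out connection counts as "not listening".  A host whose
    firewall already drops the port looks the same, so treat False as absence
    of evidence, not as proof of a clean machine.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, port: int = BACKDOOR_PORT, timeout: float = 1.0) -> list:
    """Return the hosts in the list that accept a connection on port."""
    return [h for h in hosts if port_is_listening(h, port, timeout)]


def start_stand_in_listener(host: str = "127.0.0.1"):
    """Open a throw-away listener on an OS-chosen loopback port to stand in
    for an infected host during the demo (constructed; nothing is served).
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> tuple:
    """Sweep loopback while the stand-in listener is up, then again after it
    is closed.  Returns (found_while_open, found_after_close)."""
    srv, port = start_stand_in_listener()
    try:
        while_open = sweep(["127.0.0.1"], port=port)
    finally:
        srv.close()
    after_close = sweep(["127.0.0.1"], port=port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())   # expect (['127.0.0.1'], [])
```

Run the sweep from inside the network segment: once the firewall rule from the alert is in place, a check from outside the perimeter returns False for every host whether or not it is infected, which is exactly what the rule is for but tells you nothing about the machines behind it.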
To update your ThreatScan installations with the latest signatures, perform the following tasks:
- From within ePO, open the "Policies" tab.
- Select "McAfee ThreatScan" and then select "Scan Options".
- In the pane below, click the "Launch AutoUpdater" button.
- Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update, a message will appear stating that update 2004-01-27 has completed successfully.
- From within ePO, create a new "AutoUpdate on Agent(s)" task.
- Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp. Note that "tsc20" in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is "tsc25".
- Launch this task against all agent machines.
- When the task(s) complete, information will be available in the "Task Status Details" report.
To create and execute a new task containing the new update functionality, do the following:
- Create a new ThreatScan task.
- Edit the settings of this task.
- Edit the "Task option", "Host IP Range" to include all desired machines to scan.
To scan for the virus:
- Select the "Remote Infection Detection" category and "Windows Virus Checks" template, or
- Select the "Other" category and "Scan All Vulnerabilities" template.
To create and execute a new task to perform a port scan, do the following:
- Create a new Resource Discovery task.
- Edit the settings of this task.
- Edit the "Task option", "Host IP Range" to include all desired machines to scan.