Zone Labs Home Security you can trust.
Search Site
    
  
 
Home/Office Products
Download & Buy
Enterprise Solutions
Service & Support
Partner Programs
About Zone Labs LLC
 
Home
Site Map
Privacy Policy
Contact Us

 

Zone Labs Security Advisory Severity: High

MyDoom.A Worm

Overview: Zone Labs has identified a new mass-mailing worm referred to as MyDoom rapidly spreading across the Internet. MyDoom has been classified as "High Risk"—end users should use extreme caution when opening suspicious email.

Date Published: January 26, 2004
Last Update: January 27, 2004

Impact: Upon execution the worm copies itself to several files:

  • c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
  • c:\WINDOWS\Desktop\Document.scr
  • %sysdir%\taskmon.exe
  • %sysdir%\shimgapi.dll

and modifies at least one registry key on the infected host:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"

MyDoom also attempts to open TCP port 3127 on the local machine. ZoneAlarm® users will receive a "ZoneAlarm Alert" if this worm infects their host and attempts to open TCP port 3127. When prompted, the Zone Labs user can select “No” to deny this application server access to the local machine.

Platforms Affected: Microsoft Windows operating systems: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP.

Description: The worm email has the following properties:

From: (Spoofed source address)
Subject: (Random)
Body: (Single-line spoofed error message)
The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

File Extension: .bat, .exe, .pif, .scr, .zip
File size: 22,528 bytes

[Note: The From: line is spoofed, meaning it can contain any email address, not necessarily the email address of the sender.]

The MyDoom worm spreads via email and file sharing networks. The worm employs a random subject line, source address and email body to confuse the intended victim. Upon infection, the worm copies itself to several files, modifies several registry keys and attempts to open TCP port 3127 on the infected host. It also executes notepad and fills it with characters. By using what appears to be an email error message, the worm may further confuse victims and be somewhat more difficult to identify.

Zone Labs Products: End users should employ ZoneAlarm Plus or ZoneAlarm Pro to ensure the most comprehensive protection. Outbound MailSafe Protection as well as Program Control will prevent the worm from propagating or connecting to other systems.

While the free version of ZoneAlarm can prevent an infected host from further exploitation by not allowing the worm to open TCP port 3127, it does not provide the enhanced MailSafe Protection. Users of the free ZoneAlarm should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe features.

Recommended Actions

ZoneAlarm® Plus and ZoneAlarm® Pro Users:

  • Closely monitor new applications requesting server access on TCP port 3127.
  • Do not permit any rogue process to transmit e-mail messages:
      — Application: taskmon.exe Destination IP: Any: 25/TCP
  • Ensure Inbound/Outbound MailSafe protection is enabled within ZoneAlarm Plus or ZoneAlarm Pro.
  • Add *.zip to the list of attachment extensions to block within ZoneAlarm Plus/Pro.
  • Update antivirus products to provide the most up-to-date protection.
  • Extreme care should be taken when opening any email attachment.

ZoneAlarm Free Users:

  • Closely monitor new applications requesting server access on TCP port 3127.
  • Do not permit any rogue process to transmit e-mail messages:
      — Application: taskmon.exe Destination IP: Any: 25/TCP
  • To enable MailSafe protections, consider upgrading to ZoneAlarm Pro.
  • Update antivirus products to provide the most up-to-date protection.
  • Extreme care should be taken when opening any email attachment.

Users of POP3 or IMAP based mail software such as Outlook, Outlook Express or Eudora should enable Inbound and Outbound MailSafe Protection in ZoneAlarm Pro or Integrity. Note that Inbound MailSafe Protection is normally enabled by default. End users should add blocking for the .zip extension. Users of the free ZoneAlarm should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe features.

ZoneAlarm, ZoneAlarm Plus, ZoneAlarm Pro, and Integrity users should not allow a program with a random 3 to 8 digit name to act as a server on port 3127.

Related Resources:

Contact: Zone Labs customers who are concerned about these vulnerabilities or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp. To report security issues with Zone Labs products contact security@zonelabs.com.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2004 Zone Labs LLC All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs LLC Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC All other trademarks are the property of their respective owners.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.

 

    Home    Home/Office Products     Download & Buy     Enterprise Solutions     Service & Support     Partner Programs     About Zone Labs  

©1999-2006 Zone Labs LLC All rights reserved.