Severity: High
MyDoom.B Worm
Overview: Zone Labs has identified a MyDoom worm variant referred to as MyDoom.B. Like the original MyDoom mass-mailing worm, MyDoom.B has been classified as "High Risk"—end users should use extreme caution when opening suspicious e-mail.
Date Published: January 28, 2004 Last Update: January 28, 2004
Impact: MyDoom.B attempts to overwrite the host file, preventing access to numerous websites. ZoneAlarm, ZoneAlarm Pro, and ZoneAlarm Plus versions 4.5 and newer provide host file protection. Once enabled, this feature will not allow MyDoom.B to modify the host file. To enable host file protection within our software:
- Open the ZoneAlarm interface
- Browse to Firewall > Main and select "Advanced"
- Under "General Settings" select (add checkmark) "Lock host file"
Upon execution, the worm creates at least one new file, modifies at least one registry key on the infected host:
- HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = "%System%\ctfmon.dll"
and attempts to open and listen on one of the following TCP ports:
- 1080/TCP
- 3128/TCP
- 80/TCP
- 10080/TCP
ZoneAlarm® users will receive a "ZoneAlarm Alert" if this worm infects their host and attempts to open one of the TCP ports listed above. When prompted, Zone Labs users can select "No" to deny the application server access to the local machine.
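As an added illustration, not Zone Labs or ZoneAlarm code, the following Python script shows how an administrator could check captured host data for the indicators this section lists: entries in the host file beyond the expected loopback line, a server process with the random 3-to-8-digit name described under Recommended Actions listening on one of the four TCP ports, and the InProcServer32 registry value above. The host file text, the listener table and the registry triples are constructed samples; the expected host file contents and the shape of the listener table are assumptions of this example, not something the advisory specifies.

```python
"""Host-side indicator check for the behaviour described in this advisory.

Added example, not Zone Labs code. It works on text captured from a host
(a hosts file and a listener table) so it runs offline on the constructed
samples below; the port numbers and the registry value come from the
advisory, everything else is an assumption.
"""
import re

# TCP ports the advisory says the worm tries to listen on.
SUSPECT_PORTS = {1080, 3128, 80, 10080}

# The advisory's rule of thumb: a server process with a random 3-to-8-digit name.
RANDOM_DIGIT_NAME = re.compile(r"^\d{3,8}(\.exe)?$", re.IGNORECASE)

# Registry value the advisory lists (key, value name, data).
SUSPECT_REGISTRY = (
    r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32",
    "(Default)",
    r"%System%\ctfmon.dll",
)

# Assumption: a clean host file contains only the loopback entry.
EXPECTED_HOSTS = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def unexpected_hosts_entries(text):
    """Entries outside the expected loopback set.

    A mass rewrite of the host file (the advisory's "preventing access to
    numerous websites") shows up as many names pointed at 0.0.0.0 or 127.0.0.1.
    """
    return [e for e in parse_hosts(text) if e not in EXPECTED_HOSTS]


def suspicious_listeners(listeners):
    """listeners: iterable of (process_name, port) pairs.

    Flags the advisory's pattern: a digit-named process acting as a server on
    one of the suspect ports. A normally named web server on 80 is not flagged.
    """
    return [
        (proc, port)
        for proc, port in listeners
        if port in SUSPECT_PORTS and RANDOM_DIGIT_NAME.match(proc)
    ]


def registry_matches(values):
    """values: iterable of (key, name, data) triples exported from the host.

    Returns True when the advisory's InProcServer32 value is present.
    """
    key, name, data = SUSPECT_REGISTRY
    return any(
        k.lower() == key.lower() and n.lower() == name.lower() and d.lower() == data.lower()
        for k, n, d in values
    )


# ---- constructed sample input (not captured from a real infection) ----
SAMPLE_HOSTS = """\
# constructed sample host file
127.0.0.1       localhost
0.0.0.0         example-av-vendor.test   # constructed entry
0.0.0.0         update.example.test      # constructed entry
"""

SAMPLE_LISTENERS = [
    ("svchost.exe", 135),
    ("4817.exe", 3128),   # constructed: digit-named process on a suspect port
    ("httpd.exe", 80),    # legitimate web server on 80: not flagged
]

SAMPLE_REGISTRY = [
    (r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32",
     "(Default)", r"%System%\ctfmon.dll"),
]


def assess(hosts_text=SAMPLE_HOSTS, listeners=SAMPLE_LISTENERS, registry=SAMPLE_REGISTRY):
    """Combine the three checks into one findings dict."""
    return {
        "hosts_entries": unexpected_hosts_entries(hosts_text),
        "listeners": suspicious_listeners(listeners),
        "registry": registry_matches(registry),
    }


if __name__ == "__main__":
    for check, result in assess().items():
        print(f"{check}: {result}")
```

Run as-is it reports the two constructed host-file entries, the digit-named listener on 3128/TCP and a registry match, while the legitimate web server on 80/TCP stays unflagged because the name rule from this advisory is required as well as the port.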
Platforms Affected: Microsoft Windows operating systems: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows Server 2003, and Windows XP.
Description: The worm email has the following properties:
From: (Spoofed source address)
Subject: (Random)
Body: (Single-line spoofed error message), one of:
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
File Extension: .bat, .cmd, .exe, .pif, .scr, .zip
[Note: The From: line is spoofed, meaning it can contain any email address, not necessarily the email address of the sender.]
The MyDoom.B worm spreads via e-mail and file sharing networks. The worm employs a random subject line, source address and e-mail body to confuse the intended victim. Upon infection, the worm copies itself to several files, modifies several registry keys and attempts to open a single TCP port on the infected host.
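The mail-side counterpart, as an added example that is not part of this advisory or of any Zone Labs product: a small Python triage routine that parses a message, flags attachments with the extensions listed above (with *.zip, which Recommended Actions says to add), and flags a body that consists solely of one of the spoofed error-message texts quoted above. The sample message it builds is constructed; the placeholder addresses and subject are assumptions.

```python
"""Mail-gateway triage for the message shape described in this advisory.

Added example, not Zone Labs code. It builds a constructed message in memory
and applies two of the advisory's recommendations: block the listed
attachment extensions (including .zip) and flag the worm's single-line
spoofed error-message bodies.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the advisory lists, including the recommended *.zip block.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}

# Spoofed bounce texts the advisory quotes for the message body (lower-cased).
SPOOFED_BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "the message contains mime-encoded graphics and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}


def attachment_names(msg):
    """File names of all attachments, walking multipart messages."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def blocked_attachments(msg):
    """Attachments whose extension is on the block list (case-insensitive)."""
    return [n for n in attachment_names(msg)
            if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]


def body_is_spoofed_bounce(msg):
    """True when the plain-text body is exactly one of the quoted error messages."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    text = " ".join(body.get_content().split()).lower()
    return text in SPOOFED_BODIES


def triage(raw_bytes):
    """Parse raw RFC 822 bytes and return a verdict dict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    blocked = blocked_attachments(msg)
    spoofed = body_is_spoofed_bounce(msg)
    return {
        "blocked_attachments": blocked,
        "spoofed_bounce_body": spoofed,
        # A genuine bounce carries no executable or archive attachment, so
        # either indicator alone is enough to quarantine under the advisory's rules.
        "quarantine": bool(blocked) or spoofed,
    }


def build_sample(filename="document.zip",
                 body="Mail transaction failed. Partial message is available."):
    """Constructed sample message resembling the advisory's description.

    The addresses are placeholders. The From: header is "spoofed" in the
    sense the advisory means: it is simply whatever the sender wrote.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Error"
    msg.set_content(body)
    msg.add_attachment(b"\x00constructed-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample("report.txt", "Quarterly figures attached.")))
```

The second call in the usage block shows the negative case: a .txt attachment with an ordinary body produces no findings, so the routine quarantines on the advisory's indicators rather than on every message with an attachment.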
Zone Labs Products: End users should employ ZoneAlarm Plus or ZoneAlarm Pro to ensure the most comprehensive protection. Outbound MailSafe Protection as well as Program Control will prevent the worm from propagating or connecting to other systems. Furthermore, ZoneAlarm host file protection will prevent modification of the host file.
While the free version of ZoneAlarm can prevent an infected host from further exploitation by protecting the local host file and not allowing the worm to act as a TCP server, it does not provide the enhanced MailSafe Protection. Users of the free version of ZoneAlarm should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe features.
Recommended Actions
ZoneAlarm® Plus and ZoneAlarm® Pro Users:
- Enable ZoneAlarm host file protection.
- Closely monitor applications requesting server access on TCP ports listed above.
- Do not permit any rogue process to transmit e-mail messages:
  - Application: [random]; Destination IP: Any; Port: 25/TCP
- Ensure Inbound/Outbound MailSafe protection is enabled within ZoneAlarm Plus or ZoneAlarm Pro.
- Add *.zip to the list of attachment extensions to block within ZoneAlarm Plus/Pro.
- Update antivirus products to provide the most up-to-date protection.
- Extreme care should be taken when opening any email attachment.
ZoneAlarm Users:
- Enable ZoneAlarm host file protection.
- Closely monitor applications requesting server access on TCP ports listed above.
- Do not permit any rogue process to transmit e-mail messages:
  - Application: [random]; Destination IP: Any; Port: 25/TCP
- To enable MailSafe protections, consider upgrading to ZoneAlarm Pro.
- Update antivirus products to provide the most up-to-date protection.
- Extreme care should be taken when opening any email attachment.
Users of POP3 or IMAP based mail software such as Outlook, Outlook Express or Eudora should verify Inbound and Outbound MailSafe Protection is enabled within ZoneAlarm Pro or Integrity. Users of the free version of ZoneAlarm should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe features.
ZoneAlarm, ZoneAlarm Plus, ZoneAlarm Pro, and Integrity users should not allow a program with a random 3 to 8 digit name to act as a server on the TCP ports listed above (see Section: Impact).
Related Resources:
- Computer Associates - cleaning utility available
http://www3.ca.com/virusinfo/virus.aspx?ID=38114
Contact: Zone Labs customers who are concerned about these vulnerabilities or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp. To report security issues with Zone Labs products contact security@zonelabs.com.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs LLC. Check Point Integrity is protected under U.S. Patent No. 5,987,611, Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.