How To Protect Against MyDoom

One expert offers advice on steps businesses and consumers can take to avoid the virus.

InformationWeek Staff, Contributor

February 9, 2004

2 Min Read

As the MyDoom worm blasts through the Internet, enterprises and individuals can take steps to protect themselves against infection, according to a security expert from Symantec's security-response team.

Alfred Huger, the senior director of engineering with Symantec's virus-watch group, suggested that organizations filter at the gateway for MyDoom's various subject headings. They include: test, hi, hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status, and Error.

"Start dropping mail with those subject lines immediately," Huger recommended. But because filtering for those generic subject headings may also drop some valid messages, organizations should be prepared to cull the deferred messages before deletion, he said.

Other tactics users and companies can take include the typical--update virus definitions at both the gateway and on desktops--and the unusual. "Make sure that no one in the enterprise is using Kazaa," he said, noting that MyDoom can spread through that peer-to-peer software as well as via E-mail.

Like other recent worms, MyDoom can disguise its payload as any number of file types. Newer E-mail clients, such as the popular Microsoft Outlook, automatically block most of those types, but not all of them; the most notable exception is the .zip extension, which lets an archived executable pass a client that would reject the bare file.

"Enterprises should block .zip attachments at the gateway," Huger said, "unless these types of files have a legitimate business purpose."
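The two gateway checks described above (matching the listed subject lines and holding .zip attachments) can be combined in one filter. The following is an added example, not code from the article or from Symantec; the message builder, the sample messages and the `classify` function are all constructed here for illustration. Because the subject lines are generic, matches are returned as a "quarantine" disposition with reasons attached, rather than being deleted outright, so an operator can cull false positives before anything is discarded, as the article advises.

```python
"""Gateway-side MyDoom mail filter (added example; not the article's or Symantec's code).

Checks two things the article recommends filtering at the gateway:
  1. Subject lines known to be used by MyDoom (exact match, case-insensitive).
  2. Attachments with a .zip extension.
A match yields "quarantine" plus a list of reasons, never silent deletion.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed in the article. Matched after trimming and lower-casing.
MYDOOM_SUBJECTS = frozenset(s.lower() for s in (
    "test", "hi", "hello", "Mail Delivery System", "Mail Transaction Failed",
    "Server Report", "Status", "Error",
))

# The article singles out .zip; extend only where no business need exists for the type.
BLOCKED_EXTENSIONS = (".zip",)


def attachment_names(msg):
    """Return the filenames of all non-multipart parts that carry one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message):
    """Parse a raw RFC 822 message and return (disposition, reasons).

    disposition is "quarantine" when any rule fires, else "deliver".
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        reasons.append(f"subject matches MyDoom list: {subject!r}")

    for name in attachment_names(msg):
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")

    return ("quarantine" if reasons else "deliver", reasons)


def build_message(subject, body, attachment_name=None):
    """Construct a sample message for testing the filter (constructed data)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Payload bytes are a stub; only the filename matters to the filter.
        m.add_attachment(b"PK\x03\x04stub", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: a worm-like message, a harmless generic subject, and a legitimate mail.
SAMPLES = {
    "worm_like": build_message("Mail Transaction Failed",
                               "The message could not be delivered; see attachment.",
                               "message.zip"),
    "generic_subject": build_message("hi", "Lunch tomorrow?"),
    "legit": build_message("Q1 budget review", "Numbers attached.", "budget.xlsx"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

Note that "generic_subject" is quarantined even though it is probably innocent; that is the false-positive cost the article warns about, and why the filter defers rather than drops.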

Additionally, MyDoom installs a backdoor that listens for commands on a range of TCP ports, Huger said. The backdoor serves two purposes: it gives attackers a way into infected systems, letting them upload and run other malicious code on the compromised machine, and it relays network connections, in effect adding the system to a pool of proxies for later spam and/or worm transmission.

To slam shut this backdoor, Huger advised organizations and users to block inbound TCP traffic on ports 3127 through 4000.
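Beyond blocking the range at the perimeter, firewall logs for that range show which internal hosts are already being contacted on the backdoor ports. The following is an added example, not from the article: it parses netfilter-style log lines (constructed here; the field layout `IN=... SRC=... DST=... PROTO=... DPT=...` is the Linux kernel's logging format) and reports, per internal destination, how many inbound TCP attempts hit the 3127-4000 range and from which sources. The port bounds follow Huger's advice and are parameters, not a claim about which ports the worm actually opens.

```python
"""Triage inbound hits on the MyDoom backdoor port range from firewall logs.

Added example, not from the article. Input lines follow the Linux netfilter
log format; the sample lines below are constructed.
"""
import re

# Range Huger recommends blocking inbound.
BACKDOOR_LOW, BACKDOOR_HIGH = 3127, 4000

# Fields we need from a netfilter log line. IN= is non-empty for inbound traffic.
_LINE = re.compile(
    r"IN=(?P<iface>\S*)\s+OUT=\S*\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def suspect_backdoor_hosts(lines, low=BACKDOOR_LOW, high=BACKDOOR_HIGH):
    """Return {dst_ip: {"hits": n, "sources": [src_ip, ...]}} for inbound TCP
    connection attempts whose destination port falls in [low, high]."""
    hosts = {}
    for line in lines:
        m = _LINE.search(line)
        if not m:
            continue  # not a netfilter line
        if not m.group("iface"):
            continue  # outbound (IN= empty): not what the block rule covers
        if m.group("proto").upper() != "TCP":
            continue  # backdoor is TCP only
        dpt = int(m.group("dpt"))
        if not (low <= dpt <= high):
            continue
        entry = hosts.setdefault(m.group("dst"), {"hits": 0, "sources": set()})
        entry["hits"] += 1
        entry["sources"].add(m.group("src"))
    # Sorted lists make the result stable and easy to report.
    return {dst: {"hits": e["hits"], "sources": sorted(e["sources"])}
            for dst, e in hosts.items()}


# Constructed sample log: two external sources probing 192.0.2.15 on 3127/3128,
# unrelated HTTPS and UDP traffic, and one outbound line that must be ignored.
LOG_LINES = """\
Feb  9 10:14:22 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=4312 DPT=3127 SYN
Feb  9 10:14:23 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=4313 DPT=3128 SYN
Feb  9 10:14:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.15 PROTO=TCP SPT=50211 DPT=3127 SYN
Feb  9 10:15:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=50212 DPT=443 SYN
Feb  9 10:15:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.20 PROTO=UDP SPT=53 DPT=3130
Feb  9 10:15:09 fw kernel: IN= OUT=eth0 SRC=192.0.2.15 DST=203.0.113.99 PROTO=TCP SPT=3127 DPT=25 SYN
""".splitlines()

if __name__ == "__main__":
    # A matching Linux perimeter rule for Huger's advice would be:
    #   iptables -A INPUT -p tcp --dport 3127:4000 -j DROP
    for dst, info in suspect_backdoor_hosts(LOG_LINES).items():
        print(dst, info)
```

Hosts that appear in the output are candidates for the cleanup step that follows, since repeated inbound attempts on that range suggest the address is already known to whoever is driving the backdoor.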

Many antivirus firms, including Huger's Symantec, have updated their software to account for MyDoom, so that the worm is detected and removed automatically; stand-alone tools for cleaning infected machines are also available on the Internet.

Sophos, for instance, has posted an automated removal tool on its Web site, while F-Secure also has a similar tool available.
