Experts: Standard virus protection best way to fight Mydoom

Computerworld - Companies that are following recommended practices relating to secure e-mail use should be largely protected against the Mydoom virus and its variants, experts said.
Despite the speed with which the e-mail-borne menace has proliferated since the first variant was discovered on Monday, there's nothing about Mydoom, so far, that can't be dealt with by using antivirus, e-mail filtering and intrusion-detection technologies.
Mydoom, which is also known as Shimgapi and Novarg, started spreading earlier this week and has quickly become the most virulent e-mail virus ever.
The virus arrives as an e-mail with an attachment that can have various names and extensions, including .exe, .scr, .zip and .pif. When the attachment is executed, the worm starts sending copies of itself to other e-mail addresses stored in the infected computer. The first version of the virus, now called Mydoom.A is designed to attack The SCO Group Inc.'s Web site. A newer variant, dubbed Mydoom.B, which began surfacing earlier today, is apparently designed to enable similar denial-of-service attacks against Microsoft Corp.'s Web site. The variant also includes a feature that blocks infected computers from accessing sites belonging to vendors of antivirus products.
Companies that filter out e-mail attachments or analyze the contents of attachments are unlikely to have been affected much, said Darwin Ammala, computer security engineer for Harris Corp.'s STAT network security unit.
Bruce Hughes, director of malicious code research at TruSecure Corp.'s ICSA Labs, said about 80% of the company's clients already filter out at least five attachments that are commonly used in e-mail attacks. The remaining companies filter out even more attachments as a precaution against e-mail attacks, he said.
"From all indications, corporations of a size large enough to afford antivirus [technologies] at the e-mail gateway were unaffected," said Russ Cooper, moderator of NT Bugtraq and an analyst at Reston, Va.-based TruSecure.
Even in cases where the virus might have managed to infiltrate desktops, "most corporations will either notice, or block, outbound SMTP during such a virus outbreak" to stop the virus from spreading, Cooper said.

Several companies said that, so far, they have escaped the virus unscathed.
Online Resources Corp., a Reston-based online bill processing firm, hasn't been touched by Mydoom as yet. "We were not infected," said Hugh McArthur, information security officer at the firm. "I attribute that to a combination of keeping our antivirus products, especially at the gateways, up to date, along with a strong user awareness program."
The company also uses more than one antivirus product to add an extra layer of protection and redundancy to its virus-detection efforts, McArthur said.
Edward York, chief technology officer at 724 Inc., an application service provider in Lompoc, Calif., also said he has had few problems dealing with Mydoom so far.
"It mildly affected us beginning on Sunday evening by way of network congestion only," York said. "No servers were infected. I quickly added some filters to our mail server to filter out most of it. We still get some attachments which somehow sneak through, but we are blocking about 90% of the incidents."
Baker Hill Corp., a Carmel, Ind.-based application service provider, saw about 50 of its systems infected by Mydoom before its antivirus vendor had a fix for the worm, said Eric Beasley, senior network manager at the company.
Even so, only one user actually clicked on the attachment to activate the worm, he said. An antivirus product installed on the user's desktop quickly detected the worm and alerted administrators, Beasley said.
Since then, Baker Hill has updated its antivirus signatures. Baker Hill also uses a service provider to scan all of its e-mail for spam and has seen no evidence of Mydoom since the provider began stripping out all e-mail attachments containing the worm, he said.
"We are pleasantly surprised by how little it has affected us so far," said Trey Miller, manager of telecom services at Vertis Inc., a Baltimore-based advertising and media services company.
Vertis uses virus-protection services from Postini Inc. and has so far seen little evidence of Mydoom on its internal network, Miller said.