How to take the sting out of Mydoom

It's only February, and we've already seen this year's first major outbreak of malicious code, Mydoom.

If that isn't bad enough, this insidious worm, like many before it, has spawned several offshoots or variants. One of the most interesting aspects of this worm's propagation scheme is that it doesn't exploit any known (or even unknown) flaw in any operating system or application code.

Instead, Mydoom exploits a human flaw -- one's natural tendency to trust. Using this simple social-engineering technique, the worm arrives with one of the following file extensions -- .bat, .cmd, .exe, .pif, .scr or .zip. -- and attempts to lure the recipient, using a catchy subject line, into clicking on the attachment, thereby activating the worm. While many organizations have strict rules about opening e-mail message attachments from unknown parties, there are millions of home and small-business users who simply are unprepared for this type of trickery.

If you suspect that you may have this insidious worm wriggling it's way through your system, a handy free download can help. Network Associates, the parent company of McAfee, has put together a convenient stand-alone utility called McAfee AVERT Stinger. The Stinger utility is used to detect and remove dozens of specific viruses that have plagued us of late.

It's important to note that, according to Network Associates, "Stinger is not a substitute for full antivirus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next-generation scan-engine technology, including process scanning, digitally signed DAT files and scan performance optimizations."

Microsoft has also released its own "multipurpose" removal tool for Mydoom.A, Mydoom.B and Doomjuice. In fact, nearly every antivirus software vendor offers a free removal tool for Mydoom and/or variants of it. However, none is as cool or comprehensive as McAfee's Stinger.

To prevent the proliferation of malicious code, the Center for Information Technology for the National Institutes of Health offers the following tips:

  • Do not open e-mail attachments unless you know the sender and are expecting the attachment.
  • Do not use pirated, hacked or otherwise illegal copies of programs.
  • Do not run programs obtained from unfamiliar bulletin-board systems or from the Internet without first scanning for viruses.
  • 1pixclear.gif
    Douglas Schweitzer
    1pixclear.gif
  • Make sure you log off or lock your system when you leave your desk.
  • Back up your files frequently in case you need to restore corrupted information.
  • Use antivirus software to scan for viruses on all new software -- including any off-the-shelf product -- prior to installing it on your system.

In addition to up-to-date antivirus software, a personal firewall can also help detect the presence of malicious code. For example, computers infected by Mydoom have opened "back doors" -- TCP ports 3127 through 3198 -- with the intent of providing easy entry into infected machines. This offers further proof that a bidirectional personal firewall is a must.

According to Symantec, "while the worm will stop on February 12, 2004, the backdoor component will continue to function after this date." Therefore, it is imperative that your systems be scanned. Symantec offers numerous virus-specific removal tools on its Web site that can help remove and mitigate any resultant damage.

One final note: While e-mail attachments are handy tools for conducting business, keep in mind that e-mail attachments with the file extensions .pif, .vbs and .shs are rarely, if ever, used in normal attachments but are frequently employed by malicious code.

In the words of British statesman and philosopher Edmund Burke, "Better be despised for too anxious apprehensions, than ruined by too confident security."

Copyright © 2004 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon