ALERT - TSA 04-001 - Win32.Mydoom@MM
Current Assessment: HOT
Initial Assessment: HOT
Current Assessment Date: January 26, 2004 Time: 22:00 UTC
Initial Assessment Date: January 26, 2004 Time: 22:00 UTC
Threat: This is a new mass-mailer worm that appears to be spreading quickly and will likely gain significant traction because it travels as a .zip file. Also, most AV products do not detect this worm without an updated signature file.
Vulnerability Prevalence: High - Many organizations and most home users do not block incoming .zip files, which will allow this worm to spread.
Cost: Moderate - At this time the cost appears to be mostly clean-up related.
Summary: This new mass-mailer worm, MyDoom, arrives as an e-mail attachment that appears to be a text file. Reports indicate that it is spreading rapidly in the wild. Virus definitions are available.
MITIGATIONS:
1. TruSecure recommends blocking .zip and executable attachments (including .exe, .pif, .cmd and .scr) at the mail gateway.
2. TruSecure also recommends that companies block port 3127/tcp both in-bound and out-bound.
3. Updating your anti-virus signatures is also recommended.
Description
---------------------------------
Worm/MyDoom is a worm that spreads via e-mail and arrives on the system as a .zip or executable file that appears to be a text file.
The worm arrives in an e-mail with a spoofed From: field, and random Subject: and Body: lines. The file name of the attachment varies, as does the extension. The worm may arrive as an executable file bundled in a .zip archive. The possible file extensions that the worm may use are .exe, .pif, .cmd and .scr. Worm/MyDoom uses an icon for this file that makes it appear to be a text file.
When the worm executes, it copies itself to the %System% directory as the files taskmon.exe and shimgapi.exe. It also copies itself as the file C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr. The worm may also open Notepad, displaying random characters.
The worm adds the value TaskMon = "%System%\taskmon.exe" to the following registry key to ensure that it executes each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm opens port 3127/tcp, and may perform a distributed denial of service (DDoS) attack against "www.sco.com."
Users are advised to block port 3127/tcp and to filter .exe, .pif, .cmd, .scr and .zip files.
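The gateway filter recommended in the mitigations above and restated here has one subtlety worth coding rather than describing: the worm's executable (.exe, .pif, .cmd or .scr) may be wrapped in a .zip, so a filter that only looks at the outer attachment name must still open the archive and inspect the member names. The following is an added example written for this alert, not TruSecure's or any vendor's code; the message it inspects is constructed inline (the .scr inside the zip is a few harmless bytes, not a worm sample), and the function and reason-string names are this example's own.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the alert recommends blocking at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".cmd", ".scr"}
# Archive types the worm is reported to travel inside; the alert blocks these outright.
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased final extension of a file name ('' if none), so 'readme.PIF' matches '.pif'."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def suspicious_attachments(raw_message):
    """Return [(attachment_name, reason), ...] for every attachment the gateway should block.

    Flags blocked executable extensions, any .zip archive, and (by opening the
    archive in memory) any executable member hidden inside a .zip.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = _ext(fname)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((fname, "blocked extension %s" % ext))
            continue
        if ext in ARCHIVE_EXTENSIONS:
            findings.append((fname, "blocked archive type %s" % ext))
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        member_ext = _ext(member)
                        if member_ext in BLOCKED_EXTENSIONS:
                            findings.append((fname, "archive member %s has blocked extension %s"
                                             % (member, member_ext)))
            except zipfile.BadZipFile:
                # A .zip that does not parse is still blocked above; record why it could not be inspected.
                findings.append((fname, "archive could not be parsed"))
    return findings


def should_block(raw_message):
    """Gateway decision: True if any attachment matched the filter."""
    return bool(suspicious_attachments(raw_message))


def build_sample_message():
    """Constructed test message (not a captured worm e-mail): a .zip wrapping a .scr,
    a bare .PIF, and a benign .txt, mirroring the delivery pattern the alert describes."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("document.scr", b"not a real executable")  # harmless placeholder bytes
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # the worm spoofs From:, per the alert
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hi"
    msg.set_content("test")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    msg.add_attachment(b"also not an executable", maintype="application",
                       subtype="octet-stream", filename="readme.PIF")
    msg.add_attachment("plain notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print("%s: %s" % (name, reason))
```

The check is case-insensitive and reads member names straight from the zip central directory, so it costs nothing beyond parsing the archive; it does not recurse into nested archives, which is consistent with the alert's advice to block .zip attachments altogether rather than try to vet their contents.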
DISCLAIMER: Copyright 2004 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.
Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.
IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.