Several New Email Worms Are Propagating Across the Internet
The email worm known as Novarg or MyDoom is causing heavy email traffic and affecting mail delivery worldwide.
For more technical information on this worm including removal tools, click here.
A technical note dealing with the more recent W32.Sober.X worm can be found here.
Also known as: MyDoom.B [F-Secure], W32/MyDoom.b@MM [McAfee], WORM_MYDOOM.B [Trend], Win32.MyDoom.B [Computer Associates], I-Worm.MyDoom.b [Kaspersky], W32/MyDoom-B [Sophos]
Variants: W32.MyDoom.A@mm, W32.Novarg.A@mm
The best defense against this worm is to implement the following steps (assuming you are running FirstClass Server and Internet Services version 7.1 or later).
Please consult the FirstClass Administrator's Guide or the FirstClass Internet Services Guide, located in your server's Online Help, before contacting support regarding these steps:
1. Restrict vulnerable attachment types
Restrict the following attachment types (see list below) at the permission group and/or Internet Services level (rules.attachmentblock, located in the Filters folder). Please note that changes to rules.attachmentblock require you either to restart Internet Services or to press the 'Get Config'/'Reload Configuration' button located on your Internet Monitor. Users should be notified that these attachment types are being blocked, either directly or in your site's end user support documentation. Due to the nature of email worms, this is not a comprehensive list, but it should minimize the email worm's effect. For more information on new variants and additional file extensions, please review your anti-virus provider's information page, for example www.sarc.com:
*.scr
*.com
*.emc
*.dll
*.vbx
*.ocx
*.vbs
*.inf
*.reg
*.pif
*.bad
*.jpg.scr
*.jpg.pif
*.jpg.exe
*.gif.exe
*.gif.pif
*.gif.scr
data.zip
document.zip
readme.zip
doc.zip
text.zip
file.zip
test.zip
message.zip
body.zip
doom2.doc.pif
sex sex sex sex.doc.exe
rfc compilation.doc.exe
dictionary.doc.exe
win longhorn.doc.exe
e.book.doc.exe
programming basics.doc.exe
how to hack.doc.exe
max payne 2.crack.exe
e-book.archive.doc.exe
virii.scr
nero.7.exe
eminem - lick my pussy.mp3.pif
cool screensaver.scr
serial.txt.exe
office_crack.exe
hardcore porn.jpg.exe
angels.pif
porno.scr
matrix.scr
photoshop 9 crack.exe
strippoker.exe
dolly_buster.jpg.pif
winxp_crack.exe
Microsoft WinXP Crack.exe
Teen Porn 16.jpg.pif
Adobe Premiere 9.exe
Adobe Photoshop 9 full.exe
Best Matrix Screensaver.scr
Porno Screensaver.scr
Dark Angels.pif
XXX hardcore pic.jpg.exe
Microsoft Office 2003 Crack.exe
Serials.txt.exe
Screensaver.scr
Full album.mp3.pif
Ahead Nero 7.exe
Virii Sourcecode.scr
E-Book Archive.rtf.exe
Doom 3 Beta.exe
How to hack.doc.exe
Learn Programming.doc.exe
WinXP eBook.doc.exe
Win Longhorn Beta.exe
Dictionary English - France.doc.exe
RFC Basics Full Edition.doc.exe
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
Keygen 4 all appz.exe
Windows Sourcecode.doc.exe
Norton Antivirus 2004.exe
Gimp 1.5 Full with Key.exe
Partitionsmagic 9.0.exe
Star Office 8.exe
Magix Video Deluxe 4.exe
Clone DVD 5.exe
MS Service Pack 5.exe
ACDSee 9.exe
Visual Studio Net Crack.exe
Cracks & Warez Archive.exe
WinAmp 12 full.exe
DivX 7.0 final.exe
Opera.exe
IE58.1 full setup.exe
Smashing the stack.rtf.exe
Ulead Keygen.exe
Lightwave SE Update.exe
The Sims 3 crack.exe
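The following is an added example, not FirstClass code, showing how a blocklist like the one above is applied to attachment names. It assumes glob-style patterns and case-insensitive matching (the page does not state how rules.attachmentblock matches), and it generalises the explicit *.jpg.exe / *.doc.pif entries into a check for any document-looking name that ends in an executable extension.

```python
import fnmatch

# Constructed subset of the step 1 blocklist: glob patterns and exact
# names, written the way they appear in the list on this page.
BLOCKED_PATTERNS = [
    "*.scr", "*.pif", "*.vbs", "*.jpg.exe", "*.gif.scr",
    "data.zip", "readme.zip", "serial.txt.exe",
]

# Extensions Windows runs on double-click (assumption: a reasonable set).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}


def is_blocked(filename: str) -> bool:
    """True if the attachment name matches any blocklist pattern.
    Matching is case-insensitive (assumption; the page does not say)."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in BLOCKED_PATTERNS)


def has_double_extension(filename: str) -> bool:
    """True for names like 'photo.jpg.exe', where a harmless-looking
    extension precedes an executable one; this catches new worm names
    that are not yet in the explicit list."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXT


def check_attachments(names):
    """Split a message's attachment names into (blocked, allowed) lists."""
    blocked, allowed = [], []
    for n in names:
        if is_blocked(n) or has_double_extension(n):
            blocked.append(n)
        else:
            allowed.append(n)
    return blocked, allowed


if __name__ == "__main__":
    # Constructed sample attachment names for a single inbound message.
    sample = ["Readme.zip", "notes.txt", "pic.jpg.exe", "report.pdf"]
    print(check_attachments(sample))
```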
2. Report
Report at least some of the external IPs that are propagating the worm to their respective postmasters via the Internet WHOIS tool.
3. Protect workstations
Ensure that your users' workstations are protected using active antivirus software (however, this should not be the case on the FirstClass Server itself; click here for details).
4. Warn users about suspicious subjects and configure mail rules
Advise your users to be suspicious of attachments in emails with the following subjects (due to the nature of email worms, this is not a comprehensive list, but it should minimize the email worm's effect):
Returned mail
Delivery Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
You could also add the following rules to the rules.mailrules file in the Filters folder of Internet Services to reject emails with these Novarg-related subjects with a custom NDN message like the following (due to the general nature of these subjects, please note that these rules could block legitimate email):
Subject: regexp:"^hi$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^hello$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^test$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Status$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Error$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Delivery Error$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Server Report$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Mail Transaction Failed$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Mail Delivery System$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
NB: ^ means that the subject starts with, and $ means that it ends with; for example, ^hi$ means the subject starts and ends with "hi", i.e. the whole subject is exactly "hi". Remember to close the rules.mailrules document and click on the Get Config button located on the Internet Monitor for the changes to take effect.
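As an added illustration (not part of FirstClass or this note), the following parses rule lines in the form shown above and evaluates subjects against them, so you can see which subjects the anchored patterns reject before enabling the rules. The line format and case-sensitive matching are assumptions based on the lines above; the real rules.mailrules parser may differ.

```python
import re

# Constructed subset of the rules.mailrules lines from step 4.
RULES_TEXT = '''
Subject: regexp:"^hi$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Status$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
Subject: regexp:"^Mail Delivery System$" NDN "550 Sorry, your message has been refused because the Subject line matches the Novarg/MyDoom worm"
'''

# Assumed shape of one rule line: Subject: regexp:"<pattern>" NDN "<message>"
RULE_LINE = re.compile(r'^Subject:\s+regexp:"([^"]*)"\s+NDN\s+"([^"]*)"\s*$')


def parse_rules(text):
    """Return a list of (compiled_regex, ndn_message) pairs; blank or
    unrecognised lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2)))
    return rules


def evaluate_subject(subject, rules):
    """Return the NDN text of the first rule whose regex matches the
    subject, or None if the message should be accepted."""
    for regex, ndn in rules:
        if regex.search(subject):
            return ndn
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Constructed sample subjects: the anchors make "hi there" pass while a
    # legitimate one-word "Status" is rejected, which is the caveat above.
    for subj in ["hi", "hi there", "Status", "Weekly Status"]:
        print(repr(subj), "->", evaluate_subject(subj, rules) or "accepted")
```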
5. Educate end users
This step should not be underestimated. Advise your users on the risks of opening unknown attachments, attachments that are unexpected, especially those originating from an unknown email address. An informed user base can be more effective than any anti-virus gateway, attachment block, or email rule.
6. Reject inbound email FROM your domain
CAVEAT : READ THIS FIRST BEFORE DECIDING TO IMPLEMENT THIS STEP
If you use multiple email servers (in addition to your FirstClass server) at your site, disregard this step.
If you use relayed IPs (e.g. +10.10.10.5 in the Sample file in Filters), disregard this step.
Please note that the following instructions will reject ANY inbound SMTP email claiming to be FROM yourdomain.com.
This will NOT affect internal email from or to your local users. It will only affect functionality if your users use third-party clients (such as Outlook or Eudora) to send email, or if other users try to reply to such mail; for security reasons, users should be dissuaded from using such clients. It will also affect functionality if you use a third-party tool to send notifications to your users from the admin internet address; in that case, switch to a different unique address AND domain for the notifications.
Open the Sample filter file in the Filters folder of Internet Services (on the admin desktop) and add the internet domain of your site (e.g. yourdomain.com) to the Sample filter file on a line by itself. Close the Sample filter file, open the Internet Services monitor and click on the Get Config button (if using a 7.112 client, click on the CONTROL tab of the Internet Monitor and click on Reload Config).
7. Add a receive rule to the admin mailbox to filter NDN messages
If you are experiencing an abnormally high number of NDN messages in the admin mailbox due to these worms, you could add a receive rule to the admin's mailbox to file these NDNs in a conference that you create within the mailbox, and then limit that conference to 1000 items. That way you will have a record of the past 1000 NDNs should you need their information (e.g. to troubleshoot a legitimate NDN).
Please note that these steps will not eliminate the traffic impact but should minimize it.