NOVELL: Stop W32/Mydoom Mass Mailing Worm before it hits GroupWise (GroupWise Cool Solutions)

[an error occurred while processing this directive]

Stop W32/Mydoom Mass Mailing Worm before it hits GroupWise

GroupWise Cool Solutions Article
by The Messaging Architects

Posted: 28 Jan 2004

::: The Messaging Architects Security Alert :::

=========================================================
Stop W32/Mydoom Mass Mailing Worm before it hits GroupWise
=========================================================

A powerful worm virus known variously as W32/Mydoom, W32/Novarg.A, W32/Shimg, or W32/Mimail.R is devastating personal and corporate email systems across the globe. When run, the worm steals email addresses from the infected machine and also automatically generates random email addresses for propagation. This email generation engine is similar to technologies spammers use to generate addresses for spam email campaigns. W32/Mydoom also attempts to open a port on an infected PC, allowing a remote hacker to gain control of the system.

Installing an email firewall such as GWGuardian can protect your organization - Download a fully functional trial copy at http://www.messagingarchitects.com/gwguardianee/?CID=1090

EMAIL CHARACTERISTICS

W32/Mydoom worm can be defeated by blocking subject lines and attachment types listed below. GWGuardian's protocol filter analyzes the message header content and rejects suspicious email messages before it is even accepted by GWIA.

{Randomly generated}
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

Attachment:
{Randomly generated}
The icon used by the file tries to make it appear as if the attachment is a text file. The attachment type varies [.exe, .bat .pif, .cmd, .scr] - often arrives in a ZIP archive), though the attachment size is 22,528 bytes.

{Spoofed -- may appear to be from someone you know.}

Body:
Varied: (examples)

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

"The message contains Unicode characters and has been sent as a binary attachment."

"Mail transaction failed. Partial message is available."

HOW DO YOU KNOW IF YOU'VE BEEN INFECTED?

Upon executing the virus, Notepad is opened, filled with nonsense characters.

Existence of the files and registry entry listed on the Virus Profile page.

HOW DO YOU CLEAN YOUR SYSTEM?

Update your anti-virus software and run a full scan of your system. Always ensure your virus definition definition files are current. You can also use McAfee's effective removal tool: http://vil.nai.com/vil/stinger/

The following Novell TIDs describe how to purge infected messages from your PO using the GWCheck item purge feature. Although these TIDs were written to remove Code Red, the same measures apply for W32/Mydoom. Just use the subject line and attachments listed above.

GroupWise 6.0-6.5 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10060266.htm

GroupWise 5.5 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10052696.htm

Document Title: Stop W32/Mydoom Mass Mailing Worm before it hits GroupWise
Creation Date: January 26, 2004
Modified Date: January 27, 2004
GWTools Product Class: GWGuardian (all versions)
For details on W32/Mydoom@MM: http://vil.nai.com/vil/content/v_100983.htm

Security Response Team
The Messaging Architects
http://www.messagingarchitects.com