ZyXEL Communications ZyWALL5UTM 4.0 12.1.5.4 MyDoom, 12.1.6 ZyWALL IDP

ZyWALL 5/35/70 Series User’s Guide

12.1.5.4 MyDoom

MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with an bat, cmd, exe, pif, scr, or zip file extension. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003.

W32/MyDoom-A is a worm that is spread by email. When the infected attachment is launched, the worm gathers e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W32/ MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters. W32/MyDoom-A creates randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

The ZyWALL Internet Security Appliance is designed to protect against network-based intrusions. See Section 13.2 on page 241 for more information on how to apply IDP to ZyWALL interfaces.

IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are vital as new intrusions evolve.