From mcafeesecurity@1stmail.com Fri Jan 30 04:49:20 2004
Return-Path:
Received: from mail1.1stmail.com (mail1.1stmail.com [207.88.19.248] (may be forged))
    by forced.attrition.org (8.11.6/3.8.9) with ESMTP id i0U9l1C31170
    for ; Fri, 30 Jan 2004 04:47:02 -0500
Received: from localhost.localdomain (mail1.1stmail.com [207.88.19.248])
    by mail1.1stmail.com (8.11.6/8.9.3) with ESMTP id i0U9kDX01492
    for ; Fri, 30 Jan 2004 01:46:37 -0800
Message-Id: <200401300946.i0U9kDX01492@mail1.1stmail.com>
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 2.117 (F2.6; T1.005; A1.60; B2.11; Q2.03)
Date: Fri, 30 Jan 2004 09:46:13 UT
From: "McAfee Security"
To: "Hugh G. Rection"
Subject: SECURITY ADVISORY: Mydoom@MM Worm
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on forced.attrition.org
X-Spam-Level:
X-Spam-Status: No, hits=0.2 required=4.7 tests=EXCUSE_3,LINES_OF_YELLING,
    REMOVE_SUBJ autolearn=no version=2.61

January 27, 2004

"The Mydoom worm surfaced Monday and has been given several names by anti-virus software vendors, including Mydoom, Novarg and Mimail.R. Experts don't all agree on the worm's payload, but they do agree that it is spreading faster than Sobig-F, the worm that topped the charts for the most widespread e-mail worm last year." (IDG News Service, a Network World affiliate, 1/27/04)

"Network Associates' Vincent Gullotto, vice president of the Anti-Virus Emergency Response Team (AVERT) expects the worm to keep causing headaches for a while."...It has a full head of steam, there are hundreds of thousands of e-mails, and we may see well into the millions (of e-mails), and possibly hundreds of thousands of machines infected." (IDG News Service, a Network World affiliate, 1/27/04)

HOW DOES THE MYDOOM THREAT AFFECT ME?

-- Mydoom is a destructive worm that propagates through generating SMTP email as an attachment within an email.
It disrupts business by:
   -- Creating a flood of email traffic
   -- Overloading email servers
   -- Degrading network response times
-- The Mydoom worm infects Microsoft(R) Windows(R)9x/ME, NT4, 2000, 2003, and XP-based computers.

WHAT STEPS CAN I TAKE AGAINST MYDOOM?

-- If You Are Currently A McAfee Security Customer:
   -- Download an immediate cure for this virus online at the Network Associates McAfee AVERT website at:
   -- Click on "4319 Minimum DAT" to update your anti-virus software
-- If You Are Not Currently a McAfee Security Customer:
   -- Download our FREE virus utility tool, Stinger, that detects, cleans, and repairs systems infected by Mydoom. Go to:

ATTEND OUR FREE WEBCAST--LEARN HOW TO PROTECT YOUR SYSTEMS FROM A MYDOOM ATTACK:

-- 11:00AM PST on January 28, 2004
-- Register now at:
-- After you register, you will receive a confirmation email that contains the telephone number and URL to attend the webcast.

THE MCAFEE(R)SECURITY PROTECTION-IN-DEPTH(TM) STRATEGY DELIVERS SOLUTIONS TODAY THAT CAN MITIGATE THE RISKS ASSOCIATED WITH THIS WORM:

**SYSTEM PROTECTION SOLUTIONS**

McAfee Entercept
McAfee Entercept would detect the worm attempting to write itself into a system folder (%windir%). In addition, it would also detect that the worm is attempting to write entries within the 'RUN' key in the system registry and would therefore prevent infection occurring.

McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 3127.

McAfee ThreatScan
The latest ThreatScan signature (2004-01-27) includes detection of the Mydoom virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5. ThreatScan users can also detect the backdoor portion of the virus by running a "Resource Discovery" task utilizing the port scanning options.

McAfee Anti-virus:
The 4319 DAT files are available now. EXTRA.DAT packages are also available on the VIL page.

**NETWORK PROTECTION SOLUTIONS**

Sniffer(R) Technologies
Sniffer filters are currently being investigated for Sniffer Portable, Sniffer Distributed, and Netasyst(TM) Network Analyzer. Stay tuned to the VIL page for updates.

InfiniStream (TM) Security Forensics
If you have InfiniStream in place, you can use it to reconstruct detailed network events, including: the opening of a suspicious attachment, a conversation between a client and server resulting in missing log files, database breaches, and limitless other possibilities.

McAfee IntruShield (R)
McAfee IntruShield signatures have also been updated to prevent the worm from traveling across infected networks.

Expert Services
If a customer needs help cleaning-up, Network Associates(R) Expert Services can take away the pain of dealing with the threat - and help secure your customer's network from future threats.

**THE MCAFEE PROTECTION-IN-DEPTH STRATEGY**

The McAfee Protection-in-Depth Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block attempts to exploit this worm before it can cause damage to systems and networks.

Best Regards,
Network Associates

----------------------------------

Network Associates and McAfee are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.

Network Associates, Inc. is located at 3965 Freedom Circle Santa Clara, CA 95054.

To be removed from our McAfee Network Protection Solutions mailing list, please send an e-mail to: mailto:McAfeeSecurity@1stmail.com and type REMOVE in the subject line.