MyDoom.M Mass-Mailer

***MyDoom.M Mass-Mailer Spreading Rapidly***

The MyDoom.M mass-mailing email virus appears to be hitting hard. Even though it relies on a user unzipping and clicking on an infected attachment, it appears to be having a good deal of success. This may be due in part to the fact that the file appears to be a delivery failure report from a mailer daemon, and the infected filename is simply the user's email address. Users may be tempted to unzip and click on such an attachment, not realizing that if their email address ends in ".com", the file will execute.

At the time of this advisory, some anti-virus companies have not provided protection against MyDoom.M. Temporarily blocking zip attachments at the gateway may be an appropriate measure to prevent the virus from infecting your network. If you have finer-grained control over "forbidden" attachment names, block emails that contain attachments of the form user@yourdomain.com.zip, where user@yourdomain.com can be any email account at your domain.
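The attachment-name rule above can be expressed as a gateway content check. The following is an added example, not code from this advisory or from any vendor: it flags zip attachments named after an address at a protected domain and, going one step beyond the rule in the text, also looks inside the archive for an address-shaped member ending in ".com". The domain `example.com`, the function names and the sample message builder are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PROTECTED_DOMAINS = {"example.com"}  # assumption: domains this gateway serves
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def is_local_address(name: str) -> bool:
    """True if name is an email address at a protected domain."""
    m = ADDR_RE.match(name)
    return bool(m) and m.group(1).lower() in PROTECTED_DOMAINS


def block_reasons(raw_message: bytes) -> list:
    """Return reasons to quarantine the message; an empty list means deliver."""
    reasons = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        # Rule from the advisory: attachment named user@yourdomain.com.zip
        if is_local_address(filename[:-4]):
            reasons.append("attachment name " + filename)
        try:
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    base = member.rsplit("/", 1)[-1]
                    # An address-shaped member ending in .com runs as a program
                    if base.lower().endswith(".com") and ADDR_RE.match(base):
                        reasons.append("archive member " + member)
        except zipfile.BadZipFile:
            reasons.append("unreadable zip " + filename)  # policy choice: fail closed
    return reasons


def build_sample(attachment_name: str, member_name: str) -> bytes:
    """Constructed test message carrying a harmless zip with one text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "harmless placeholder")
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```

Matching is case-insensitive on both the ".zip" suffix and the domain, since a filter that compares names exactly is bypassed by a change of case.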

More information about MyDoom.M can be found here:

http://secunia.com/virus_information/10755/mydoom.m/

It is worth noting that this type of social-engineering ploy has proven successful several times in the past, so expect future variants of this and other viruses to use similar tactics. Relying on a single antivirus solution is no longer sufficient to protect a network from modern threats, so consider using multiple scanners at the email gateway. Another alternative, used by an increasing number of companies, is outsourcing email virus scanning to a third-party vendor who can provide additional protection by using custom heuristic scanners and cross-referencing suspicious attachments across multiple customers.
