Using Smart Update and Configuration Groups to Detect and Remove the MyDoom.O Variant

Pam
Smart Update (Configuration Groups, Organizational Groups)

The information in this article applies to the following products:

• Prism Deploy 5.0 and above

Summary:

The latest variant of the MyDoom mass-mailing worm has several aliases: W32/Mydoom.o@MM, MyDoom.M, W32.Mydoom.M@MM and W32/Mydoom-O; this article refers to it as MyDoom.O. The easiest way to protect yourself is to update your antivirus software.

According to Symantec, MyDoom.O is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, which listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer. The email contains a spoofed From address, and the Subject and Body text will vary. The attachment name will also vary.

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

Microsoft: http://www.microsoft.com/security/antivirus/mydoom.asp

Prism Deploy makes it easy to determine which machines are infected so you can remediate the situation.

Method:

In your Prism Deploy Channel, create two new user-defined Configuration Groups: one to detect systems with the MyDoom.O variant, and an “All Others” group representing uninfected systems. The MyDoom.O ruleset is configured to look for two registry values under the Run key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – “Services” = “%WinDir%\services.exe”

And

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – “JavaVM” = “%WinDir%\java.exe”

Here’s a screenshot of the first step involved in creating the ruleset:

Use Prism’s Rule Expert, click “And” and add the next rule:

Click “Finish” and your ruleset is created.
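The same two-value check can be reproduced by hand on a single machine, which is useful for confirming that a system the Channel has placed in the MyDoom.O group really carries both Run values. The PowerShell below is an added example, not part of the original article and not code from Prism Deploy; it assumes that Prism expands %WinDir% before comparing value data, so it compares against the expanded Windows directory, and it applies the ruleset’s “And” so that only a machine with both values is reported as belonging to the infected group.

```powershell
# Added example (not from the original article or from Prism Deploy):
# re-check the MyDoom.O Configuration Group ruleset on one machine.
# Assumption: Prism expands %WinDir% before comparing, so the expected
# value data is built from the expanded Windows directory here.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# The two Run values the article's ruleset looks for, with the data they carry
$indicators = @{
    'Services' = Join-Path $env:WINDIR 'services.exe'
    'JavaVM'   = Join-Path $env:WINDIR 'java.exe'
}

function Test-MyDoomORunValues {
    param(
        [string]$KeyPath = $runKey,
        [hashtable]$Expected = $indicators
    )

    # Read every value under the Run key; a missing key simply yields $null
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $found = @()

    foreach ($name in $Expected.Keys) {
        $data = $props.$name
        if ($null -ne $data) {
            # Expand any environment variables in the stored data, then compare
            # case-insensitively (Windows paths are not case-sensitive)
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$data)
            if ($expanded -ieq $Expected[$name]) {
                $found += "$name = $data"
            }
        }
    }

    # The ruleset joins its two rules with "And": only both values together
    # place a machine in the MyDoom.O group; anything else is "All Others".
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MatchedValues = $found
        InfectedGroup = ($found.Count -eq $Expected.Count)
    }
}

Test-MyDoomORunValues | Format-List
```

Run it from an elevated prompt on the machine in question; `InfectedGroup` is `True` only when both values are present with the expected data, which mirrors the group membership the Channel should show for that computer.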

Next, create and assign Tasks to perform the remediation process:

  1. On Windows XP and Me systems, first turn off System Restore.* This can be done with a Prism package that is configured with a requirement that the target system is running Windows XP or Me. [Note: To set requirements, open the package in the Prism Deploy Editor, choose File | Properties, Requirements tab.] If the target is not running one of these operating systems, the package will not be installed. The package also has a silent reboot property set.
  2. Run the cleanup utility from your anti-virus vendor as a Command Task. Our example uses a free cleanup tool released by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html
  3. Turn System Restore back on by assigning a Prism package to the “Not Infected” group. The package is configured to first check that System Restore is off and that the target is running Windows XP or Me. It also has a silent reboot property set. Note: If you would like a copy of our packages for System Restore off and on, please contact support@newboundary.com.

Assign the Tasks to the appropriate configuration groups. Your target computers will automatically move themselves into and out of the Configuration Groups as their status changes, and they will receive the appropriate Tasks for their current status.

Below is a screenshot of a sample Channel.

* Here’s a link discussing System Restore and why it must be turned off before remediation of MyDoom: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam.

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.


Details
Last Modified: 14 Years Ago
Last Modified By: Pam
Type: HOWTO