Using Smart Update and Configuration Groups to Detect and Remove the MyDoom.O Variant

Summary:

The latest variant of the MyDoom mass mailer worm has several aliases: W32/Mydoom.o@MM, MyDoom.M, W32,Mydoom.M@MM, W32/Mydoom-O labeled MyDoom.O. The easiest way to protect yourself is by updating your antivirus software.

According to Symantec, MyDoom.O is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, which listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer. The email contains a spoofed From address, and the Subject and Body text will vary. The attachment name will also vary.

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

Microsoft: http://www.microsoft.com/security/antivirus/mydoom.asp

Prism Deploy makes it easy to determine which machines are infected so you can remediate the situation.

Method:

In your Prism Deploy Channel, create a new user-defined Configuration Groups to detect systems with the MyDoom.O variant, and an “All Others” group representing uninfected systems. The MyDoom.O ruleset is configured to look for two registry values under the Run key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – “Services” = “%WinDir%\services.exe”

And

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – “JavaVM” = “%WinDir%\java.exe”

Here’s a screenshot of the first step involved in creating the ruleset:

Use Prism’s Rule Expert, click “And” and add the next rule:

Click “Finish” and your ruleset is created.

Next, create and assign Tasks to perform the remediation process:

1. On Windows XP and Me systems, first turn off System Restore.* This can be done with a Prism package that is configured with a requirement that the target system is running Windows XP or Me. [Note: To set requirements, open the package in the Prism Deploy Editor, choose File| Properties, Requirements tab.] If the target is not running one of these operating systems, the package will not be installed. The package also has a silent reboot property set.
2. Run the cleanup utility from your anti-virus vendor as a Command Task. Our example uses a free cleanup tool released by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html
3. Turn System Restore back on by assigning a Prism package to the “Not Infected” group. The package is configured to first check that System Restore is off and that the target is running Windows XP or Me. It also has a silent reboot property set. Note: If you would like a copy of our packages for System Restore off and on, please contact support@newboundary.com.

Assign the Tasks to the appropriate configuration groups. Your target computers will automatically move themselves into and out of the Configuration Groups as their status changes, and they will receive the appropriate Tasks for their current status.

Below is a screenshot of a sample Channel.

* Here’s a link discussing System Restore and why it must be turned off before remediation of MyDoom: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam.

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.