Mydoom; Zywall Idp - ZyXEL Communications ZyWall 5 Series User Manual

ZyWALL 5/35/70 Series User's Guide

12.1.5.4 MyDoom

MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm
that arrives as an attachment with an bat, cmd, exe, pif, scr, or zip file extension. When a
computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127
through 3198, which can potentially allow an attacker to connect to the computer and use it as
a proxy to gain access to its network resources. In addition, the backdoor can download and
execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me,
Windows NT, Windows 2000, Windows XP and Windows Server 2003.
W32/MyDoom-A is a worm that is spread by email. When the infected attachment is
launched, the worm gathers e-mail addresses from address books and from files with the
following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W32/
MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the
contents, which displays random characters. W32/MyDoom-A creates randomly chosen
email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line.
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

12.1.6 ZyWALL IDP

The ZyWALL Internet Security Appliance is designed to protect against network-based
intrusions. See
ZyWALL interfaces.
IDP is regularly updated by the ZyXEL Security Response Team (ZSRT). Regular updates are
vital as new intrusions evolve.
254
Section 13.2 on page 256 for more information on how to apply IDP to
Chapter 12 Intrusion Detection and Prevention (IDP)