Re: How do I stop the mydoom virus?
From: Phil McNeill (philm_at_NOSPAMhydroottawa.com)
Date: 03/25/04
- Next message: Mauricio Encina [MSFT]: "Re: Installing System Manager"
- Previous message: Armen: "Rule "forward by email size" to forward account"
- In reply to: Mohammed Alli: "Re: How do I stop the mydoom virus?"
- Next in thread: Mohammed Alli: "Re: How do I stop the mydoom virus?"
- Reply: Mohammed Alli: "Re: How do I stop the mydoom virus?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 25 Mar 2004 14:45:53 -0500
"Mohammed Alli" <MAlli@computerrents.com> wrote in message
news:erGJT%23oEEHA.1368@TK2MSFTNGP11.phx.gbl...
> So if I block 3127-3198, then I should be ok?
No, that won't stop the virus from spreading via email because the virus is
already on the wrong side of your firewall (i.e. the inside). It will
simply provide you with a tool to track down which machines are infected
(and then go hit them with a removal tool). If you block these ports
OUTBOUND (presumably they are already blocked to inbound traffic), and
configure your firewall to log every time something attempts to access those
ports (and is denied because you've blocked them), your firewall logs can
lead you back to the infected machine(s). Keep in mind that Mydoom has
several variants, and each of them uses different ports, so just blocking
that range may not apply to the variant you have on your network. For a
list of the variants and descriptions of them including the ports they
exploit, you can go here:
http://www.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html
You don't even have to block outbound access, but can simply log any access
to those ports. I just find it easier to look at the "denies" in the log as
there are so many more "allows". We have blocked ALL outbound traffic on
every port other than the standard ones we need (FTP, HTTP, HTTPS, etc etc.)
and it makes the deny entries in our firewall log very useful in tracking
down viruses, spyware, and other undesirable programs (Kazaa etc.) running
on the network.
Sorry, this isn't really an Exchange solution, but with viruses of this type
I find it easier to see which machine is racking up firewall deny entries
than to fight it at the mail server level (once it's already on your
network). It's generally very obvious when you look at the logs, as you
will see thousands of deny entries to a single or a few machines (where if
they weren't infected, you would see almost none). Another way to skin the
cat if you're comfortable working with your firewall config. Network
monitoring software is even better of course, but I know not everyone has
the budget for that stuff.
Good luck. It's been a hell of a couple of months for MS admins...
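The firewall-log approach Phil describes above (count outbound denies to the 3127-3198 range per source address and see which machines pile them up), as an added example that is not part of the original post. The log line format and the sample lines are constructed assumptions; real firewalls log in their own formats and a real threshold would be far higher than the one used here.

```python
import re
from collections import Counter

# Mydoom's backdoor port range as quoted in the thread (TCP 3127-3198).
MYDOOM_PORTS = range(3127, 3199)

# Constructed sample firewall log (not real output; the format is an assumption).
SAMPLE_LOG = """\
2004-03-25 14:45:01 DENY TCP 192.168.1.37:4123 -> 203.0.113.9:3127
2004-03-25 14:45:02 DENY TCP 192.168.1.37:4124 -> 203.0.113.10:3128
2004-03-25 14:45:02 ALLOW TCP 192.168.1.12:1045 -> 198.51.100.5:80
2004-03-25 14:45:03 DENY TCP 192.168.1.37:4125 -> 203.0.113.11:3198
2004-03-25 14:45:04 DENY TCP 192.168.1.12:1046 -> 198.51.100.7:445
2004-03-25 14:45:05 DENY TCP 192.168.1.90:2201 -> 203.0.113.12:3130
"""

# date time ACTION TCP src:sport -> dst:dport
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def count_mydoom_denies(log_text):
    """Map each internal source IP to its number of denied connections
    whose destination port falls in the Mydoom backdoor range."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "DENY":
            continue  # only the denies matter; allows are noise here
        if int(m.group("dport")) in MYDOOM_PORTS:
            hits[m.group("src")] += 1
    return hits


def suspect_hosts(log_text, threshold=2):
    """Hosts whose deny count reaches the threshold, sorted for stable output.
    An uninfected host should show almost no hits at all."""
    counts = count_mydoom_denies(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in count_mydoom_denies(SAMPLE_LOG).most_common():
        print(f"{src}: {n} denied attempts to TCP 3127-3198")
    print("suspects:", suspect_hosts(SAMPLE_LOG))
```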