Blaster w32.worm, Nimda, Mydoom – ZyXEL Communications ZyXEL ZyWALL IDP 10 User Manual
ZyWALL IDP10 User’s Guide
Introduction to Intrusions
A.6.2 Blaster W32.Worm
Blaster (W32.Blaster.Worm) exploits the DCOM RPC buffer overrun described in Microsoft Security Bulletins MS03-026 and MS03-039 by connecting to TCP port 135 on each target. The worm targets only Windows 2000 and Windows XP machines. Windows NT and Windows Server 2003 machines are also vulnerable if not properly patched, but the worm is not coded to replicate to them. After a successful exploit the worm downloads the msblast.exe file into the victim's %WinDir%\system32 directory and then executes it. W32.Blaster.Worm does not mass-mail itself to other devices.
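The Blaster sequence above (exploit on TCP/135, then fetch and execution of msblast.exe) leaves a recognizable footprint in firewall connection logs. The script below is an added example, not part of the ZyWALL guide. It correlates constructed connection records in an assumed "<epoch> <proto> <src>:<port> > <dst>:<port>" format and uses two further indicators documented in the public Blaster advisories: the command shell the exploit opens on TCP port 4444 and the TFTP transfer (UDP port 69) by which the victim fetches msblast.exe from the attacking host.

```python
"""Correlate firewall connection records to flag Blaster-style activity.

Added example, not from the ZyWALL guide. SAMPLE_LOG is constructed and the
record format is an assumption. Indicators: exploit over TCP/135, a command
shell on TCP/4444, and msblast.exe pulled back over TFTP (UDP/69) by the victim.
"""
from collections import defaultdict

SCAN_THRESHOLD = 5        # distinct hosts probed on TCP/135 before we call it a scan
CORRELATION_WINDOW = 60   # seconds between the RPC contact and the follow-up

SAMPLE_LOG = """\
1060560000 tcp 10.0.0.7:1034 > 10.0.0.20:135
1060560001 tcp 10.0.0.7:1035 > 10.0.0.21:135
1060560002 tcp 10.0.0.7:1036 > 10.0.0.22:135
1060560003 tcp 10.0.0.7:1037 > 10.0.0.23:135
1060560004 tcp 10.0.0.7:1038 > 10.0.0.24:135
1060560005 tcp 10.0.0.7:1039 > 10.0.0.25:135
1060560007 tcp 10.0.0.7:1040 > 10.0.0.25:4444
1060560009 udp 10.0.0.25:1027 > 10.0.0.7:69
1060560100 tcp 10.0.0.9:2000 > 10.0.0.30:135
1060560101 tcp 10.0.0.30:2001 > 10.0.0.9:445
"""


def parse(line):
    """Split one record into (ts, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), proto, sip, int(sport), dip, int(dport)


def analyse(log_text):
    """Return a list of findings: (kind, attacker, victim_or_count)."""
    probes = defaultdict(set)   # attacker -> hosts it touched on tcp/135
    first_rpc = {}              # (attacker, victim) -> time of first tcp/135 contact
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport = parse(line)
        if proto == "tcp" and dport == 135:
            probes[sip].add(dip)
            first_rpc.setdefault((sip, dip), ts)
        elif proto == "tcp" and dport == 4444:
            # attacker connecting to the shell the exploit opened on the victim
            t0 = first_rpc.get((sip, dip))
            if t0 is not None and ts - t0 <= CORRELATION_WINDOW:
                findings.append(("shell_after_rpc", sip, dip))
        elif proto == "udp" and dport == 69:
            # roles reverse: the victim (sip) pulls the payload from the attacker (dip)
            t0 = first_rpc.get((dip, sip))
            if t0 is not None and ts - t0 <= CORRELATION_WINDOW:
                findings.append(("tftp_fetch", dip, sip))
    for sip, targets in probes.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(("rpc_scan", sip, len(targets)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A single RPC connection (10.0.0.9 in the sample) is not reported: one contact on port 135 is normal Windows traffic, and the script only raises a finding when the contact is followed by the shell or TFTP step, or when one host sweeps many neighbours.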
A.6.3 Nimda
Nimda (the name is "admin" spelled backwards) refers to an "admin.dll" file that, when run, continues to propagate the virus. Nimda probes each IP address within a randomly selected range of addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in Microsoft's Internet Information Server (IIS). On an IIS server it compromises, Nimda appends a small JavaScript fragment to the server's Web pages; the fragment opens a MIME-encoded copy of the virus (readme.eml). When an unpatched copy of Internet Explorer (versions earlier than IE 5.5 SP2, see Microsoft Security Bulletin MS01-020) visits the infected server, the script runs automatically and the virus is delivered to the visiting computer, which in turn spreads it to other computers on the Internet in a somewhat random fashion. Nimda can also infect computers on the Web server's own internal network that have been given a network share (a portion of file space). Finally, an infected system sends e-mail with a "readme.exe" attachment to the addresses in the local Windows address book; a user who opens or previews this attachment propagates the virus further.
Server administrators should obtain and apply the cumulative IIS patch that Microsoft released for the earlier IIS worms and should avoid reading e-mail on the server itself. Update Internet Explorer to version IE 5.5 SP2 or later. Scan and clean affected systems with anti-virus software.
A.6.4 MyDoom
MyDoom (W32.Mydoom.A@mm, also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm opens a backdoor by listening on TCP ports 3127 through 3198, which can allow an attacker to connect to the computer and use it as a proxy to reach its network resources. In addition, the backdoor can download and execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. Systems not affected are DOS, Linux, Macintosh, OS/2, UNIX and Windows 3.x.
W32/MyDoom-A spreads by e-mail. When the infected attachment is launched, the worm gathers e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display it; the file contains random characters. The worm fills the "To:" and "From:" fields with randomly chosen e-mail addresses and picks a randomly chosen subject line, so neither header identifies the real sender. The attachment filename is one of body, data, doc, document, file, message, readme or test, or a random collection of characters, and the attached file has the extension BAT, CMD, EXE, PIF, SCR or ZIP.
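Because the sender and subject are random, the only reliable handle on the mail is the attachment itself. The script below is an added example, not part of the ZyWALL guide. It uses the Python standard library to screen a message for the attachment types and lure filenames listed in this section, and looks inside ZIP attachments for the wrapped executable. The messages it screens are constructed by build_sample() with placeholder addresses and payload bytes; no real sample is used.

```python
"""Screen inbound mail for MyDoom-style attachments.

Added example, not from the ZyWALL guide. Messages are constructed in
build_sample() with the stdlib email package; payloads are placeholder bytes.
Blocked extensions and lure filenames are the ones listed in this section.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr"}
LURE_STEMS = {"body", "data", "doc", "document", "file", "message", "readme", "test"}


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def stem(name):
    return name.rsplit(".", 1)[0].lower()


def screen_attachment(filename, payload):
    """Return the reasons (possibly none) for quarantining one attachment."""
    reasons = []
    ext = extension(filename)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable attachment type .{ext}")
    if ext == "zip":
        # The worm also ships as a ZIP wrapping the executable, so look inside.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                bad = [n for n in zf.namelist() if extension(n) in EXEC_EXTENSIONS]
        except zipfile.BadZipFile:
            bad = []
            reasons.append("zip attachment could not be parsed")
        if bad:
            reasons.append("zip contains executables: " + ", ".join(bad))
    if reasons and stem(filename) in LURE_STEMS:
        reasons.append(f"generic lure filename '{filename}'")
    return reasons


def screen_message(raw):
    """Parse a raw message and return [(filename, reasons), ...] for bad attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = screen_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings.append((name, reasons))
    return findings


def zip_with(member, data):
    """Build an in-memory ZIP holding one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def build_sample(attachment_name, payload):
    """Construct a message shaped like the worm's mail: random-looking sender,
    short subject, one binary attachment. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "qzkd@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "test"
    msg.set_content("See the attached file.")
    subtype = "zip" if extension(attachment_name) == "zip" else "octet-stream"
    msg.add_attachment(payload, maintype="application", subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("document.zip", zip_with("document.scr", b"MZ placeholder")),
        ("readme.pif", b"MZ placeholder"),
        ("report.pdf", b"%PDF-1.4 placeholder"),
    ]
    for name, payload in samples:
        print(name, "->", screen_message(build_sample(name, payload)) or "clean")
```

The lure-filename check is only added on top of a structural hit (executable type or executable inside a ZIP); on its own, a file named readme or document is too common to block.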