PSS Security Response Team Alert - New Worm: W32/Mydoom.C

SEVERITY: MODERATE

DATE: February 9, 2004

PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail

**********************************************************************

WHAT IS IT?

Mydoom.C (also referred to as DoomJuice) is a variant of the Mydoom worm that attacks and infects only those systems which are currently infected with Mydoom.A. Customers who are not infected by Mydoom.A are not at risk from Mydoom.C. Customers who are currently infected with Mydoom.B are not at risk from Mydoom.C.

Mydoom.C also attempts to launch a denial of service attack against Microsoft properties. All Microsoft properties are available and stable. There is more information available at:

http://www.microsoft.com/security/antivirus/mydoom.asp

The Microsoft Product Support Services Security Team is issuing this alert to advise customers to be on the alert for this virus as it spreads in the wild. Customers are advised to review the information and take the appropriate action for their environments.

IMPACT OF ATTACK: Denial of Service

TECHNICAL DETAILS:

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Computer Associates:

http://www3.ca.com/virusinfo/virus.aspx?ID=38238

Network Associates:

http://vil.nai.com/vil/content/v_101002.htm

Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html

Trend Micro:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A

For more information on Microsoft's Virus Information Alliance, please visit this link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/via.asp Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

Mydoom.C propagates only to systems that are currently infected by Mydoom.A by connecting on TCP port 3127. You can prevent infection by Mydoom.C by blocking access to TCP port 3127. (Note: The Internet Connection Firewall (ICF) in Windows XP blocks access to TCP port 3127 by default.) In addition, you can protect against infection by Mydoom.C by ensuring that you are not infected with Mydoom.A, either by preventing infection from Mydoom.A or by cleaning a system that has been infected by Mydoom.A as quickly as possible.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/alerts/mydoomc.asp
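
The following is an added example, not part of the original alert: a Python check that reads Windows netstat -an output and reports activity on TCP port 3127, the port named under PREVENTION. The sample output is constructed, and the function name and result keys are illustrative assumptions.

```python
import re

MYDOOM_PORT = 3127  # TCP port named in this alert

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3127        198.51.100.7:4312      ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.5:3127       ESTABLISHED
  TCP    192.0.2.10:31270       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:3127           *:*
"""

# Proto, local addr:port, foreign addr:port, state. Only TCP rows match.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")


def check_port_3127(netstat_text, port=MYDOOM_PORT):
    """Classify TCP rows that involve `port` in `netstat -an` text.

    listeners: local addresses accepting connections on the port
    inbound:   remote peers connected to the local port
    outbound:  remote endpoints this host is connecting to on the port
    """
    result = {"listeners": [], "inbound": [], "outbound": []}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        laddr, lport, raddr, rport, state = m.groups()
        if int(lport) == port:  # exact match, so 31270 is ignored
            if state == "LISTENING":
                result["listeners"].append(laddr)
            elif state == "ESTABLISHED":
                result["inbound"].append(f"{raddr}:{rport}")
        elif rport == str(port) and state in ("ESTABLISHED", "SYN_SENT"):
            result["outbound"].append(f"{raddr}:{rport}")
    return result


if __name__ == "__main__":
    for kind, entries in check_port_3127(SAMPLE_NETSTAT).items():
        print(f"{kind}: {entries or 'none'}")
```

A listener or inbound peer on port 3127 means the host should be checked for Mydoom.A; outbound connections to that port on other hosts are worth investigating as well.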