Gartner urges vigilance as MyDoom continues to lurk

10 Feb 2004

Removing the MyDoom worm from PCs is the only way to ensure that its threat doesn’t continue, the analyst firm Gartner Research has warned, adding that the malicious code may have a useful life past its supposed self-termination date on 12 February.

According to Gartner, the worm remains extremely dangerous and will continue to be for some time to come. Although the worm's first visible payloads were high-profile denial-of-service attacks against the websites of SCO and Microsoft last week, early reports suggested that the code would become benign soon after. In a briefing note, Gartner analyst Martin Reynolds warned against user complacency.

“Don’t make the mistake of believing that the threat from the MyDoom outbreak is limited to high-profile targets such as SCO and Microsoft — or that the threat will end on any particular date,” said Reynolds. “MyDoom combines a well-designed transport and payload — in a small, hard-to-detect package — with clever social engineering. The worm enables unauthorised parties to commit identity and information theft and also to use an infected PC as a server in future attacks. MyDoom has created an army of ‘zombies’: remote PCs that can be used to execute attackers’ future commands. These attacks will likely continue after 12 February 2004, and the threat will not end until the MyDoom executable has been removed from all infected PCs.”

Gartner recommended that businesses take immediate steps to tackle any further risk from MyDoom. Internet firewalls and personal firewalls should be set to block the ports the worm opens on infected PCs (3198 to 3217), so that attackers' scans for computers listening on these ports go unanswered. Every PC connected to a network should be scanned to identify and remove the MyDoom executable. In addition, employees should be encouraged to scan their own systems using security software tools which are available online.
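Blocking the port range is only half of the advice; the other half is noticing who is knocking on it, since a source that sweeps several hosts or ports in that range is looking for zombies to command. The script below is an added illustration, not part of the original article or of Gartner's note: it parses constructed firewall log lines in a simplified iptables-style format (the lines, the host names and the addresses are made up for the example) and flags sources whose connection attempts fall in the 3198 to 3217 range quoted above. The scanner threshold and the log format are assumptions of the example.

```python
import re
from collections import defaultdict

# Port range the article reports Gartner advised blocking (inbound TCP).
MYDOOM_PORTS = range(3198, 3218)  # 3198..3217 inclusive

# Constructed sample log lines (simplified iptables-style; not real traffic).
SAMPLE_LOG = """\
Feb 10 09:01:12 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3198
Feb 10 09:01:12 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3199
Feb 10 09:01:13 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=3200
Feb 10 09:01:13 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=3217
Feb 10 09:02:40 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 10 09:03:05 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3205
Feb 10 09:04:17 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Fields we need from each line; anything that does not match is ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Yield (src, dst, proto, dport) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def backdoor_probes(log_text, ports=MYDOOM_PORTS):
    """Map each source address to the set of (dst, dport) pairs it tried
    inside the blocked range. Only TCP counts; other protocols are ignored."""
    hits = defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        if proto == "TCP" and dport in ports:
            hits[src].add((dst, dport))
    return dict(hits)


def likely_scanners(log_text, ports=MYDOOM_PORTS, min_targets=3):
    """Sources that hit at least min_targets distinct (host, port) pairs in the
    range. A single stray connection may be noise; a sweep across hosts or
    ports is someone hunting for infected machines. The threshold is an
    assumption of this example, not a published figure."""
    probes = backdoor_probes(log_text, ports)
    return sorted(src for src, targets in probes.items() if len(targets) >= min_targets)


if __name__ == "__main__":
    for src, targets in backdoor_probes(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} probe(s) into the MyDoom port range")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

On the constructed sample, 203.0.113.7 touches four host/port pairs across three internal hosts and is reported as a scanner, while 198.51.100.9 makes one attempt and is only listed as a probe. Run against real firewall logs, the same split separates background noise from a deliberate hunt for the worm's backdoor.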

By Gordon Smith