Bytware, Inc.

Mydoom hits the iSeries

As the original Mydoom worm (W32/Mydoom@MM) continues to spread at blazing speeds around the world, a second variant has been unleashed and is adding to the already overwhelming bandwidth consumption worldwide. In another twist that may have been unexpected by many IT administrators, Mydoom has also hit the iSeries. While the payload of these worms does not directly affect OS/400, a lack of anti-virus protection on the iSeries allows the worm to enter through OS/400 mail and reside in files stored on the iSeries.

StandGuard Anti-Virus, the award-winning anti-virus solution that runs natively on OS/400, has been detecting and removing copies of Mydoom found on the iSeries, according to Bytware customers. StandGuard Anti-Virus is powered by the McAfee scanning engine from Network Associates, rated the top scanning engine by the University of Hamburg Virus Test Center for three consecutive years.

Mydoom can enter the iSeries either through mail that passes through OS/400 or by copying itself to the iSeries from a client PC without the user’s knowledge. Only active scanning of the iSeries can detect the worm once it finds its way onto the system. Leaving the worm undetected can spread the infection to client PCs on your network as well as to other companies and networks with which you exchange information.

Experts say that the best way to fight Mydoom is through the use of standard anti-virus solutions. “Companies that are following recommended practices relating to secure e-mail use should be largely protected against the Mydoom virus and its variants,” explain experts in a new article on Computerworld’s Security website. These practices include vigilantly maintaining up-to-date virus definitions. iSeries security experts, including Carol Woodbury and Patrick Botz, recommend that administrators apply the same virus prevention procedures to their iSeries systems that they apply to their other platforms as a general security best practice.

More about Mydoom

The Mydoom worm has been labeled the most prolific worm ever by some security experts according to an article at SearchSecurity.com. It has shattered the records set in 2003 by the Sobig.F virus, and a new CNN article cites infection rates as high as one in three e-mails. Sobig.F peaked at an infection rate of 1 in 17 e-mails. British security firm MessageLabs reports that they have caught 1.8 million copies of Mydoom in more than 168 countries as of Wednesday, January 28. StandGuard Anti-Virus users are also reporting infections appearing on the iSeries.

The worm is particularly difficult to manage as it utilizes new techniques called “social engineering.” Using these techniques, virus writers attach their work to mail that appears to be a machine-generated error message. The idea is that users trust messages that they believe were generated by a computer as they are accustomed to receiving such messages from administrators and mail servers, especially in corporate settings.

Mydoom arrives as an attachment that can carry one of a number of different file extensions, some of which, such as ZIP, companies routinely allow through. Many report an attachment that appears to be a text document but has 60 spaces between the .txt and .exe extensions, preventing users from seeing the true file type. Many users view text documents as innocuous. Security experts say that these techniques are convincing many users who are normally very cautious to open and execute the worm. Mydoom also attempts to spread through file sharing services such as Kazaa if the software is found on an infected system.
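The padded double-extension trick described above is easy to check for mechanically at a mail gateway or in a scan of files stored on the system. The following Python is an added example written for this page, not Bytware's or StandGuard's code: it strips trailing whitespace to recover the extension the operating system will actually honour, flags names where whitespace separates a decoy extension from a real one, and blocks executable types. The executable-extension list and the sample attachment names are constructed assumptions for illustration.

```python
import re

# Illustrative set of extensions a gateway treats as executable
# (an assumption for this example, not a list taken from the article).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "cmd", "bat", "com"}

# A benign-looking extension, at least one run of spaces or tabs,
# then a second extension at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]+[ \t]+\.[A-Za-z0-9]+$")


def true_extension(filename: str) -> str:
    """Return the extension the operating system will actually honour.

    Trailing whitespace is stripped first so that padding after the last
    dot cannot hide the real extension; the result is lower-cased.
    """
    name = filename.rstrip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def is_padded_double_extension(filename: str) -> bool:
    """True when whitespace separates a decoy extension from the real one."""
    return PADDED_DOUBLE_EXT.search(filename.rstrip()) is not None


def assess_attachment(filename: str) -> dict:
    """Classify one attachment name the way a simple gateway filter might.

    Returns the true extension, whether the padding trick is present,
    whether the true extension is executable, and a 'block' flag that
    is set when either signal fires.
    """
    ext = true_extension(filename)
    padded = is_padded_double_extension(filename)
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "true_extension": ext,
        "padded_double_extension": padded,
        "executable": executable,
        "block": padded or executable,
    }


# Constructed sample names; the first imitates the 60-space padding
# described in the article, the rest are ordinary or borderline cases.
SAMPLE_ATTACHMENTS = [
    "document.txt" + " " * 60 + ".exe",
    "readme.txt",
    "archive.zip",
    "invoice.pdf .scr",
    "report.tar.gz",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        result = assess_attachment(name)
        shown = repr(name[:16]) + ("..." if len(name) > 16 else "")
        print(
            "%-24s ext=%-4s padded=%-5s block=%s"
            % (shown, result["true_extension"],
               result["padded_double_extension"], result["block"])
        )
```

A filename check like this only catches the disguise, not the worm: an allowed container such as ZIP passes the name test, so the contents still need to be scanned by an engine with current definitions, which is the point the article makes about active scanning on the iSeries.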

The purpose of Mydoom appears to be multifaceted. Both variants target SCO, the Utah-based software company embroiled in a legal battle with IBM over Linux, for a denial of service (DoS) attack on Sunday, February 1, and install a key logger that captures any text entered into the computer, including credit card numbers and passwords. The worms also open ports on the infected system, including ports 80, 1080, 3127, 3128, 8080, and 10080, and can allow the attacker to gain complete control of the computer. The Mydoom.B variant also targets Microsoft for a DoS attack on Tuesday, February 3, and modifies systems to prevent them from utilizing anti-virus software or accessing security websites.

Mydoom is also known as Novarg, Shimgapi, and Mimail.R.

Learn more in the Midrange Server, Four Hundred Stuff article by Alex Woodie.
