Mytob/mydoom Filtering

Mytob and mydoom variants seem to be on the rise in the last week.

These files are named in a way to fool users into thinking the file is something other than an executable.

In this example, a quick look at the file in postcard.zip might make you think it is an .htm file:

[Screenshot: the file listed inside postcard.zip, with a name that appears to end in .htm]

But if you look at the file type, it shows it is an application. Some older tools will show an IE icon, which further helps fool users into opening it.

The file in the above example has two extensions.

document.htm____________________________________________________________.exe

Mitigation

No scanner can protect you 100% of the time. Even with a product like Forefront\Antigen (which lets you scan with up to 5 engines), there is still a window between the introduction of a virus and the engines providing detections for it.

I suggest, at minimum, filtering out dual-extension executables by adding a filter for the *.*.* executable file type. The action can be clean (users still get the zip, but the attachment is now a .txt file) or purge (the message is removed entirely).
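To show what the dual-extension check and the clean/purge actions described above amount to in practice, here is an added example in Python. It is not code from the original post or from Forefront/Antigen; the executable extension list, the MZ-header check and the function names are assumptions made for this illustration, and the sample postcard.zip is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs; a hypothetical policy list for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def extensions_of(name: str) -> list:
    """Return the lower-cased extensions of a member name, with the underscore or
    space padding that disguises dual-extension names stripped, e.g.
    'document.htm____.exe' -> ['.htm', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + re.sub(r"[_\s]+$", "", p).lower() for p in parts[1:]]


def looks_like_pe(data: bytes) -> bool:
    """True if the content starts with the 'MZ' header of a Windows executable."""
    return data[:2] == b"MZ"


def classify(name: str, data: bytes) -> str:
    """Classify one attachment member the way a *.*.* / * exe filter would.
    Returns 'dual-extension-executable', 'executable', 'type-mismatch' or 'clean'."""
    exts = extensions_of(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        return "dual-extension-executable" if len(exts) >= 2 else "executable"
    if looks_like_pe(data):
        # Declared extension says document, content says program.
        return "type-mismatch"
    return "clean"


def filter_zip(zip_bytes: bytes, action: str = "clean") -> tuple:
    """Apply the filter to every member of a zip attachment.

    Returns (verdicts, output_bytes). With action='clean' each offending member is
    replaced by a .txt notice so the user still gets the zip; with action='purge'
    output_bytes is None, meaning the whole attachment is dropped."""
    verdicts = {}
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for info in src.infolist():
        verdicts[info.filename] = classify(info.filename, src.read(info))
    if all(v == "clean" for v in verdicts.values()):
        return verdicts, zip_bytes          # nothing to do, pass through unchanged
    if action == "purge":
        return verdicts, None
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            verdict = verdicts[info.filename]
            if verdict == "clean":
                out.writestr(info, src.read(info))
            else:
                base = info.filename.rsplit("/", 1)[-1].split(".")[0]
                notice = f"Removed attachment: {info.filename} ({verdict})\n"
                out.writestr(base + ".txt", notice)
    return verdicts, out_buf.getvalue()


def member_names(zip_bytes: bytes) -> list:
    """List the member names of a zip held in memory."""
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()


# Constructed sample: a postcard.zip like the one in the post. The disguised member
# holds a fake 'MZ' header followed by filler, not a real program.
DISGUISED = "document.htm" + "_" * 68 + ".exe"


def build_sample_postcard() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(DISGUISED, b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"Greetings card enclosed.\n")
    return buf.getvalue()


if __name__ == "__main__":
    verdicts, cleaned = filter_zip(build_sample_postcard(), action="clean")
    for name, verdict in verdicts.items():
        print(f"{verdict:26} {name}")
    print("cleaned zip now contains:", member_names(cleaned))
```

Stripping the padding before looking at the extensions is the point of `extensions_of`: the long run of underscores in the sample name is what pushes `.exe` out of sight in a file dialog, and a filter that only looks at the visible prefix would see an .htm file. The MZ check in `classify` catches the complementary case, an executable shipped under a single innocent extension.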

If your network policy is that no exe files are to come in by email, then you can put a * exe file-type filter in place with a purge option to reduce confusion for your end users.

If your policy lets internal users send exe files but you feel safe blocking exe files incoming from the internet, you can use our filtering to block incoming exe files (<in>* exe file types) as described here: https://technet.microsoft.com/en-us/library/bb795068.aspx