Blocking the MyDoom Virus with ISA 2004 Firewalls
By Thomas W Shinder MD, MVP
The table below lists the ports used by MyDoom. Outbound access to these ports should be blocked; the same TCP range is used for the Protocol Definition in the Block MyDoom rule later in this article. This data is current as of 12:28:09, Monday, March 8th 2004.

| Port Numbers | Transport Protocol | Used by MyDoom |
| --- | --- | --- |
| 3127 - 3198 | TCP | Yes |
By default, the ISA 2004 firewall blocks external attacks on the affected ports, because all incoming connections to the ISA firewall are dropped unless a publishing rule explicitly allows them. Do not create Server Publishing Rules that allow the MyDoom ports inbound access to the corporate network.
The default installation of the ISA 2004 firewall blocks outbound access to the MyDoom ports. You would need to create an Access Rule to allow outbound access to these ports. However, if your ISA firewall is configured with an "All Open" Access Rule for outbound traffic, then you will need to create an explicit Deny rule to block outbound access to the MyDoom ports.
To help prevent outbound attacks through ISA Server:
- Create Access Rules that Deny traffic on the MyDoom ports.
- Disable the Firewall Client for the malicious W32.MyDoom.B processes. The Firewall client must be installed on all client operating systems for this method to be effective, and we highly recommend that you install it on all Windows client operating systems. Do not install the Firewall client on network servers. If all Access Rules require authentication, the worm's processes cannot connect through the ISA firewall, because a process the Firewall client ignores falls back to SecureNAT and SecureNAT cannot authenticate. Network servers that do not have the Firewall client installed cannot authenticate either, so create Computer network objects for those servers and use those objects as the source of the Access Rules that control their outbound access.
TCP port 3127 is also used by the Reuters Kobra application (thanks to William Robertson for this tip!). If you require outbound access to this application, a port-based Deny rule would break it, so you must use the Firewall client approach instead, which blocks the malicious MyDoom processes while leaving the Kobra application's connections alone.
The ISA firewall machine itself is vulnerable to attack by the MyDoom worm if:
- You use an e-mail client on the ISA Server itself. For this reason, we strongly recommend that you never use client applications on the ISA firewall itself, including the Web browser, to connect to Internet resources. Do not treat the ISA firewall as a workstation.
- You execute an e-mail attachment delivered by MyDoom.
To block outbound traffic on known MyDoom ports:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
- Click on the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
- On the Welcome to the New Access Rule Wizard page, enter Block MyDoom in the Access Rule name text box. Click Next.
- On the Rule Action page, select the Deny option and click Next.
- On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
- In the Add Protocols dialog box, click the New menu, then click the Protocol command.
- On the Welcome to the New Protocol Definition Wizard page, enter MyDoom Outbound in the Protocol Definition name text box and click Next.
- On the Primary Connection Information page, click the New button.
- In the New/Edit Protocol Definition dialog box, select the Protocol type as TCP. The Direction is Outbound. The From port is 3127 and the To port is 3198. Click OK.
- Click Next on the Primary Connection Information page.
- Select the No option on the Secondary Connections page. Click Next.
- Click Finish on the Completing the New Protocol Definition Wizard page.
- In the Add Protocols dialog box, click the User-defined folder and then double click the MyDoom Outbound entry. Click Close.
- Click Next on the Protocols page.
- On the Access Rule Sources page, click the Add button.
- In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Networks (and Local Host) entry. Click Close.
- Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button.
- In the Add Network Entities dialog box, click the Network Sets folder and then double click on the All Networks entry. Click Close, then click Next on the Access Rule Destinations page.
- On the User Sets page, accept the default entry, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Move the Block MyDoom rule to the top of the list of rules so that it is evaluated before any Allow rule (such as an "All Open" rule) that would otherwise match the same traffic.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
The malicious MyDoom code runs under the executable names explorer, shimgapi and taskmon. You can set the Firewall client configuration so that it ignores connections made from these processes. The explorer, shimgapi and taskmon processes must then depend on the host machine's SecureNAT client configuration, and because the SecureNAT client cannot authenticate, their connection attempts fail against Access Rules that require authentication. Note that explorer is also the Windows shell, so any legitimate Winsock connection explorer makes from a Firewall client machine will fall back to SecureNAT in the same way.
To configure the Firewall Client to block malicious MyDoom processes:
- In Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node.
- Click the General node.
- On the General node, click the Define Firewall Client Settings link in the Details pane.
- In the Firewall Client Settings dialog box, click the Application Settings tab.
- On the Application Settings tab, click the New button.
- In the Application Entry Setting dialog box, enter explorer in the Application text box. Select disable from the Key drop down list. Select 1 from the Value drop down list. Click OK.
- Repeat the above procedure, this time using the shimgapi application. Repeat it one more time for the taskmon application. Then click Apply and then OK on the Firewall Client Settings page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
Configuring the Firewall client for the malicious processes only prevents those processes on an infected host from using the Firewall client to make connections through the ISA firewall. If the host is also configured as a SecureNAT client, the processes simply fall back to SecureNAT, and this setting has no effect unless the Access Rules stop the SecureNAT request. To prevent SecureNAT client access across the ISA firewall, make sure there are no anonymous Access Rules allowing outbound access to these applications; every Allow rule the worm's traffic could match must require authentication.
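The interaction just described (Firewall client disabled for a process, SecureNAT fallback that cannot authenticate, Computer objects for servers, and ordered first-match Access Rules) is easy to get wrong, so here is an added example that models it. This is illustrative code written for this article, not code from the article's author or from ISA Server; the Rule class, evaluate_connection, the sample policies and the sample addresses are all assumptions, not ISA Server APIs.

```python
"""Added example (not from the article or ISA Server): a small model of how
ISA 2004 decides an outbound connection, built from the pieces the article
describes: the Firewall client "disable" application setting, SecureNAT
fallback that cannot authenticate, Computer network objects as rule
sources, and ordered first-match Access Rule evaluation. All names and
sample addresses here are illustrative assumptions, not ISA Server APIs."""
from dataclasses import dataclass

# Application entries from the Firewall Client Settings tab (Key=disable, Value=1):
# the process names the article lists for MyDoom.
FIREWALL_CLIENT_DISABLED = {"explorer", "shimgapi", "taskmon"}

# TCP port range from the MyDoom Outbound protocol definition.
MYDOOM_PORTS = range(3127, 3198 + 1)
ANY_PORT = range(1, 65536)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    ports: range = ANY_PORT            # TCP destination ports the rule covers
    users: str = "all"                 # "all" (anonymous OK) or "authenticated"
    sources: frozenset = frozenset()   # Computer objects; empty means any source


def client_type(process, firewall_client_installed=True):
    """How the process reaches the ISA firewall.

    A process the Firewall client is disabled for, or any process on a host
    without the Firewall client, uses SecureNAT, which cannot authenticate.
    """
    if firewall_client_installed and process.lower() not in FIREWALL_CLIENT_DISABLED:
        return "firewall_client"
    return "securenat"


def evaluate_connection(process, port, rules, src_ip="10.0.0.50",
                        firewall_client_installed=True):
    """Walk the rule list top to bottom; the first rule whose ports and
    sources match decides. If that rule requires authentication and the
    request came via SecureNAT, the request is denied there (SecureNAT
    cannot supply credentials). If nothing matches, the default rule denies.
    Returns (decision, rule_name)."""
    kind = client_type(process, firewall_client_installed)
    for rule in rules:
        if port not in rule.ports:
            continue
        if rule.sources and src_ip not in rule.sources:
            continue
        if rule.users == "authenticated" and kind == "securenat":
            return "deny", rule.name + " (authentication required)"
        return rule.action, rule.name
    return "deny", "Default rule"


# Sample policies (constructed for this example).
BLOCK_MYDOOM = Rule("Block MyDoom", "deny", MYDOOM_PORTS)
ALL_OPEN_ANON = Rule("All Open", "allow")            # anonymous: the weak setting
ALL_OPEN_AUTH = Rule("All Open (authenticated)", "allow", users="authenticated")
SERVERS_OUT = Rule("Servers outbound", "allow", sources=frozenset({"10.0.0.5"}))

WEAK_POLICY = [ALL_OPEN_ANON]
AUTH_POLICY = [ALL_OPEN_AUTH]
HARDENED_POLICY = [BLOCK_MYDOOM, SERVERS_OUT, ALL_OPEN_AUTH]


if __name__ == "__main__":
    cases = [
        # disabled in the Firewall client, but an anonymous Allow rule lets SecureNAT through
        ("taskmon", 3127, WEAK_POLICY, {}),
        # SecureNAT cannot authenticate, so the worm process is denied
        ("taskmon", 3127, AUTH_POLICY, {}),
        # a legitimate authenticated process (the Kobra case) on a MyDoom port is allowed
        ("kobra", 3127, AUTH_POLICY, {}),
        # a port-based Deny rule at the top blocks it regardless of process
        ("kobra", 3127, HARDENED_POLICY, {}),
        # a server without the Firewall client needs a Computer-object rule
        ("svchost", 80, AUTH_POLICY, {"src_ip": "10.0.0.5", "firewall_client_installed": False}),
        ("svchost", 80, HARDENED_POLICY, {"src_ip": "10.0.0.5", "firewall_client_installed": False}),
    ]
    for proc, port, policy, kw in cases:
        print(proc, port, evaluate_connection(proc, port, policy, **kw))
```

The two "taskmon" cases are the point of the paragraph above: the Firewall client setting on its own changes nothing when an anonymous "All Open" rule exists, and only becomes a block once every Allow rule the traffic can match requires authentication. The "kobra" cases show why the Firewall client approach, not the port-based Deny rule, is the right tool when a legitimate application shares port 3127.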
You can test the functionality of the Block MyDoom rule by using Telnet on a client located on an ISA 2004 firewall protected network.
- Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node in the left pane of the console.
- On the Monitoring node, click the Logging tab in the Details pane.
- On the Tasks tab of the Task Pane, click the Start Query link.
- On a client system located on a protected network, click Start and then click Run. In the Open text box, enter cmd and click OK.
- At the command prompt enter telnet 220.127.116.11 3198 (any external address will do, since the rule denies the connection at the ISA firewall) and press ENTER.
- Return to the Microsoft Internet Security and Acceleration Server 2004 management console and view the real time log monitor. You will see entries indicating that the Block MyDoom Access Rule prevented the connection.
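The telnet test above checks one port. As an added example (not from the article or from ISA Server), the script below repeats the same check across the whole 3127-3198 range from a protected client and classifies each outcome, so the rule can be verified in one pass. The target host is an assumption you supply on the command line; the probe, sweep and rule_holds helpers are illustrative names, and the local listener exists only so the code can be exercised offline.

```python
"""Added example (not from the article): probe every port in the MyDoom
range the way the article's single telnet test does, and classify each
result. The target host is supplied by the caller; start_listener exists
only so the probe can be exercised against a local socket offline."""
import socket
import sys

# TCP range from the MyDoom Outbound protocol definition.
MYDOOM_PORTS = range(3127, 3198 + 1)


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify the outcome.

    'open'    : connect completed, i.e. an Allow rule let it through and
                something answered (for an external host this means the
                Deny rule is not in effect for that port)
    'refused' : a reset came back
    'timeout' : no answer within the timeout (silently dropped)
    'error'   : some other socket error (unreachable network, etc.)
    Whether a denied connection shows up as 'refused' or 'timeout' depends
    on whether the firewall resets it or drops it; either one means the
    connection did not succeed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        s.close()


def sweep(host, ports=MYDOOM_PORTS, timeout=2.0):
    """Probe each port in turn and return {port: outcome}."""
    return {p: probe(host, p, timeout) for p in ports}


def rule_holds(results):
    """True if no port in the sweep could be connected to."""
    return all(outcome != "open" for outcome in results.values())


def start_listener(host="127.0.0.1"):
    """Local TCP listener used only for offline testing; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mydoom_sweep.py <external-host>")
    results = sweep(sys.argv[1])
    for port, outcome in sorted(results.items()):
        print(f"tcp/{port}: {outcome}")
    print("Block MyDoom rule holds" if rule_holds(results)
          else "WARNING: at least one MyDoom port is reachable")
```

Run it from a client on a protected network against an external host while the real-time log monitor query is running; each probe should produce a denied entry for the Block MyDoom rule in the log, and the script should report that the rule holds. Run it from the same client against an internal host that is not behind the ISA firewall to confirm the probe itself works (you should see 'open' for any port that host is listening on).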
For More Information
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000108 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom