Volume 4, Number 9 -- March 2, 2004

MyDoom.F Hits OS/400 Shop Hard, Deletes 25,000 Documents


by Alex Woodie

If you still think your OS/400 server is immune to Windows viruses, think again. The MyDoom.F strain wreaked havoc at one OS/400 shop last week, when the worm deleted 25,000 Word documents, Excel spreadsheets, and image files that the company had kept on the IFS portion of its iSeries server. Faced with an extensive downtime and disaster recovery process, this company wished it had sought protection sooner.

MyDoom.F is the latest variant of the MyDoom worm, which was released in January and quickly became the most widespread Windows virus to date, according to some security researchers. Unlike the original MyDoom worm, which commanded an army of infected PCs to launch denial-of-service attacks against target Web sites, the MyDoom.F virus also contains a much more destructive payload.

In addition to launching DoS attacks against the Recording Industry Association of America and Microsoft Web sites, MyDoom.F searches for files with .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb extensions, and deletes them. The worm, which travels by e-mail attachment, can infect Windows file servers, such as the iSeries' IFS system, if the drives are mapped to Windows PCs. MyDoom.F also opens certain ports, giving the worm's writer remote access to the infected computer.

A MYDOOM-INFESTED IFS

IT officials with a company in Florida, who requested the company's name not be used in this story, discovered last Tuesday that a number of critical files were missing from the finance section of its IFS. Officials found the missing files on their Saturday night backup, but not on their Monday night backup, which led them to believe the files were deleted some time late Monday afternoon. By Wednesday morning, IT officials heard from other users about other files missing, and they also began to hear reports of the MyDoom virus infecting a few PCs.

The company had experienced problems with virus infections on the IFS before, but it had not had much success using PC-based virus scanning tools to clean it, an official with the company says. With approximately 500,000 files on the IFS spread across hundreds of folders, it would take more than 24 hours to complete a scan on its iSeries Model 830 from a PC, and often the PC would crash before finishing its IFS scan, he says.

Besides the time it takes to scan the IFS from a PC, and the propensity for PCs to crash, continual reinfection is another problem with PC-based IFS scanning, the official says. Scanning the IFS from a PC requires an open connection be maintained between the iSeries and PCs, which leads to continual reinfection. "You chase your tail a little [with PC-based IFS scanning], because while you're scanning to clean, you have PCs out there reinfecting you at the same time," the official says. "Given the destructive nature of the new MyDoom virus, it was clear to us we needed a new, more effective tool, and we needed it quickly."

FINDING A NATIVE ANTIVIRUS SOLUTION

The only native OS/400 antivirus software available on the market is StandGuard Anti-Virus, sold by Bytware. StandGuardAV provides a native OS/400 implementation of Network Associates' McAfee antivirus software. Ironically, the Florida company with the infected IFS had tested and evaluated StandGuardAV, and had plans to purchase it before the MyDoom.F attack, but never did, according to Bytware officials.

On Wednesday morning, officials with the Florida company were on the phone to Bytware, asking for immediate access to the full version of StandGuardAV (the free downloadable version available on Bytware's Web site finds viruses on the IFS, but it won't delete them). By noon the company was ready to roll with StandGuardAV, and was eager to disinfect the IFS so employees could get back to work.

Company officials immediately recognized one key advantage that native iSeries virus scanning has over PC-based virus scanning. "We had previously shut down the iSeries Net Server to prevent further damage," an official says, "so the first benefit we realized was that we could run the virus scan natively on the iSeries without having to bring Net Server back up." Sixteen hours later, StandGuardAV had scanned the entire IFS and the company was able to restart its Net Server processes on Thursday morning.

AFTERTHOUGHTS

Since that first emergency use of StandGuardAV, the company has reconfigured the software to better fit its particular situation. First, the company is using the iSeries job scheduler to set up StandGuardAV to automatically scan the most heavily used folders likely to be infected. The company is also planning to use StandGuardAV's capability to run multiple scans concurrently, which would allow it to better use the power of its iSeries Model 830. With any luck, the company will be able to scan all of its critical folders every night, in only three to four hours, officials say.

In the same way that roofers do better business when it rains, demand for Bytware's StandGuardAV goes up when particularly nasty viruses make the rounds. Officials with the Reno, Nevada, company say they have been contacted by several OS/400 shops looking for native iSeries anti-virus scanning following the introduction of MyDoom.F. A similar thing happened several weeks before, when the original MyDoom virus was released.

Licenses for StandGuardAV are tier-based and cost $750 to $10,000 per logical partition. Maintenance is set at 22 percent and is required in order to get access to the continually updated virus definitions from McAfee. For more information, go to www.bytware.com.


For weekly updates on the latest viruses, read Shannon O'Donnell's "OS/400 Alert" column in the Four Hundred Guru newsletter.

    Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.