Filter for Doomjuice Traffic

Over the past 24 hours, there has been a marked increase in network traffic related to the recent "Doomjuice" exploit (referred to by anti-virus vendors as either W32.HLLW.Doomjuice or W32.Doomjuice).

This particular exploit takes advantage of computers running Windows operating systems that have recently been infected by MyDoom (W32.MyDoom.A). It communicates with MyDoom-infected computers on TCP ports 3127-3198 and copies itself onto them. A computer infected by both MyDoom and Doomjuice then seeks to spread the exploit to yet other computers and launches a denial of service attack against the Microsoft Corporation web site.

In order to minimize the spread of this new exploit and control the denial of service attack, filters have been implemented at the campus border, the modem pools and the wireless network to block inbound and outbound TCP traffic on ports 3127-3198. We are not aware of any legitimate network traffic that will be impeded by this filter.
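The following is an added example, not part of the original notice, showing how a defender might confirm the filter is needed or working by scanning flow records for the TCP 3127-3198 range named above. The log layout, the campus address block (192.0.2.0/24, a documentation prefix) and the sample lines are all constructed assumptions, not output from any real appliance; outbound hits from a campus host point at a likely MyDoom/Doomjuice infection on that host, while inbound hits show outside hosts probing campus machines on the backdoor range.

```python
"""Flag flow-log lines that use the TCP port range blocked by the campus Doomjuice filter."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Port range named in the notice: MyDoom backdoor ports used by Doomjuice (3127-3198 inclusive).
DOOMJUICE_PORTS = range(3127, 3199)

# Assumed campus address space, used only to label flow direction (placeholder prefix).
CAMPUS_NET = ip_network("192.0.2.0/24")

# Constructed sample log lines in a simple "PROTO src:sport -> dst:dport" layout (assumption).
SAMPLE_LOG = """\
Feb 10 09:12:01 border flow: TCP 198.51.100.7:4412 -> 192.0.2.15:3127
Feb 10 09:12:02 border flow: TCP 192.0.2.15:1031 -> 203.0.113.9:3198
Feb 10 09:12:03 border flow: TCP 192.0.2.20:1040 -> 203.0.113.9:80
Feb 10 09:12:04 border flow: UDP 192.0.2.21:53001 -> 203.0.113.53:53
Feb 10 09:12:05 border flow: TCP 198.51.100.8:4413 -> 192.0.2.15:3199
Feb 10 09:12:06 border flow: TCP 192.0.2.15:1032 -> 203.0.113.10:3150
"""

LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_flow(line):
    """Return a dict for one flow line, or None if the line does not match the layout."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def is_doomjuice_port(flow):
    """True when the flow is TCP and its destination port falls in 3127-3198."""
    return flow["proto"] == "TCP" and flow["dport"] in DOOMJUICE_PORTS


def direction(flow):
    """Label the flow relative to the assumed campus prefix."""
    src_in = ip_address(flow["src"]) in CAMPUS_NET
    dst_in = ip_address(flow["dst"]) in CAMPUS_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


def scan_log(text):
    """Return every parsed flow that touches the blocked port range, with its direction."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and is_doomjuice_port(flow):
            flow["direction"] = direction(flow)
            hits.append(flow)
    return hits


def summarize(hits):
    """Count hits per campus host and direction: outbound = host likely infected,
    inbound = host being probed on the backdoor range."""
    counts = Counter()
    for h in hits:
        host = h["src"] if h["direction"] == "outbound" else h["dst"]
        counts[(host, h["direction"])] += 1
    return counts


if __name__ == "__main__":
    for (host, way), n in sorted(summarize(scan_log(SAMPLE_LOG)).items()):
        print(f"{host:15} {way:9} {n} flow(s) on TCP 3127-3198")
```

The range check is inclusive of 3198 and excludes 3199, so the sample line on port 3199 is deliberately not reported; the campus host 192.0.2.15 shows up once as a probe target and twice as an outbound source, which is the pattern that would justify taking that machine off the network and cleaning it.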

Because new viruses and the anti-virus updates that stop them are being released rapidly, you are advised to check for and install new vendor anti-virus updates on a daily basis. We are running the latest anti-virus update on the campus email servers and will be checking throughout the day for the availability of the next update release.

References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A