Companies that follow recommended practices relating to secure email use should be largely protected against the Mydoom virus and its variants, experts say.

Despite the speed with which the email-borne menace has proliferated since it was discovered on Monday, there's nothing - so far - about Mydoom that a combination of antivirus, email filtering and intrusion-detection technologies can't handle.

Mydoom, which started spreading earlier this week, has quickly become the most virulent email virus ever.

How to spot Mydoom
The virus arrives in an email message as an attached file that can have various names and extensions, including EXE, SCR, ZIP and PIF. When the attachment is executed, the worm starts sending copies of itself to other email addresses stored in the infected computer.

The first version of the virus, now called Mydoom.A is designed to attack the SCO Group's website. A newer variant, dubbed Mydoom.B, which began surfacing on Wednesday, appears to be designed to direct similar denial-of-service attacks against Microsoft's website. The variant includes a feature that blocks infected computers from accessing sites belonging to vendors of antivirus products.

Companies that filter out email attachments or analyse the contents of attachments are unlikely to have been affected much, says Darwin Ammala, computer security engineer for the Harris Stat network security unit. Bruce Hughes, director of malicious code research at TruSecure's Icsa Labs, says that about 80 percent of his company's clients already filter out at least five attachments commonly used in email attacks. The remaining companies filter out even more attachments as a precaution against email attacks, he says.

"From all indications, corporations of a size large enough to afford antivirus [technologies] at the email gateway were unaffected," says Russ Cooper, moderator of NT Bugtraq and a TruSecure analyst.

Even in cases where the virus might have managed to infiltrate desktops, "most corporations will either notice or block outbound SMTP during such a virus outbreak" to prevent the virus from spreading, Cooper says.

Quick updates urged
Baker Hill, an application service provider, saw about 50 of its systems infected by Mydoom before its antivirus vendor had a fix for the worm, says Eric Beasley, senior network manager at the company.

Even so, only one user actually clicked on the attachment to activate the worm, he says. An antivirus product installed on the user's desktop quickly detected the worm and alerted administrators, Beasley says.

Since then, Baker Hill has updated its antivirus signatures. Baker Hill also uses a service provider to scan all of its email for spam and has seen no evidence of Mydoom since that provider began stripping out all email attachments containing the worm.

"We are pleasantly surprised by how little it has affected us so far," says Trey Miller, manager of telecom services at Vertis, an advertising and media services company.

Vertis uses virus protection services from Postini and has so far seen little evidence of Mydoom on its internal network, Miller says.