Originally I had done research into the original mydoom/novarg virus and developed some snort rules that proved effective, but the virus continues to mutate with each version and is still having a big impact (though I don't know why; you would think people would quit clicking strange things in their email, but that's beside the point).
The one thing constant with all the mydoom viruses is that they try to hide the executable with UPX encoding.
UPX encoding is said to be designed to reduce the size of an executable, which is really BS. It barely reduces it, and with the size of hard drives nowadays who needs to reduce an exe from 900kb to 890kb?
The most use of UPX comes from hiding viruses and trojans! These 3 rules catch all versions of mydoom because they are not looking for a virus that mutates or gets changed by another virus writer; they look for the UPX signature that is contained in all UPX executables. So really these rules extend beyond mydoom and cover all UPX files being sent to your mail server. There is a potential for false positives though, and in the few weeks I've been using them in PureSecure I have seen it happen. Not that often though, and it has caught every single variation of mydoom. So who knows what the next version of mydoom will entail, and with less than a 1% false positive ratio I would say these snort rules are essential.
# classtype takes the short name from classification.config: shellcode-detect is "Executable code was detected", trojan-activity is "A Network Trojan was detected". Each rule needs a sid; 1000001-1000003 are placeholders in the local range.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(1)"; content:"VVBY"; classtype:shellcode-detect; priority:1; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(2)"; content:"WDAA"; classtype:shellcode-detect; priority:1; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(3)"; content:"UFgw"; classtype:trojan-activity; sid:1000003; rev:1;)
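The three content strings are one and the same section name seen at the three possible base64 alignments: base64 encodes 3 bytes as 4 characters, so where the name falls relative to a group boundary changes the characters it produces. The Python below is added here as an illustration and is not part of the original post. It derives the strings from the 8-byte, NUL-padded PE section-name field (UPX0, an assumption about the packer's section naming), emulates the rules as a plain substring search over a constructed SMTP message, and adds a second stage that decodes the attachment and checks the raw bytes, which is one way to deal with the false positives the post mentions. The message text and the "packed" and "benign" payloads are constructed, not real mail or real binaries.

```python
import base64
import binascii
import re

# The three content strings from the Snort rules in the post above.
RULE_CONTENT = {
    "UPX File in Email(1)": "VVBY",
    "UPX File in Email(2)": "WDAA",
    "UPX File in Email(3)": "UFgw",
}

# PE section-name fields are 8 bytes, NUL padded; UPX names its first
# section "UPX0" (assumption used here to derive the strings).
UPX0_SECTION_NAME = b"UPX0\x00\x00\x00\x00"
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def base64_alignments(marker: bytes) -> list[str]:
    """Base64 encodes 3-byte groups as 4 characters, so the same bytes yield
    three different character runs depending on where they start relative
    to a group boundary. Return, for offsets 0, 1 and 2, the characters that
    are fully determined by `marker` (characters sharing bits with unknown
    neighbouring bytes are dropped)."""
    runs = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + marker).decode("ascii")
        first_bit = 8 * offset
        last_bit = 8 * (offset + len(marker)) - 1
        runs.append("".join(
            ch for k, ch in enumerate(encoded)
            if 6 * k >= first_bit and 6 * k + 5 <= last_bit))
    return runs


def snort_like_match(stream: str) -> list[str]:
    """Emulate the rules: a plain substring search over the SMTP stream.
    Returns the msg of every rule that would fire."""
    return [msg for msg, needle in RULE_CONTENT.items() if needle in stream]


def confirm_upx_attachment(stream: str) -> bool:
    """Second-stage check to cut false positives: gather the base64 body
    lines, decode them and look for the section name in the raw bytes."""
    joined = "".join(line for line in stream.splitlines()
                     if BASE64_LINE.fullmatch(line))
    try:
        decoded = base64.b64decode(joined, validate=True)
    except binascii.Error:
        return False
    return b"UPX0" in decoded


def build_sample_message(payload: bytes, subject: str = "report") -> str:
    """Constructed SMTP DATA text (not captured traffic) carrying `payload`
    as a 76-column base64 attachment."""
    encoded = base64.b64encode(payload).decode("ascii")
    body = [encoded[i:i + 76] for i in range(0, len(encoded), 76)]
    return "\r\n".join([
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        'Content-Type: application/octet-stream; name="file.exe"',
        "Content-Transfer-Encoding: base64",
        "",
        *body,
        "",
    ])


# Constructed stand-in for a packed PE: fake header, UPX0/UPX1 section
# names at bytes 32 and 40, then filler. Not a real executable.
PACKED_SAMPLE = (b"MZ" + b"\x00" * 30
                 + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
                 + b"\x90" * 40)
BENIGN_SAMPLE = b"hello" * 20

if __name__ == "__main__":
    for offset, run in enumerate(base64_alignments(UPX0_SECTION_NAME)):
        print(f"offset {offset}: {run}")
    for label, payload, subject in [("packed", PACKED_SAMPLE, "report"),
                                    ("benign", BENIGN_SAMPLE, "report"),
                                    ("benign", BENIGN_SAMPLE, "Order VVBY-2204")]:
        msg = build_sample_message(payload, subject)
        print(label, subject, snort_like_match(msg), confirm_upx_attachment(msg))
```

The derived runs are VVBYMAAAAA, VQWDAAAAAA and VUFgwAAAAA, which contain VVBY, WDAA and UFgw respectively, so the three rules between them cover every alignment the UPX0 name can land on. The constructed packed sample trips only rule 3 (its UPX0 name sits at byte 32, alignment 2), and the subject "Order VVBY-2204" trips rule 1 on plain header text with no attachment at all; the decode stage separates the two. In the sample the match lies inside a single base64 line; a match split across a line break or a TCP segment boundary is a miss for a plain content rule, which is another reason to keep the decode-and-check stage.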