How to Remove MyDoom worm virus
aka Novarg.A or MiMail.R virus

for information on MyDoom.B click here

What is the MyDoom Worm?
The MyDoom worm appears to be a variant of the MiMail viruses that have traveled the Internet in the last few months. The mass mailing worm that arrives as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

The worm performs a denial of service (DoS) attack against the website www.sco.com. It will begin this attack if the system date is February 1, 2004 and has a built-in expiration date of February 12, 2004 when it will stop running most of its routines.

This worm runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This trojan component opens TCP ports 3127 thru 3198 to allow remote users to access and manipulate infected systems. The backdoor routine has the ability to download and execute arbitrary files.

The worm can also infect through the Kazaa peer-to-peer file sharing network.

It runs on Windows 98, ME, NT, 2000 and XP. Its funny I'm talking about a worm called MyDoom on PCHell.


From: <Spoofed email address>

Subject: (any of the following)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi
  • test

Message Body: (any of the following)

  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

Attachment:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

with one of the following suffixes:

  • pif
  • scr
  • exe
  • cmd
  • bat
  • zip

How Does Novarg.A or MyDoom.A Worm Infect My System?

When the worm is activated, it performs the following tasks:

  1. Creates the following files:
    • "shimgapi.dll" in %System%
    • "Message" in %temp%. This file is full of random letters and is displayed via Notepad.
    • "taskmon.exe" in %System%. If a copy of taskmon.exe exists in the %System%, it is overwritten and replaced by this copy of the worm.

    The file Shimgapi.dll acts as a proxy server opening TCP ports in the range of 3127 to 3198 for listening. This can  potentially allow a hacker to connect to the machine via these ports and utilize it as a proxy to gain access to it's network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

    Shimgapi.dll is loaded by EXPLORER.EXE via the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

  2. Adds the Startup Entry

    TaskMon = %System%\taskmon.exe

    to the registry keys

    HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run
    or
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


  3. Starting on February 1, 2004 it can perform a Denial of Service against www.sco.com using a direct connection to port 80. Creates 64 threads which send GET requests. The DoS attack will continue until February 12, 2004.

  4. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32\Version
    and
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32\Version

  5. Searches the Windows Address book and other files with the following file extensions (including in the Temporary Internet Files folder) for email addresses and domain names. It ignores addresses which end in ".edu".
    • .htm
    • .sht
    • .php
    • .asp
    • .dbx
    • .tbb
    • .adb
    • .pl
    • .wab
    • .txt
  6. It adds any of the prefixes below to obtained domain names for possible SMTP access
    • mx.
    • mail.
    • smtp.
    • mx1.
    • mxs.
    • mail1.
    • relay.
    • ns.
    • gate.

    It assumes that an SMTP service exists on the resulting strings (e.g. mx.domain_name.com, mail.domain_name.com) and connects to these services via SMTP port 25.

  7. Attempts to send emails by using its own SMTP engine. It performs a lookup of the mail server of the recipient in order to send. If it is unsuccessful it will use the local mail server.

    It avoids sending emails to domain names and email address that contain certain text strings.
  8. Copies itself to KaZaA download directory as one of the following files:
    • winamp5
    • icq2004-final
    • activation_crack
    • strip-girl-2.0bdcom_patches
    • rootkitXP
    • office_crack
    • nuke2004

    with a file extension of

    • pif
    • scr
    • bat
    • exe

How Can I Remove the MyDoom.A or Novarg.A worm?

Follow these steps in removing the MiMail.R worm.

1) Restart your Computer in Safe mode by pressing F8 as the computer is booting. The backdoor component attaches itself to the Explorer.exe file, so restarting in Safe mode should allow you to remove it the easiest.

2) Remove the Registry entries
(deleting the wrong item in the registry can render your computer unbootable, do not follow these steps unless you have made a backup of the registry or can recover from a corrupted registry)

  • Click on Start, Run, Regedit
  • In the left panel go to the following keys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • In the right panel, right-click and delete the following entry

    "Taskmon"="%System%\taskmon.exe"
  • In the left panel go to the following keys and delete them

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
  • In the left panel go to the following key

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  • In the right pane, modify the value as follows, depending on your operating system:

    (Default) = “%System%\shimgapi.dll”

3) Delete the infected files (for Windows ME and XP  you may have to disable system restore to remove infected backed up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS\SYSTEM).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    shimgapi.dll
    (in the Windows\System folder)
    taskmon.exe (in the Windows\System folder)
    ** Note: DO NOT DELETE ANY INSTANCE OF TASKMON.EXE IN THE NORMAL WINDOWS FOLDER
  • Click Find Now or Search Now.
  • Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program or online scan at

             http://housecall.antivirus.com

For More Information on this worm, visit Symantec's website or Trend Micro

 

space.gif (58 bytes)

 

Search PCHell.com
site search by freefind advanced

 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google