What is the MyDoom Worm?
The MyDoom worm appears to be a variant of the MiMail viruses that have traveled the Internet in the last few months. It is a mass-mailing worm that arrives as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

The worm performs a denial of service (DoS) attack against the website www.sco.com. It will begin this attack if the system date is February 1, 2004 and has a built-in expiration date of February 12, 2004, when it will stop running most of its routines.
This worm runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This trojan component opens TCP ports 3127 through 3198 to allow remote users to access and manipulate infected systems. The backdoor routine has the ability to download and execute arbitrary files.

The worm can also infect through the Kazaa peer-to-peer file sharing network. It runs on Windows 98, ME, NT, 2000 and XP. It's funny I'm talking about a worm called MyDoom on PCHell.
From: <Spoofed email address>
Subject: (any of the following)
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
- test
Message Body: (any of the following)
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- test
Attachment:
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
with one of the following suffixes:
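As an added example (not code from the PCHell page), here is a Python mail-gateway check that flags messages matching the traits listed above; the subject, body and attachment-name lists come from this page, the suffix list is the one given at the top of the page, and WORM_MAIL is a constructed sample message, not a real capture.

```python
import email
import os
from email import policy
# Traits listed in the write-up, compared case-insensitively
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi", "test"}
BODY_NOTICES = ("has been sent as a binary attachment",
                "mail transaction failed. partial message is available")
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data",
                "test", "message", "body"}
SUFFIXES = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}

def mydoom_indicators(raw):
    # returns the traits a raw RFC 822 message matches: subject, body, attachment
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower() if part else ""
    if body == "test" or any(n in body for n in BODY_NOTICES):
        hits.append("body:bounce-notice")
    for att in msg.iter_attachments():
        base, ext = os.path.splitext(att.get_filename() or "")
        if base.lower() in ATTACH_NAMES and ext.lower() in SUFFIXES:
            hits.append(f"attachment:{att.get_filename()}")
    return hits

def is_mydoom_like(raw):
    # quarantine rule: a lure attachment plus at least one canned subject or body
    hits = mydoom_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

# Constructed sample in the worm's bounce-notice style (not a real capture)
WORM_MAIL = b"""Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"

(constructed placeholder standing in for the zipped executable)
--b1--
"""
```

Requiring the lure attachment together with a canned subject or body keeps ordinary "hi" or "test" messages from being quarantined on the subject line alone.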
How Does Novarg.A or MyDoom.A Worm Infect My System?
When the worm is activated, it performs the following tasks:
- Creates the following files:
  - "shimgapi.dll" in %System%
  - "Message" in %temp%. This file is full of random letters and is displayed via Notepad.
  - "taskmon.exe" in %System%. If a copy of taskmon.exe exists in %System%, it is overwritten and replaced by this copy of the worm.
  The file Shimgapi.dll acts as a proxy server, opening TCP ports in the range of 3127 to 3198 for listening. This can potentially allow a hacker to connect to the machine via these ports and utilize it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.
  Shimgapi.dll is loaded by EXPLORER.EXE via the registry key:
  HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  "(Default)" = %SysDir%\shimgapi.dll
- Adds the Startup Entry
  TaskMon = %System%\taskmon.exe
  to the registry keys
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  or
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Starting on February 1, 2004 it can perform a Denial of Service against www.sco.com using a direct connection to port 80. It creates 64 threads which send GET requests. The DoS attack will continue until February 12, 2004.
- Creates the following registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
  and
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
- Searches the Windows Address Book and other files with the following file extensions (including in the Temporary Internet Files folder) for email addresses and domain names. It ignores addresses which end in ".edu".
  - .htm
  - .sht
  - .php
  - .asp
  - .dbx
  - .tbb
  - .adb
  - .pl
  - .wab
  - .txt
- It adds any of the prefixes below to obtained domain names for possible SMTP access:
  - mx.
  - mail.
  - smtp.
  - mx1.
  - mxs.
  - mail1.
  - relay.
  - ns.
  - gate.
  It assumes that an SMTP service exists on the resulting strings (e.g. mx.domain_name.com, mail.domain_name.com) and connects to these services via SMTP port 25.
- Attempts to send emails by using its own SMTP engine. It performs a lookup of the mail server of the recipient in order to send. If it is unsuccessful it will use the local mail server. It avoids sending emails to domain names and email addresses that contain certain text strings.
- Copies itself to the KaZaA download directory as one of the following files:
  - winamp5
  - icq2004-final
  - activation_crack
  - strip-girl-2.0bdcom_patches
  - rootkitXP
  - office_crack
  - nuke2004
  with a file extension of
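As an added example (not from the PCHell page), a read-only Python audit that checks a Windows host for the indicators described above: the TaskMon Run-key entry, the hijacked InProcServer32 default pointing at shimgapi.dll, and anything accepting connections on the backdoor port range. The registry paths and port range are the ones given on this page; the function and variable names are my own.

```python
import socket

# Indicators from the write-up: Run-key value, hijacked CLSID default, backdoor port range.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = r"CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
BACKDOOR_PORTS = range(3127, 3199)  # 3127 through 3198 inclusive

def run_key_hits(values):
    # values: {name: data} from a Run key; match the TaskMon entry by name or by target
    return [f"{n}={d}" for n, d in values.items()
            if n.lower() == "taskmon" or d.lower().endswith("\\taskmon.exe")]

def clsid_hijacked(default_value):
    # the worm points the InProcServer32 default at its dropped DLL
    return (default_value or "").lower().endswith("\\shimgapi.dll")

def backdoor_listeners(open_ports):
    # keep only the locally open TCP ports that fall inside the backdoor range
    return sorted(p for p in set(open_ports) if p in BACKDOOR_PORTS)

def read_values(hive_name, path):
    # name -> data for every value under a key; {} if the key is absent (Windows only)
    import winreg
    values = {}
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except OSError:
        pass
    return values

def audit_windows_host():
    # read the live registry, then probe loopback for a backdoor listener
    findings = []
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        hits = run_key_hits(read_values(hive, RUN_KEY))
        findings += [f"{hive}\\{RUN_KEY}: {h}" for h in hits]
    default = read_values("HKEY_CLASSES_ROOT", CLSID_KEY).get("")
    if clsid_hijacked(default):
        findings.append(f"HKEY_CLASSES_ROOT\\{CLSID_KEY} (Default) = {default}")
    open_ports = []
    for port in BACKDOOR_PORTS:
        with socket.socket() as s:
            s.settimeout(0.2)
            if s.connect_ex(("127.0.0.1", port)) == 0:
                open_ports.append(port)
    findings += [f"TCP {p} accepting connections" for p in backdoor_listeners(open_ports)]
    return findings
```

Call audit_windows_host() on the Windows machine being checked; the three matching helpers are pure functions and run anywhere, which is how they are tested here.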
How Can I Remove the MyDoom.A or Novarg.A worm?
Follow these steps to remove the MiMail.R worm.

1) Restart your computer in Safe mode by pressing F8 as the computer is booting. The backdoor component attaches itself to the Explorer.exe file, so restarting in Safe mode should make it easiest to remove.

2) Remove the Registry entries (deleting the wrong item in the registry can render your computer unbootable; do not follow these steps unless you have made a backup of the registry or can recover from a corrupted registry)
- Click on Start, Run, Regedit
- In the left panel go to the following keys
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- In the right panel, right-click and delete the following entry
  "Taskmon"="%System%\taskmon.exe"
- In the left panel go to the following keys and delete them
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
- In the left panel go to the following key
  HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
- In the right pane, modify the value as follows, depending on your operating system:
  (Default) = "%System%\shimgapi.dll"

3) Delete the infected files (for Windows ME and XP you may have to disable System Restore to remove infected backed-up files as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:\WINDOWS\SYSTEM).
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
  shimgapi.dll (in the Windows\System folder)
  taskmon.exe (in the Windows\System folder)
  ** Note: DO NOT DELETE ANY INSTANCE OF TASKMON.EXE IN THE NORMAL WINDOWS FOLDER
- Click Find Now or Search Now.
- Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program or online scan at http://housecall.antivirus.com
For more information on this worm, visit Symantec's website or Trend Micro.