MyDoom worm removal


Virus type: Worm
Destructive: No

Aliases: Win32:Mydoom [Wrm], W32/Mydoom.A@mm, Win32.HLLM.MyDoom.32768, Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, W32.Novarg.A@mm, Win32/Mydoom.A@mm, I-Worm.Novarg, W32/Mydoom.A.worm, WORM_MIMAIL.R

Pattern file needed: 745
Scan engine needed: 5.600
Overall risk rating: Medium



Reported infections: Medium
Damage Potential: High
Distribution Potential: High



Description:

As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MYDOOM.A (previously known as WORM_MIMAIL.R).

This mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names for its email messages. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines.

It can also propagate through the Kazaa peer-to-peer file-sharing network.

It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens a port in the range 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.


Solution:

AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_MYDOOM.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Terminating the Malware Program
This procedure terminates the running malware process from memory.
You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing the Backdoor DLL File

To be able to remove the DLL file, you need to terminate the EXPLORER.EXE process first.

Click Start>Run.
Type COMMAND and press Enter.
Terminate EXPLORER.EXE.
On Windows NT/2000/XP

Open Windows Task Manager.
Press CTRL+SHIFT+ESC and click the Processes tab.
In the list of running programs, select EXPLORER.EXE.
Right-click EXPLORER.EXE and click End Process Tree.
On Windows 9x/ME

Download and install a third-party process viewer like Process Explorer.
Run process viewer.
In the list of running programs, select and terminate the process EXPLORER.EXE.
Close the process viewer.

Switch to the command prompt.
Hold the ALT key then continue pressing TAB until you arrive at the command prompt window.
Enter the following on the command prompt:
del %System%\shimgapi.dll

Restart the EXPLORER.EXE process by entering EXPLORER.EXE on the command prompt.
Close command prompt.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor.
To do this, click Start>Run, type REGEDIT, then press Enter.

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries:
TaskMon = %System%\taskmon.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

(Note: Some registry entries may point to a legitimate Windows utility with the same file name, TASKMON.EXE, which can be found in the Windows folder on some systems.)

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries, if found:
TaskMon = %System%\taskmon.exe
Removing Other Malware Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}>InProcServer32

In the right panel, locate and modify the entry:
(Default) = "%System%\shimgapi.dll"
and change it to
%System%\webcheck.dll

Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
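The two registry procedures above can be checked offline against a REGEDIT export of the keys involved. The following Python checker is an added example, not part of Trend Micro's advisory; it parses a constructed .reg export, flags the TaskMon autostart and the hijacked InProcServer32 handler, and treats a TaskMon entry outside %System% as "suspicious" rather than "infected" because of the legitimate TASKMON.EXE noted above. The result labels (hklm_run, hkcu_run, webcheck_clsid) are hypothetical names chosen here.

```python
import ntpath
import re
# Indicators named in the advisory above; the result labels are hypothetical.
RUN_KEYS = {
    "hklm_run": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "hkcu_run": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
WEBCHECK_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # name=REG_SZ lines
def parse_reg_export(text):
    """Parse a REGEDIT export into {key.lower(): {name.lower(): data}}; '@' is the default value."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escapes
    return keys

def verdict(data, worm_file):
    """'infected' if data is worm_file inside %System%, else 'suspicious' (a legitimate TASKMON.EXE may sit in the Windows folder)."""
    in_system = ntpath.basename(ntpath.dirname(data)).lower() in {"system", "system32"}
    return "infected" if in_system and ntpath.basename(data).lower() == worm_file else "suspicious"

def check_mydoom_persistence(export):
    """Map each indicator to 'infected', 'suspicious', 'clean' or 'absent'."""
    keys, findings = parse_reg_export(export), {}
    for label, path in RUN_KEYS.items():
        data = keys.get(path.lower(), {}).get("taskmon")
        findings[label] = "absent" if data is None else verdict(data, "taskmon.exe")
    handler = keys.get(WEBCHECK_KEY.lower(), {}).get("@")
    if handler is None:
        findings["webcheck_clsid"] = "absent"
    elif ntpath.basename(handler).lower() == "webcheck.dll":
        findings["webcheck_clsid"] = "clean"  # the handler the advisory restores
    else:
        findings["webcheck_clsid"] = verdict(handler, "shimgapi.dll")
    return findings
# Constructed sample export: worm autostart in HKLM, a Windows-folder TaskMon in HKCU, hijacked handler.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\taskmon.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
'''
```

On a real system the input would be the output of exporting the three keys from Registry Editor; `check_mydoom_persistence(SAMPLE_EXPORT)` returns infected, suspicious and infected for the three labels.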

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MYDOOM.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.



Articles on the Internet are transitory.
The publishers may remove them, change sites, change URLs, or change titles. To keep this article available for you, it has been reprinted here with authorship maintained and coding simplified for error-free loading.

