How to Detect and Remove the MyDoom.F Worm?
What is the MyDoom.F Worm?

The Mydoom.F worm:

  • Is a mass-mailing worm that opens a backdoor on TCP port 1080
  • Can download and execute arbitrary files
  • Will perform a Denial of Service (DoS) attack against www.microsoft.com and www.riaa.com if the computer's local system date is between the 17th and 22nd of any month.
  • Sets up a backdoor in an infected system, by opening TCP port 1080. This could allow an attacker to connect to a computer and use it as a proxy to gain access to its network resources.

The worm arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed.

Also known as: W32/Mydoom.f@MM, WORM_MYDOOM.F, W32/MyDoom-F, I-Worm.Mydoom.f, Win32.Mydoom.F

How Does MyDoom.F Worm Infect My System?

When Mydoom.F is executed, it does the following:
  1. Creates a mutex, "jmydoat<the infected computer name>Xmtx," which allows only one instance of the worm to execute in memory.

  2. May display a fake message:

    Title: Error
    Text: (One of the following)
    • File is corrupted
    • File cannot be opened
    • Unable to open specified file

  3. May create a file in the %Temp% folder that contains randomly generated data if it does not display the above message. The worm opens the file with notepad.exe. This behavior is identical to that of previous W32.Mydoom variants.

  4. Copies itself to the %System% folder using a randomly generated file name, made up of four to 13 lower case letters with a .exe extension.

  5. Iterates through all the drives (hard drive, remote drive, or RAM drive), C through Z, attempting to drop randomly named copies of itself to all the folders containing the following strings:
    • "startup"
    • "start"
    • "shar"

  6. Creates a .dll file in the %System% folder using a randomly generated file name, made up of four to eight lower case letters, with randomly generated data appended to the end of the .dll file.

  7. Opens a backdoor listening on TCP port 1080, using the .dll component, which acts as a proxy server and can also download and execute arbitrary files.

  8. Terminates any processes whose name contains one of the following strings:
    • reged
    • taskmo
    • taskmg
    • avp.
    • avp32
    • norton
    • navapw
    • navw3
    • intrena
    • mcafe

  9. Creates .zip archive files using randomly generated file names. Most likely, these will be found in the root or %Windir% folder.

  10. Adds the value:

    "<four to eight random, lowercase letters>" = "%System%\<the filename of the worm>"

    to one of the registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you restart Windows.

  11. Creates the following registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell

  12. Checks the local system date. If the date is between the 17th and 22nd of any month, there is a 68% chance the worm will perform a DoS attack against www.microsoft.com, and a 32% chance of a DoS attack against www.riaa.com. The DoS is performed by creating a random number of new threads that send GET requests over a direct connection to port 80.

  13. Searches the folders on drives C to Z for the files with the following extensions:
    • .mdb
    • .doc
    • .xls
    • .sav
    • .jpg
    • .avi
    • .bmp

  14. If the drive is a hard drive, remote drive, or RAM drive, the worm randomly deletes the files it finds with the following probability:
    • .mdb - 98%
    • .doc - 40%
    • .xls - 60%
    • .sav - 95%
    • .jpg - 8%
    • .avi - 10%
    • .bmp - 15%

  15. Searches the folders on drives C to Z for the files with the following extensions, and for any files whose names contain "Inbox."
    • .wab
    • .mbx
    • .nch
    • .mmf
    • .ods
    • .rtf
    • .uin
    • .oft
    • .mht
    • .vbs
    • .msg
    • .pl
    • .eml
    • .adb
    • .tbb
    • .dbx
    • .asp
    • .php
    • .sht
    • .htm
    • .txt

  16. If the drive is a hard drive, remote drive, or RAM drive, the worm will retrieve the email addresses from the files it finds.

  17. Retrieves the email addresses from the %TemporaryInternetFiles% folder and the Windows address book.

  18. The worm avoids the email addresses that contain the following strings:
    • mozilla
    • utgers.ed
    • tanford.e
    • fsf.
    • gnu
    • mit.e
    • bsd
    • math
    • unix
    • berkeley
    • ripe.
    • arin.
    • sendmail
    • rfc-ed
    • ietf
    • ......

  19. Uses its own engine to send itself, or its .zip archive, to the email addresses it finds. 
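
As an added illustration (not part of the original write-up), the following Python script applies two of the host indicators above, the random-named Run value pointing at %System%\<random>.exe (step 10) and the TCP 1080 listener (step 7), to constructed samples of `reg export` and `netstat -ano` output. The sample values are made up, and the pattern match is a heuristic that a scanner should confirm.

```python
import re

# Constructed sample of "reg export" output for the HKLM Run key (not a real capture).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"qzkvlm"="C:\\WINDOWS\\System32\\qzkvlm.exe"
"Updater"="C:\\WINDOWS\\System32\\wuauclt.exe"
'''

# Constructed sample of "netstat -ano" output (not a real capture).
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1234       10.0.0.2:80            ESTABLISHED     1532
'''

# Step 10 of the write-up: the value name is 4-8 random lowercase letters and the
# data points at %System%\<4-13 random lowercase letters>.exe. The two names are
# generated independently, so they are not compared with each other.
RUN_VALUE_RE = re.compile(r'^"([a-z]{4,8})"="(.+)"$', re.M)
WORM_PATH_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\\[Ss]ystem32\\[a-z]{4,13}\.exe$')

def suspicious_run_values(reg_text):
    """Return (value name, path) pairs whose name and target both fit the worm pattern."""
    hits = []
    for name, data in RUN_VALUE_RE.findall(reg_text):
        path = data.replace('\\\\', '\\')   # .reg files double every backslash
        if WORM_PATH_RE.match(path):
            hits.append((name, path))
    return hits

def backdoor_listeners(netstat_text, port=1080):
    """Return PIDs owning a TCP listener on `port` (step 7: the worm's proxy backdoor)."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == 'TCP' and fields[3] == 'LISTENING':
            if fields[1].rsplit(':', 1)[1] == str(port):
                pids.append(int(fields[4]))
    return pids

if __name__ == '__main__':
    # A hit on both indicators is a strong sign; either alone still needs a scanner to confirm.
    print('Run values fitting the pattern:', suspicious_run_values(SAMPLE_REG_EXPORT))
    print('PIDs listening on TCP 1080:', backdoor_listeners(SAMPLE_NETSTAT))
```

The legitimate "Updater" entry is not flagged even though its target is a short lowercase .exe in System32, because the value name does not fit the all-lowercase 4-8 letter pattern.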

How to Remove the MyDoom.F virus?

Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects MyDoom.F during a scan, it will automatically offer to delete it; follow the program's instructions to do so.

Follow these steps to remove the MyDoom.F worm.

  1. Disable System Restore (Windows Me/XP).

    For instructions on how to turn off System Restore, read your Windows documentation or the article How to Disable System Restore in Windows ME or Windows XP.

  2. Update the virus definitions. 

    If you do not know which anti-virus software provides strong protection, Kaspersky Internet Security is recommended.

  3. Restart the computer in Safe mode or VGA mode.

  4. Run a full system scan and delete all the files detected as Mydoom.F.

    1) Start Kaspersky Internet Security and make sure that it is configured to scan all files.
    2) Run a full system scan.
    3) If any files are detected as infected with MyDoom.F, click Delete.

  5. Delete the values that were added to the registry.

    • Click Start, and then click Run. (The Run dialog box appears.)

    • Type regedit, and then click OK. (The Registry Editor opens.)

    • Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • In the right pane, delete the value:

      "SystemChecker"="%System%\Syschk.exe"

    • Navigate to the key:

      HKEY_CURRENT_USER

    • In the right pane, delete the value:

      "Cya"

    • Exit the Registry Editor.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of this, you receive a message containing the virus, do not open it and do not run the attached file; delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
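
For the first tip, as an added example not taken from the page, here is a Python attachment filter that applies the delivery characteristics given above: it rejects the listed executable extensions and opens any .zip in memory to check its members, since the worm also mails itself as a .zip archive. The message it builds is constructed with placeholder bytes and made-up addresses, not a real sample.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the write-up lists for the worm (.zip is inspected separately).
BLOCKED_EXT = {'.bat', '.com', '.cmd', '.exe', '.pif', '.scr'}

def _ext(name):
    """Lowercased extension including the dot, or '' when the name has none."""
    return '.' + name.lower().rsplit('.', 1)[-1] if '.' in name else ''

def risky_attachments(raw_message):
    """Return attachment names (or 'archive:member') that fit the worm's delivery pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        ext = _ext(name)
        if ext in BLOCKED_EXT:
            hits.append(name)
        elif ext == '.zip':
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f'{name}:{m}' for m in zf.namelist() if _ext(m) in BLOCKED_EXT]
            except zipfile.BadZipFile:
                hits.append(name)   # an archive that cannot be opened is not let through
    return hits

def build_sample():
    """Constructed message imitating the delivery described above (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('document.scr', b'placeholder, not executable content')
    msg = EmailMessage()
    msg['From'] = 'spoofed.sender@example.com'   # the From: line may be spoofed
    msg['To'] = 'user@example.org'
    msg['Subject'] = 'Error'
    msg.set_content('File cannot be opened. See attachment.')
    msg.add_attachment(buf.getvalue(), maintype='application', subtype='zip', filename='document.zip')
    msg.add_attachment(b'placeholder', maintype='application', subtype='octet-stream', filename='readme.pif')
    msg.add_attachment(b'%PDF-1.4 placeholder', maintype='application', subtype='pdf', filename='invoice.pdf')
    return msg.as_bytes()

if __name__ == '__main__':
    print('Rejected attachments:', risky_attachments(build_sample()))
```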
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.