How to Remove MyDoom or Novarg.A Worm?
What is the MyDoom Worm?

The MyDoom worm appears to be a variant of the MiMail viruses that have traveled the Internet in the last few months. It is a mass-mailing worm that arrives as an email attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

The worm performs a denial of service (DoS) attack against the website www.sco.com. It begins this attack once the system date is February 1, 2004, and has a built-in expiration date of February 12, 2004, when it stops running most of its routines.

This worm runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This trojan component opens TCP ports 3127 through 3198 to allow remote users to access and manipulate infected systems. The backdoor routine has the ability to download and execute arbitrary files.

The worm can also infect through the Kazaa peer-to-peer file sharing network.

It runs on Windows 98, ME, NT, 2000 and XP.

From: <Spoofed email address>

Subject: (any of the following)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi
  • test

Message Body: (any of the following)

  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

Attachment:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

with one of the following suffixes:

  • pif
  • scr
  • exe
  • cmd
  • bat
  • zip
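
The characteristics above are what a mail filter can key on. The following is an added example and not part of the original article: it parses a raw message with Python's standard `email` module and rejects it only when the subject, the body text and the attachment name all come from the lists above. The sample message and its addresses are constructed.

```python
# Added example (not from the original article): a mail-filter rule flagging messages
# that combine the subject, body text and attachment names listed above (sample is constructed).
import email
from email import policy

SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi", "test"}
BODIES = {"the message contains unicode characters and has been sent as a binary attachment.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
          "mail transaction failed. partial message is available.", "test"}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
SUFFIXES = {"pif", "scr", "exe", "cmd", "bat", "zip"}

def attachment_matches(filename):
    if not filename or "." not in filename:
        return False
    base, _, ext = filename.lower().rpartition(".")
    return base in NAMES and ext in SUFFIXES      # e.g. readme.zip, Document.PIF

def mydoom_indicators(raw):
    """Parse one raw message and report which of the three indicators matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    return {
        "subject": (msg["subject"] or "").strip().lower() in SUBJECTS,
        "body": body in BODIES,
        "attachment": any(attachment_matches(p.get_filename()) for p in msg.iter_attachments()),
    }

def should_reject(raw):
    # Require all three so that an ordinary "test" mail without the payload is kept.
    return all(mydoom_indicators(raw).values())

SAMPLE = """\
From: postmaster@example.com
Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The message contains Unicode characters and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="readme.zip"
Content-Disposition: attachment; filename="readme.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

The zip variant carries the executable inside the archive, so the name check is what catches it here; a production filter would also inspect the archive contents.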

How Does Novarg.A or MyDoom.A Worm Infect My System?

When the worm is activated, it performs the following tasks:

  1. Creates the following files:

    • "shimgapi.dll" in %System%
    • "Message" in %temp%. This file is full of random letters and is displayed via Notepad.
    • "taskmon.exe" in %System%. If a copy of taskmon.exe already exists in %System%, it is overwritten and replaced by this copy of the worm.

    The file Shimgapi.dll acts as a proxy server, opening TCP ports in the range 3127 to 3198 for listening. This can potentially allow a hacker to connect to the machine via these ports and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

    Shimgapi.dll is loaded by EXPLORER.EXE via the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

  2. Adds the Startup Entry

    TaskMon = %System%\taskmon.exe

    to the registry keys

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    or
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  3. Starting on February 1, 2004, it can perform a Denial of Service attack against www.sco.com using a direct connection to port 80. It creates 64 threads which send GET requests. The DoS attack continues until February 12, 2004.

  4. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
    and
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

  5. Searches the Windows Address Book and other files with the following file extensions (including in the Temporary Internet Files folder) for email addresses and domain names. It ignores addresses which end in ".edu".

    • .htm
    • .sht
    • .php
    • .asp
    • .dbx
    • .tbb
    • .adb
    • .pl
    • .wab
    • .txt

  6. Adds any of the prefixes below to the obtained domain names for possible SMTP access:

    • mx.
    • mail.
    • smtp.
    • mx1.
    • mxs.
    • mail1.
    • relay.
    • ns.
    • gate.

    It assumes that an SMTP service exists on the resulting host names (e.g. mx.domain_name.com, mail.domain_name.com) and connects to these services via SMTP port 25.

  7. Attempts to send emails using its own SMTP engine. It performs a lookup of the recipient's mail server in order to send. If that is unsuccessful, it uses the local mail server.

    It avoids sending emails to domain names and email addresses that contain certain text strings.

  8. Copies itself to the KaZaA download directory as one of the following files:

    • winamp5
    • icq2004-final
    • activation_crack
    • strip-girl-2.0bdcom_patches
    • rootkitXP
    • office_crack
    • nuke2004

    with a file extension of

    • pif
    • scr
    • bat
    • exe

How to Remove the MyDoom.A or Novarg.A worm?

Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects MyDoom during a scan, it will automatically offer you the option of deleting it; follow the program's instructions to do so.

Follow these steps to remove the worm.

1) Restart your computer in Safe mode by pressing F8 as the computer is booting. The backdoor component attaches itself to Explorer.exe, so restarting in Safe mode makes it easiest to remove.

2) Remove the registry entries
(Deleting the wrong item in the registry can render your computer unbootable. Do not follow these steps unless you have made a backup of the registry or can recover from a corrupted registry.)

  • Click on Start, Run, Regedit
  • In the left panel go to the following keys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • In the right panel, right-click and delete the following entry

    "Taskmon"="%System%\taskmon.exe"

  • In the left panel go to the following keys and delete them

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

  • In the left panel go to the following key

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

  • In the right pane, the worm has set the (Default) value to the entry shown below. Modify it back to the original value for your operating system:

    (Default) = "%System%\shimgapi.dll"


3) Delete the infected files (for Windows ME and XP you may have to disable System Restore to remove infected backed-up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS\SYSTEM).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    shimgapi.dll (in the Windows\System folder)
    taskmon.exe (in the Windows\System folder)

    ** Note: DO NOT DELETE ANY INSTANCE OF TASKMON.EXE IN THE NORMAL WINDOWS FOLDER

  • Click Find Now or Search Now.
  • Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program. If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

  1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with MyDoom.B, click Delete.
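
Before anything is deleted in step 2, the registry indicators from the infection steps and the removal steps can be checked against a Regedit export (.reg file) of the keys involved. The following is an added example and not part of the original article: the exported text is constructed (a real export is UTF-16 and should be read with `encoding="utf-16"` before being passed in), and the only real values in it are the key paths, value names and file names the article itself lists; it also shows the caveat from step 3, that a TaskMon entry pointing into the Windows folder rather than %System% is left alone.

```python
# Added example (not from the original article): scan a Windows registry export
# (.reg text) for the persistence indicators listed above. The export below is
# constructed; only the key paths, value names and file names come from the article.
import re

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"\software\microsoft\windows\currentversion\explorer\comdlg32\version"
CLSID_KEY = r"hkey_classes_root\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"
# taskmon.exe is suspicious only inside %System% (SYSTEM or System32); Windows 9x
# keeps a legitimate TaskMon in the Windows folder itself.
TASKMON_IN_SYSTEM = re.compile(r"\\system(32)?\\taskmon\.exe$")
VALUE_LINE = re.compile(r'^(@|"([^"]*)")=(?:"(.*)"|(.*))$')   # "name"="data" or @="data"

def scan_reg_export(text):
    """Return (key, value_name, data) per matching line; a marker key alone is (key, None, None)."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().endswith(MARKER_KEY):
                findings.append((key, None, None))       # infection marker key exists
            continue
        m = VALUE_LINE.match(line)
        if key is None or m is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        raw = m.group(3) if m.group(3) is not None else m.group(4)
        data = raw.replace("\\\\", "\\")                 # .reg files double backslashes
        low_key, low = key.lower(), data.lower()
        if low_key.endswith(RUN_KEY) and TASKMON_IN_SYSTEM.search(low):
            findings.append((key, name, data))           # TaskMon autostart entry
        elif low_key == CLSID_KEY and low.endswith("\\shimgapi.dll"):
            findings.append((key, name, data))           # Explorer loads the backdoor DLL
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"""

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):   # the HKLM TaskMonitor entry is not reported
        print(finding)
```
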
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of this, you receive a message that contains the virus, do not open it and do not run the attached file; delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.