|
What
is the MyDoom.B Worm?
The MyDoom.B is a
variation of the original MyDoom.A worm released
on January 26, 2004. It spoofs the FROM address
of its messages so that they appear to be sent
from another email address rather than the actual
infected machine and user. It also travels via
the Kazaa peer-to-peer file sharing network. The
mass mailing worm arrives as an attachment with a
file extension of .bat, .cmd, .exe, .pif, .scr,
or .zip.
The worm performs a
denial of service attack against www.sco.com. It
will begin this attack if the system date is
February 1, 2004 and has a built-in expiration
date of March 1, 2004 when it will stop running
most of its routines. When the system date is
February 3, 2004 it begins a DoS attack against
www.microsoft.com
Like its earlier
variant, this worm also has a backdoor component.
This worm runs a
backdoor component, which it drops as the file
CTFMON.DLL. This trojan component allows remote
users to access and manipulate infected systems.
The backdoor routine has the ability to download
and execute arbitrary files.
It runs on Windows
98, ME, NT, 2000 and XP.
From:
<Spoofed email address>
Subject: (any
of the following)
- Error
- Status
- Server Report
- Mail Transaction
Failed
- Mail Delivery
System
- hello
- hi
- Delivery Error
- Unable to deliver
the message
Message Body:
(any of the following)
- The message
contains Unicode characters and has been sent
as a binary attachment.
- The message
cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
- Mail transaction
failed. Partial message is available.
- Error #804
occured during SMTP session. Partial message
has been received.
- The message
contains MIME-encoded graphics and has been
sent as a binary attachment.
- test
- sendmail daemon
reported:Error #804 occured during SMTP
session. Partial message has been received.
- <blank message
body>
- <garbage strings>
Attachment:
- body
- doc
- test
- document
- data
- file
- readme
- message
with one of
the following suffixes:
How
Does MyDoom.B Worm Infect My System?
When the worm is
activated, it performs the following tasks:
- Creates the
following files:
The file
ctfmon.dll acts as a proxy server that
can potentially allow a hacker to connect to
the machine via and utilize it as a proxy to
gain access to it's network resources. In
addition, the backdoor has the ability to
download and execute arbitrary files.
CTFMON.DLL is
loaded by EXPLORER.EXE via the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
InProcServer32
(Default) = %System%\ctfmon.dll
- Adds the Startup
Entry
Explorer = %System%\explorer.exe
to the registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Starting on
February 1, 2004 it can perform a Denial of
Service against www.sco.com. On February 3,
2004 it also starts a DoS attack on
www.microsoft.com . The DoS attack will
continue until March 1, 2004.
This malware also
overwrites the HOSTS file to prevent the
infected users from accessing the following
sites:
-
ad.doubleclick.net
-
ad.fastclick.net
-
ads.fastclick.net
- ar.atwola.com
- atdmt.com
- avp.ch
- avp.com
- avp.ru
- awaps.net
-
banner.fastclick.net
-
banners.fastclick.net
- ca.com
- click.atdmt.com
-
clicks.atdmt.com
-
dispatch.mcafee.com
-
download.mcafee.com
-
download.microsoft.com
-
downloads.microsoft.com
-
engine.awaps.net
- fastclick.net
- f-secure.com
-
ftp.f-secure.com
- ftp.sophos.com
-
go.microsoft.com
-
liveupdate.symantec.com
- mast.mcafee.com
- mcafee.com
-
media.fastclick.net
-
msdn.microsoft.com
- ......
However, if the
system date is greater than or equal to
February 3, 2004, it does not add the line
"0.0.0.0 www.microsoft.com" to the HOSTS file
so that it may perform its DoS attack on this
website.
- Creates the
following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\Version
- Searches the
Windows Address book (including in the
Temporary Internet Files folder) for email
addresses and domain names.
- Attempts to send
emails by using its own SMTP engine.
- This virus checks
all running process in the infected system and
searches for the presence of its mother
variant, WORM_MYDOOM.A. It terminates all
processes that runs the module SHIMGAPI.DLL or
if the process name is TASKMON.EXE.
- Then, it drops a
copy of itself in the Kazaa shared folder with
a file name that starts from any of the
following:
- NessusScan_pro
- attackXP-1.26
- winamp5
- MS04-01_hotfix
- zapSetup_40_148
-
BlackIce_Firewall_Enterpriseactivation_crack
- xsharez_scanner
- icq2004-final
How to Remove the MyDoom.B virus?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects MyDoom.B during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps
in removing the MyDoom.B worm.
1) Restart your
Computer in Safe mode by pressing F8 as the
computer is booting. The backdoor component
attaches itself to the Explorer.exe file, so
restarting in Safe mode should allow you to
remove it the easiest.
2) Remove the
Registry entries
(deleting the wrong item in
the registry can render your computer unbootable,
do not follow these steps unless you have made a
backup of the registry or can recover from a
corrupted registry)
- Click on Start,
Run, Regedit
- In the left panel
go to the following keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- In the right
panel, right-click and delete the following
entry
"Explorer = %System%\explorer.exe"
- In the left panel
go to the following keys and delete them
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
- In the left panel go to the following key
HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}>
InProcServer32
- In the right
pane, modify the value as follows, depending on
your operating system:
(Default) = "%System%\ctfmon.dll"
3) Delete the
infected files (for Windows ME and
XP you may have to
disable system restore to remove infected
backed up files as well)
4) Reboot the
computer and run a thorough virus scan using your
favorite antivirus program. If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
MyDoom.B,
click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
| 
