What is the MyDoom.H Worm?

The MyDoom.H worm:

• Is a mass-mailing worm that opens a backdoor on TCP ports 80 and 1080.
• Can download and execute arbitrary files.
• Performs a Denial of Service (DoS) against www.symantec.com.

Also known as: W32/MyDoom.H@MM, WORM_MyDoom.H, W32/MyDoom-H, I-Worm.MyDoom.H, Win32.MyDoom.H

How Does MyDoom.H Worm Infect My System?

1. Creates a mutex, "<string>theta," where <string> is a function of an infected computer's name. This allows only one instance of the worm to execute in memory.
   
   
2. May create a file in the %Temp% folder that contains randomly generated data. The worm opens the file with Notepad.exe.
   
   
3. Creates two files in the %System% folder:
   • <random>.exe or <random>.scr: A copy of the worm executable.
   • <random>.dll: A .dll file that implements the worm's backdoor functionality
     
     where <random> represents the file names, which are randomly generated and consist of one upper- or lower-case letter, followed by a varying number of lower-case letters. For example: Abcde.dll or fghi.exe.
     
     
4. Opens a backdoor listening on TCP ports 80 and 1080, using the .dll component, which acts as a proxy server and can also download and execute the arbitrary files.
   
   
5. Terminates numerous processes and attempts to delete the associated files. The worm targets the processes and files that antivirus software uses, and some associated with other worms.
   
   The worm terminates the following processes by name:
   
   • adaware.exe
   • alevir.exe
   • arr.exe
   • au.exe
   • backweb.exe
   • bargains.exe
   • belt.exe
   • blss.exe
   • bootconf.exe
   • bpc.exe
   • brasil.exe
   • bundle.exe
   • bvt.exe
   • cfd.exe
   • cmd32.exe
   • ......
     
     
     and any processes containing the following strings:
     
   • avpupd
   • avwupd
   • beagle
   • click
   • ......
     
     
6. Iterates through all the drives (hard drive, remote drive, or RAM drive), C through Z, and does one of the following:
   • Creates randomly named copies of itself as a .exe file in randomly selected folders.
   • Creates .zip archive files using randomly generated file names.
     
     
7. Adds the value:
   
   "<random lowercase letters>" = "%System%\<the filename of the worm>"
   
   to one of these registry keys:
   
   • HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run
   • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     
     so that the worm runs when you restart Windows.
     
     
8. Adds the value:
   
   "(Default)" = "%System%\<random dll filename>.dll"
   
   to the registry keys:
   
   • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
     InprocServer32
   • HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\
     InprocServer32
     
     so that Explorer.exe loads the backdoor dll.
     
     
9. Checks for the existence of the file, C:\Feedlist. The DoS is performed by creating between 8-80 new threads that send GET requests and use a direct connection to port 80. There is no cut-off date for the DoS.
   
   
10. Searches drives C to Z for the files with the following extensions:
    
    • .avi
    • .doc
    • .jpg
    • .mp3
    • .mp4
    • .wav
    • .wma
    • .xls
      
      The worm creates new copies of itself, using the file names it finds, plus a .exe or .scr extension.
      
      For example, if it finds a file named "file.doc," it may copy itself as "file.doc.exe." In addition, it may overwrite some .pif files.
      
      
11. Searches drives C to Z for the files that have the following extensions, and for any files whose names contain "Inbox:"
    
    • .adb
    • .asp
    • .dbx
    • .eml
    • .htm
    • .mbx
    • .mht
    • .mmf
    • .msg
    • .nch
    • .php
    • .rtf
    • .sht
    • .tbb
    • .txt
    • .uin
    • .wab
      
      If the drive is a hard drive or RAM drive, the worm will retrieve the email addresses from the files it finds.
      
      
12. Retrieves the email addresses from the %Temporary Internet Files% folder and the Windows address book.
    
    
13. The worm avoids the email addresses that contain certain strings, including:
    
    • berkeley
    • bsd
    • example.com
    • fsf.
    • gnu.
    • google.
    • ibm.com
    • isc.org
    • isi.edu
    • kernel.
    • mit.edu
    • mozilla.
    • packetstorm
    • rfc-edit
    • rutgers.edu
    • secur
    • sendmail.
    • sf.net
    • slashdot.
    • sourceforge
    • stanford.edu
    • uci.edu
    • ucsd.edu
    • unix
    • urlon
    • ymante
      
      
14. Uses its own engine to send itself, or its .zip archive, to the email addresses it finds. The email has the following characteristics:
    
              From: (The senders name may be one of the following)
    
    • alex
    • bill
    • bob
    • ......
      
      
      with one of the following domains:
      
    • aol.com
    • msn.com
    • yahoo.com
    • hotmail.com
    • <random characters>.edu
      
      
      Subject: (One of the following)
    • <blank>
    • :)
    • :-)
    • Address verification
    • Alert
    • ......
      
      
      Message: (One of the following)
    • Details are in the attached document
    • Full message is in the attached documen
    • Here is the document
    • ......
      
      
      Attachment: (The attachment name is randomly constructed. The base file name is selected from the following.)
      
    • AttachedDocument
    • AttachedFile
    • Document
    • ......
      
      
      The file extension is selected from the following:
      
    • exe
    • scr
    • pif
    • cmd
    • bat
    • com
    • zip
      
      The file name may include random numbers: For example, "readme4859.scr." The attachment may have two extensions, as with previous variants of Mydoom.

How to Remove the MyDoom.H virus?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects MyDoom.H during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the MyDoom.H worm.

1. Disable System Restore (Windows Me/XP).
   
   For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to Disable System Restore in Windows ME or Windows XP.
   
   
2. Update the virus definitions. 
   
   If you do not know which anti-virus software can provide strong protection for you Kaspersky Internet Security is recommended.
   
   
3. Restart the computer in Safe mode or VGA mode.
   
   
4. Run a full system scan and delete all the files detected as MyDoom.H.
   
   1) Start your Kaspersky Internet Security and make sure that it is configured to scan all the files; 2) Run a full system scan; 3) If any files are detected as infected with MyDoom.H, click Delete.
   
   
5. Delete the values that were added to the registry.


1. Click Start, and then click Run. (The Run dialog box appears.)
   
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to each of these keys:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value that the worm added:
   
   "<random, lowercase letters>" = "%System%\<the filename of the worm>"
   
   
5. Exit the Registry Editor.
   
6. Reregistering the Windows .dll files
   This will remove the registry modifications responsible for loading the backdoor .dll file and restore the default settings.
   
   1. Click Start, and then click Run. (The Run dialog box appears.)
   2. Type, or copy and paste, the following text:
      
      regsvr32 webcheck.dll
      
      
   3. Click OK. When you see the message, "DllRegisterServer in webcheck.dll succeeded," click OK.
   4. Click Start, and then click Run.
   5. Type, or copy and paste, the following text:
      
      regsvr32 stobject.dll
      
      
   6. Click OK. When you see the message, "DllRegisterServer in stobject.dll succeeded," click OK.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Do you think this website is useful? Help us to keep the site growing.

Detect and Removal Instruction for Other Variants: