What is the MyDoom.B Worm?
MyDoom.B is a variant of the original MyDoom.A worm, which was released on January 26, 2004. It spoofs the FROM address of its messages so that they appear to come from another email address rather than from the actual infected machine and user; because of this, the apparent sender of a MyDoom.B message is usually not infected, and bounces and complaints land on an innocent third party. It also spreads via the Kazaa peer-to-peer file sharing network. The mass-mailing worm arrives as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.
The worm performs a denial of service attack against www.sco.com. It begins this attack when the system date reaches February 1, 2004, and it has a built-in expiration date of March 1, 2004, after which it stops running most of its routines. When the system date reaches February 3, 2004, it also begins a DoS attack against www.microsoft.com.
Like its earlier variant, this worm also has a backdoor component, which it drops as the file CTFMON.DLL. This trojan component allows remote users to access and manipulate infected systems, and the backdoor routine can download and execute arbitrary files.
The worm runs on Windows 98, ME, NT, 2000 and XP.
From: <Spoofed email address>
Subject: (any of the following)
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
- Delivery Error
- Unable to deliver the message
Message Body: (any of the following)
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- Error #804 occured during SMTP session. Partial message has been received.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
- test
- sendmail daemon reported:Error #804 occured during SMTP session. Partial message has been received.
- <blank message body>
- <garbage strings>
Attachment: (any of the following names)
- body
- doc
- test
- document
- data
- file
- readme
- message
with one of the suffixes listed above (.bat, .cmd, .exe, .pif, .scr, or .zip).
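The lure above is regular enough to match mechanically. The following is an added example, not code from the original page: a Python scorer built on the standard library's email parser that checks a message's subject, body and attachment names against the lists above. The message it scores is constructed for the demonstration, the point weighting is this example's own choice rather than anything the page specifies, and the function names are its own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the lure description above.
LURE_SUBJECTS = {
    "error", "status", "server report", "mail transaction failed",
    "mail delivery system", "hello", "hi", "delivery error",
    "unable to deliver the message",
}
LURE_BODY_PHRASES = (
    "has been sent as a binary attachment",
    "partial message",
    "error #804",
    "sendmail daemon reported",
)
LURE_ATTACHMENT_STEMS = {
    "body", "doc", "test", "document", "data", "file", "readme", "message",
}
LURE_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def attachment_names(msg):
    """Return the filenames of all non-multipart parts that carry one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def score_mydoom_b_lure(raw):
    """Score a raw RFC 822 message string against the lure profile.

    Returns (score, reasons). Weighting is this example's own choice: one point
    per matching indicator class, two points for an attachment whose basename
    AND extension both match, since that pairing is the most specific signal.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        score += 1
        reasons.append(f"subject matches lure list: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = [p for p in LURE_BODY_PHRASES if p in body]
    if hits:
        score += 1
        reasons.append("body matches: " + ", ".join(hits))

    for name in attachment_names(msg):
        stem, dot, ext = name.lower().rpartition(".")
        ext_ok = bool(dot) and ("." + ext) in LURE_EXTENSIONS
        if ext_ok and stem in LURE_ATTACHMENT_STEMS:
            score += 2
            reasons.append(f"attachment {name!r}: lure basename with dangerous extension")
        elif ext_ok:
            score += 1
            reasons.append(f"attachment {name!r}: dangerous extension")
    return score, reasons


def build_message(subject, body, filename, payload=b"MZ\x90\x00"):
    """Construct a test message with one binary attachment (constructed data, not a capture)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # forged, as the worm does
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    lure = build_message("Mail Transaction Failed",
                         "Mail transaction failed. Partial message is available.\n",
                         "document.zip")
    print(score_mydoom_b_lure(lure))
```

A score of 3 or more only occurs when the attachment name itself matches the profile or when both a lure subject and a lure body phrase are present, so that threshold is a reasonable quarantine line; a bare dangerous extension alone scores 1 and should go to the generic attachment policy instead.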
How Does the MyDoom.B Worm Infect My System?
When the worm is activated, it performs the following tasks:
- Creates the following files:
- "CTFMON.DLL" in %System%
- "explorer.exe" in %System%
The file CTFMON.DLL acts as a proxy server that can allow an attacker to connect to the machine and use it as a proxy to reach its network resources. In addition, the backdoor can download and execute arbitrary files. Note that %System% is the Windows System folder (System32 on NT-based systems); the legitimate Windows shell explorer.exe lives in the Windows folder itself, so an explorer.exe inside %System% is the worm's copy.
CTFMON.DLL is loaded by EXPLORER.EXE via the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) = %System%\ctfmon.dll
Because this CLSID belongs to a COM object that Explorer instantiates, pointing its InProcServer32 path at the worm's DLL gets that DLL loaded into Explorer's process without a Run entry of its own.
- Adds the startup entry
Explorer = %System%\explorer.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Starting on February 1, 2004 it performs a denial of service attack against www.sco.com. On February 3, 2004 it also starts a DoS attack on www.microsoft.com. The DoS attacks continue until March 1, 2004.
This malware also overwrites the HOSTS file to prevent infected users from accessing the following sites (antivirus vendors, Microsoft download and update sites, and a handful of ad networks):
- ad.doubleclick.net
- ad.fastclick.net
- ads.fastclick.net
- ar.atwola.com
- atdmt.com
- avp.ch
- avp.com
- avp.ru
- awaps.net
- banner.fastclick.net
- banners.fastclick.net
- ca.com
- click.atdmt.com
- clicks.atdmt.com
- dispatch.mcafee.com
- download.mcafee.com
- download.microsoft.com
- downloads.microsoft.com
- engine.awaps.net
- fastclick.net
- f-secure.com
- ftp.f-secure.com
- ftp.sophos.com
- go.microsoft.com
- liveupdate.symantec.com
- mast.mcafee.com
- mcafee.com
- media.fastclick.net
- msdn.microsoft.com
- my-etrust.com
- nai.com
- networkassociates.com
- office.microsoft.com
- phx.corporate-ir.net
- secure.nai.com
- securityresponse.symantec.com
- service1.symantec.com
- sophos.com
- spd.atdmt.com
- support.microsoft.com
- symantec.com
- update.symantec.com
- updates.symantec.com
- us.mcafee.com
- vil.nai.com
- viruslist.ru
- windowsupdate.microsoft.com
- www.avp.ch
- www.avp.com
- www.avp.ru
- www.awaps.net
- www.ca.com
- www.fastclick.net
- www.f-secure.com
- www.kaspersky.ru
- www.mcafee.com
- www.microsoft.com
- www.my-etrust.com
- www.nai.com
- www.networkassociates.com
- www.sophos.com
- www.symantec.com
- www.trendmicro.com
- www.viruslist.ru
- www3.ca.com
However, if the system date is February 3, 2004 or later, it does not add the line "0.0.0.0 www.microsoft.com" to the HOSTS file, so that it can still resolve that site and perform its DoS attack on it. An untouched www.microsoft.com entry is therefore not evidence that the HOSTS file is clean; check the rest of the list.
- Creates
the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\Version
- Searches
the Windows Address book (including in the Temporary Internet Files
folder) for email addresses and domain names.
- Attempts
to send emails by using its own SMTP engine.
- This worm checks all running processes on the infected system for the presence of its parent variant, WORM_MYDOOM.A. It terminates any process that has loaded the module SHIMGAPI.DLL or whose process name is TASKMON.EXE.
- It then drops a copy of itself in the Kazaa shared folder with a file name that starts with any of the following:
- NessusScan_pro
- attackXP-1.26
- winamp5
- MS04-01_hotfix
- zapSetup_40_148
- BlackIce_Firewall_Enterpriseactivation_crack
- xsharez_scanner
- icq2004-final
How Can I Remove the MyDoom.B Virus?
Follow these steps to remove the MyDoom.B worm.
1) Restart your computer in Safe mode by pressing F8 as the computer is booting. The backdoor component is loaded into Explorer.exe through the COM registry entry below, so restarting in Safe mode is the easiest way to make sure the DLL is not in use while you remove it.
2) Remove the registry entries (deleting the wrong item in the registry can render your computer unbootable; do not follow these steps unless you have made a backup of the registry or can recover from a corrupted registry)
- Click on Start, Run, Regedit
- In the left panel go to the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- In the right panel, right-click and delete the following entry
"Explorer = %System%\explorer.exe"
(This launches the worm's copy in the System folder. The real Windows shell lives in the Windows folder itself and is not started from the Run key, so nothing legitimate is lost.)
- In the left panel go to the following keys and delete them
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
- In the left panel go to the following key
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
- In the right pane, the worm has changed the (Default) value to
"%System%\ctfmon.dll"
Modify it back to the DLL that Windows originally registers for this class on your operating system (take the path from your registry backup or from a clean machine running the same Windows version). Do not leave it pointing at ctfmon.dll, and do not delete the key itself.
3) Delete the infected files: %System%\ctfmon.dll and %System%\explorer.exe, plus any copies in the Kazaa shared folder using the names listed above. Do not delete ctfmon.exe (a legitimate Windows component) or the explorer.exe in the Windows folder. For Windows ME and XP you may have to disable System Restore to remove infected backed-up copies as well.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program or the online scan at
http://housecall.antivirus.com
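To verify the registry indicators from the infection description above and to confirm that step 2 of the removal actually took, the following added example, not code from the original page, checks the Run entry, the hijacked InProcServer32 default and the two ComDlg32\Version marker keys. On Windows it reads the live registry through the standard winreg module; elsewhere it runs against a constructed snapshot, which is what the embedded sample is. The snapshot contents, the concrete C:\WINDOWS\system32 path and the function names are this example's assumptions.

```python
import ntpath
import os
import sys

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_INPROC = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                r"\InProcServer32")
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
)


def snapshot_reader(snapshot):
    """Reader over a dict {key_path: {value_name: data}}; "" names the (Default) value."""
    def read(key, name):
        return snapshot.get(key, {}).get(name)   # None when key or value is absent
    def exists(key):
        return key in snapshot
    return read, exists


def live_reader():
    """Reader over the live registry (Windows only; winreg does not exist elsewhere)."""
    import winreg
    hives = {
        "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
        "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
        "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
    }
    def _open(key):
        hive, _, sub = key.partition("\\")
        return winreg.OpenKey(hives[hive], sub)
    def read(key, name):
        try:
            with _open(key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None
    def exists(key):
        try:
            with _open(key):
                return True
        except OSError:
            return False
    return read, exists


def check_indicators(read, exists, system_dir):
    """Return a list of findings for the persistence entries described above.

    system_dir is the %System% folder. The legitimate explorer.exe lives in the
    Windows folder, so a Run entry launching explorer.exe from %System% is the
    worm's copy, not the shell.
    """
    findings = []
    run_val = read(RUN_KEY, "Explorer")
    if run_val:
        path = ntpath.normcase(str(run_val).strip('"'))
        if (ntpath.basename(path) == "explorer.exe"
                and ntpath.dirname(path) == ntpath.normcase(system_dir)):
            findings.append(f"Run entry Explorer = {run_val} (explorer.exe under %System%)")
    inproc = read(CLSID_INPROC, "")
    if inproc and ntpath.basename(ntpath.normcase(str(inproc))) == "ctfmon.dll":
        findings.append(f"InProcServer32 default hijacked: {inproc}")
    for key in MARKER_KEYS:
        if exists(key):
            findings.append(f"infection marker key present: {key}")
    return findings


# Constructed snapshot of an infected XP machine (not a real capture).
INFECTED_SNAPSHOT = {
    RUN_KEY: {"Explorer": r"C:\WINDOWS\system32\explorer.exe"},
    CLSID_INPROC: {"": r"C:\WINDOWS\system32\ctfmon.dll"},
    MARKER_KEYS[0]: {},
    MARKER_KEYS[1]: {},
}

if __name__ == "__main__":
    if sys.platform == "win32":
        read, exists = live_reader()
        system_dir = os.path.join(os.environ["SystemRoot"], "system32")
    else:
        read, exists = snapshot_reader(INFECTED_SNAPSHOT)
        system_dir = r"C:\WINDOWS\system32"
    for finding in check_indicators(read, exists, system_dir):
        print("FOUND:", finding)
```

Run it once before the removal to confirm the machine matches this write-up, and once after the reboot in step 4; an empty result is what a successful clean-up looks like. The check keys on where explorer.exe is launched from rather than on the value name alone, so a Run entry that happens to be called Explorer but points into the Windows folder is not reported.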