EMERGENCY ALERT: Many reports of W32/MyDoom-A worm
If you have been infected with this worm, Click Here to obtain the removal tool from Symantec.
Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected.
Close all the running programs before running the tool.
If you are on a network, or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
If you are running Windows Me or XP, then disable System Restore.
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
What You Should Know About the Mydoom Worm Variants: Mydoom.A, Mydoom.B, and Mydoom.C (a.k.a. Doomjuice)
Published: January 27, 2004 | Updated: February 10, 2004 - 1:30 P.M. Pacific Time
Important New Information
A new variant of the Mydoom worm, known as Mydoom.C (or Doomjuice), was detected on the Internet on February 9. Currently spreading to computers that were already infected with Mydoom.A, Mydoom.C causes computers to be used in attacks against other computers on the Internet. Infection by Mydoom.C can degrade both computer performance and network connections.
If you suspect that you have this worm, or just want to be sure you do not, click here and scroll down to the utility that Microsoft has provided to "Automatically Check Your PC for Infection". Click the "Check my PC for infection" button and it will scan your machine for all known variants of MyDoom.
If your machine is infected, there is a link just below the utility that provides instructions for removal and a link to the removal tool.
Sophos has received many reports of sightings of the new email-aware W32/MyDoom-A worm, and is warning system administrators around the world to ensure their systems are protected.
A detailed analysis of W32/MyDoom-A is available at:
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
Aliases
Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM
Type
Win32 worm
W32/MyDoom-A is a worm which travels by email. The worm harvests email addresses from your hard disk and uses randomly-chosen addresses for both the "to" and "from" fields. This means that the "from" address is spoofed and does not tell you where the mail really came from.
W32/MyDoom-A arrives in emails with the following characteristics:
Subject lines include:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]
Attachment names include:
body
data
doc
document
file
message
readme
test
[random collection of characters]
Attachment extensions:
bat
cmd
exe
pif
scr
zip
W32/MyDoom-A attaches itself to emails in either EXE (Windows program) or ZIP (Zip archive) format.
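As an added example (not part of the Sophos advisory or any vendor tool), the mail traits listed above can be turned into a gateway triage check. The function names, verdict labels and sample messages are assumptions constructed for illustration; the sender address is ignored because the worm spoofs it.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Indicator lists copied from the advisory text above.
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test"}
EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def triage(raw: str) -> dict:
    """Score one raw message against the listed W32/MyDoom-A mail traits."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() in SUBJECTS
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        stem, ext = os.path.splitext(filename.strip().lower())
        if ext.lstrip(".") in EXTENSIONS:
            hits.append({"filename": filename, "known_name": stem in NAMES})
    # Subjects and names can be random, so a listed extension alone still
    # earns a review; all three traits together earn a quarantine.
    if not hits:
        verdict = "pass"
    elif subject_hit and any(h["known_name"] for h in hits):
        verdict = "quarantine"
    else:
        verdict = "review"
    return {"verdict": verdict, "subject_hit": subject_hit, "attachments": hits}


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message (hypothetical addresses, placeholder bytes)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in [("Mail Transaction Failed", "document.pif"),
                       ("Quarterly numbers", "report.zip"),
                       ("hello", "notes.txt")]:
        print(subj, name, triage(build_sample(subj, name))["verdict"])
```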
W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.
W32/MyDoom-A adds the value:
Taskmon = taskmon.exe
to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/MyDoom-A loads every time you log on to your computer.
Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack