
EMERGENCY ALERT: Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM, Win32.MMa

#1 ·
EMERGENCY ALERT: Many reports of W32/MyDoom-A worm

If you have been infected with this worm, Click Here to obtain the removal tool from Symantec.

Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected.
Close all the running programs before running the tool.
If you are on a network, or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
If you are running Windows Me or XP, then disable System Restore.


"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

What You Should Know About the Mydoom Worm Variants: Mydoom.A, Mydoom.B, and Mydoom.C (a.k.a. Doomjuice)
Published: January 27, 2004 | Updated: February 10, 2004 - 1:30 P.M. Pacific Time

Important New Information
A new variant of the Mydoom worm, known as Mydoom.C (or Doomjuice), was detected on the Internet on February 9. Currently spreading to computers that were already infected with Mydoom.A, Mydoom.C causes computers to be used in attacks against other computers on the Internet. Infection by Mydoom.C can degrade both computer performance and network connections.

If you suspect that you have this worm or just want to be sure you do not, click here and scroll down to the utility that Microsoft has provided to "Automatically Check Your PC for Infection" and click the "Check my PC for infection" button and it will scan your machine for all known variants of MyDoom.

If your machine is infected there is a link just below the utility that provides instructions for removal and a link to the removal tool.


Sophos has received many reports of sightings of the new email-aware W32/MyDoom-A worm, and is warning system administrators around the world to ensure their systems are protected.

A detailed analysis of W32/MyDoom-A is available at:
http://www.sophos.com/virusinfo/analyses/w32mydooma.html

Aliases
Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM

Type
Win32 worm

W32/MyDoom-A is a worm which travels by email. The worm harvests email addresses from your hard disk and uses randomly-chosen addresses for both the "to" and "from" fields. This means that the "from" address is spoofed and does not tell you where the mail really came from.
W32/MyDoom-A arrives in emails with the following characteristics:

Subject lines include:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Attachment names include:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attachment extensions:
bat
cmd
exe
pif
scr
zip

W32/MyDoom-A attaches itself to emails in either EXE (Windows program) or ZIP (Zip archive) format.

W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

W32/MyDoom-A adds the value:

Taskmon = taskmon.exe

to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/MyDoom-A loads every time you log on to your computer.

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack
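
As an added worked example (not part of the original post, and not Sophos', Symantec's or Microsoft's tool): the host indicators from the Sophos description above, evaluated over an inventory typed in by hand from the machine under examination. The indicator values (taskmon.exe and shimgapi.dll in the System folder, the Taskmon value under the Run key, a listener on TCP port 3127) are taken from the post; the inventory layout, the function names, the verdict rule and the two sample machines are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Host indicators for W32/MyDoom-A, transcribed from the Sophos description in the post above.
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}   # both are dropped into the System folder
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "taskmon"                         # the value "Taskmon = taskmon.exe"
BACKDOOR_PORT = 3127                               # shimgapi.dll accepts connections here


@dataclass
class HostInventory:
    """Facts copied by hand from a machine (an assumed layout for this example)."""
    system_dir: str                                   # Windows System folder, e.g. C:\WINNT\system32
    files: dict = field(default_factory=dict)         # full path -> size in bytes
    run_values: dict = field(default_factory=dict)    # (registry key, value name) -> value data
    listening_tcp: set = field(default_factory=set)   # local TCP ports in LISTENING state


def _split_path(path):
    """Split a Windows path into (lower-cased folder, lower-cased file name)."""
    folder, _, name = path.rpartition("\\")
    return folder.rstrip("\\").lower(), name.lower()


def assess_host(inv):
    """Return the list of indicator matches for one machine; empty means nothing was found."""
    findings = []
    sysdir = inv.system_dir.rstrip("\\").lower()

    # 1. Dropped files. Only the System folder counts: Windows 95/98/Me ship a legitimate
    #    taskmon.exe (Task Monitor) in the Windows folder itself, so matching on the bare
    #    file name would raise a false positive on those systems.
    for path, size in inv.files.items():
        folder, name = _split_path(path)
        if folder == sysdir and name in DROPPED_FILES:
            findings.append(f"dropped file {path} ({size} bytes)")

    # 2. Persistence: the Run value that restarts the worm at every logon.
    for (key, name), data in inv.run_values.items():
        if (key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE_NAME
                and _split_path(data)[1] == "taskmon.exe"):
            findings.append(f"Run value {name} = {data} under {key}")

    # 3. Backdoor: something listening on the port shimgapi.dll uses.
    if BACKDOOR_PORT in inv.listening_tcp:
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (shimgapi.dll backdoor)")

    return findings


def verdict(inv):
    """'infected' when the worm's own file or Run value is present, 'suspicious' when only
    the backdoor port is open (another program may own it), otherwise 'clean'."""
    findings = assess_host(inv)
    if any(f.startswith(("dropped file", "Run value")) for f in findings):
        return "infected"
    return "suspicious" if findings else "clean"


# Constructed sample: a Windows 2000 machine in the shape of the Ad-Aware hit reported later
# in this thread (shimgapi.dll in C:\WINNT\system32). File sizes are invented.
INFECTED = HostInventory(
    system_dir=r"C:\WINNT\system32",
    files={r"C:\WINNT\system32\taskmon.exe": 22528,
           r"C:\WINNT\system32\shimgapi.dll": 4096,
           r"C:\WINNT\system32\kernel32.dll": 731920},
    run_values={(RUN_KEY, "Taskmon"): "taskmon.exe"},
    listening_tcp={135, 139, 445, 3127},
)

# Constructed sample: a clean Windows 98 machine with its legitimate Task Monitor.
CLEAN = HostInventory(
    system_dir=r"C:\WINDOWS\SYSTEM",
    files={r"C:\WINDOWS\taskmon.exe": 28672,
           r"C:\WINDOWS\SYSTEM\kernel32.dll": 471040},
    run_values={(RUN_KEY, "TaskMonitor"): r"C:\WINDOWS\taskmon.exe"},
    listening_tcp={139},
)

if __name__ == "__main__":
    for label, inv in (("infected sample", INFECTED), ("clean sample", CLEAN)):
        print(label, "->", verdict(inv))
        for f in assess_host(inv):
            print("   ", f)
```

The inputs are what you would read off the machine with a directory listing of the System folder, the Run key in Regedit, and netstat -an for listening ports; the sample sizes and the extra files are constructed. Treating the Run value alone as proof of infection is this example's choice, as is downgrading a lone listener on 3127 to "suspicious".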
 
#4 ·
Yeah, when I first got that email about this I didn't realize it was the same as Win32.MMail.A. I'm sure we'll be seeing it pop up a lot here.

I'm curious to see if Adaware thoroughly removes it. I'm sure it will. :)
 
#6 ·
I just got this from SWI:

SWI Readers,

There is a widespread outbreak of the WORM_MIMAIL.R email worm.

This worm is spoofing the sender's email address. If you receive one of these emails, the person in the FROM: address is NOT the person who sent it to you.

If you are running an email server with antivirus software that bounces virus infected emails, FOR GOD'S SAKE STOP BOUNCING THEM! You are participating in a denial of service attack by bouncing viruses at people who are not infected. You could even infect them yourself! STOP BOUNCING THEM!

If you receive an email like the one described below, DON'T OPEN IT! Delete it immediately, update your antivirus program and scan. If you don't have an antivirus, get one.
http://www.nod32.com/ Nod32 $39.00 (The best AV available)
http://www.grisoft.com/ AVG Free (Good enough for the price)

Description From Trendmicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

A new variant of the MIMAIL worm has been found in the wild. As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MIMAIL.R.

Also known as W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

This mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names. It can also propagate using the Kazaa peer-to-peer file sharing network.

It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.

It runs on Windows 98, ME, NT, 2000 and XP.

It sends email with the following details:

Subject: (any of the following)
. Error
. Status
. Server Report
. Mail Transaction Failed
. Mail Delivery System
. hello
. hi

Message Body: (any of the following)
. The message contains Unicode characters and has been sent as a binary attachment.
. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
. Mail transaction failed. Partial message is available.
. test

Attachment: <Random name>.zip

Post this on every message board you can find. Get the word out. If you have a friend or family member who does not understand how to operate an antivirus, please check that they are updated and protected. If you know someone running antivirus on an email server, please tell them to turn off the bounce feature.

The normal SWI newsletter is going to be a day or two late. I am having bad weather here and it's interrupting my internet connection.

Regards,

Mike Healan
Editor
www.spywareinfo.com
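
As an added worked example (not part of the newsletter above and not Trend Micro's or any vendor's code): a small mail-gateway triage function that matches an incoming message against the subject, body and attachment characteristics listed in this thread and, on a match, chooses rejection or quiet discard instead of a bounce, since the From: address is spoofed. The function names, the verdict rule (an attachment indicator plus a subject or body indicator) and the sample messages are assumptions made for the illustration; the double-extension check (readme.txt.scr and the like) goes beyond the lists quoted here.

```python
import email
from email import policy
from email.message import EmailMessage

# Message characteristics transcribed from the Sophos and Trend Micro descriptions quoted
# in this thread. The "[random collection of characters]" subjects and attachment names
# cannot be matched by a list; those messages are caught by the attachment rules alone.
SUBJECTS = {"error", "hello", "hi", "mail delivery system", "mail transaction failed",
            "server report", "status", "test"}
BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
    "test",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def _norm(text):
    """Lower-case, collapse whitespace and drop a trailing full stop before comparing."""
    return " ".join(text.lower().split()).rstrip(".")


def attachment_indicators(filename):
    """Indicators for one attachment file name, e.g. 'document.zip' or 'readme.txt.scr'."""
    hits = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return hits
    stem, ext = parts[0], parts[-1]
    if ext in ATTACH_EXTS:
        hits.append(f"attachment extension .{ext}")
    if stem in ATTACH_NAMES:
        hits.append(f"attachment name '{stem}'")
    # A harmless-looking inner extension in front of an executable one (readme.txt.scr).
    if len(parts) > 2 and ext in ATTACH_EXTS - {"zip"}:
        hits.append(f"double extension '{filename}'")
    return hits


def classify(raw):
    """Parse one raw RFC 822 message and return {'verdict', 'action', 'indicators'}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_hits, attach_hits = [], []

    if _norm(msg["subject"] or "") in SUBJECTS:
        header_hits.append(f"subject '{msg['subject']}'")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and _norm(body_part.get_content()) in BODIES:
        header_hits.append("known message body")

    for part in msg.iter_attachments():
        attach_hits.extend(attachment_indicators(part.get_filename() or ""))

    if attach_hits and header_hits:
        verdict = "worm"
    elif attach_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"

    # The From: address was harvested from an infected machine's disk, so a bounce (NDR)
    # goes to an uninvolved third party and carries the attachment with it. Refuse the
    # message during the SMTP transaction or drop it silently; never bounce it.
    action = "deliver" if verdict == "clean" else "reject at SMTP time or discard; do not bounce"
    return {"verdict": verdict, "action": action, "indicators": header_hits + attach_hits}


def build_sample(subject, body, filename, payload=b"MZ\x90\x00 constructed, not a real program"):
    """Build a constructed message in the worm's shape; the addresses are invented."""
    m = EmailMessage()
    m["From"] = "harvested.address@example.net"   # spoofed: not the real sender
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    worm = build_sample("Mail Transaction Failed",
                        "Mail transaction failed. Partial message is available.",
                        "document.zip")
    print(classify(worm))
    print(classify(build_sample("Q3 budget", "Spreadsheet attached.", "budget.xlsx")))
```

A real gateway would apply this in the SMTP DATA phase with a 5xx reply, or drop the message after acceptance; the point the newsletter makes is that neither path generates a return message to the forged sender. Requiring both an attachment indicator and a subject or body indicator before calling it "worm" keeps an ordinary .zip with a normal subject at "suspicious" and is a threshold chosen for this example, not a vendor's.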
 
#7 ·
I am sticking this thread for a while as it appears we are going to be seeing this a lot.

If you have been infected by this worm the latest reference file released for Adaware should remove it, so please do the following:

Go here and download Adaware 6 Build 181

Install the program and launch it.

First, in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on (ON = GREEN):

From the main window: click Start, then Activate in-depth scan (recommended).

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning, and under Cleaning Engine select Let Windows remove files in use at next reboot.

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select all from the drop-down menu and click Next.)

Restart your computer.
 
#13 ·
If you get infected, and run Ad-Aware ... you will see something like this:

Win32.MMail.A Object recognized!
Type : File
Data : shimgapi.dll
Category : Malware
Comment :
Object : C:\WINNT\system32\
FileSize : 4 KB
Created on : 1/27/2004 4:37:21 PM
Last accessed : 1/27/2004 6:01:23 PM
Last modified : 1/27/2004 4:37:21 PM

Mark it for deletion ... then you will need to reboot in order to remove it fully.
 
#17 ·
Maybe your ISP has an antivirus that removed the virus before delivering the email. What are the contents of "Unknown.txt"?
Open it by going to File>>Open in Notepad. That way you are safe if it turns out it's actually named unknown.txt.exe or .txt.scr or something else.
 