Novastream - IT Systems, Software & Support

The MyDoom virus and how to get rid of it.

First, how to get rid of MyDoom:

1. Go to www.pandasoftware.co.uk, download the quick remove tool for this virus and run it.

This will remove the worm.

Now, what is it all about?

The MyDoom virus appeared all over the internet on Wednesday 28th Jan 2004. It is actually a worm, spread by email and by the Kazaa p2p system. An email message with any of the following subjects may carry the worm:

    error
    hello
    hi
    mail delivery system
    mail transaction failed
    server report
    status
    test
    or just random characters

If you open the attachment in the email the worm is activated, and it begins to send itself to other people using email addresses it finds in your address book and in other files on the machine.
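The subject list above is the sort of thing a mail gateway or client-side filter can act on. The following Python filter is an added example, not code from the Novastream page or from Panda Software: it parses each message, warns on the listed subjects and blocks any message carrying an executable attachment, which is the only way to catch the "random characters" variant whose subject cannot be predicted. The subject list is the page's own; the attachment extensions, the addresses and the sample messages are assumptions constructed for this example.

```python
"""Flag mail that matches the MyDoom.A lure described above.

Added example, not code from the Novastream page or from Panda Software.
The subject list is the page's; the attachment extensions, the sender
addresses and the sample messages are assumptions constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects listed on the page, compared case-insensitively after trimming.
MYDOOM_SUBJECTS = {
    "error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "server report", "status", "test",
}

# Attachment types to block outright. Assumption: the page does not list the
# worm's attachment extensions, so this is a generic executable-type list.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".cmd", ".bat", ".zip")


def executable_attachments(msg):
    """Return the filename of every part whose name looks executable.

    walk() is used rather than iter_attachments() so that a single-part
    message that is itself a named binary is caught as well.
    """
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def classify(raw):
    """Parse one raw message (bytes) and return a verdict dictionary.

    "block": an executable attachment is present (this also covers the
             random-character subject variant, whose subject is unpredictable)
    "warn":  only the subject matches; "hi" or "test" are common in
             legitimate mail, so the subject alone is not enough to block
    "pass":  neither indicator present
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    exe = executable_attachments(msg)
    subject_hit = subject in MYDOOM_SUBJECTS
    if exe:
        verdict = "block"
    elif subject_hit:
        verdict = "warn"
    else:
        verdict = "pass"
    return {"subject": subject, "subject_hit": subject_hit,
            "executable_attachments": exe, "verdict": verdict}


def build_sample(subject, attachment_name=None):
    """Construct a test message; synthetic data, not a captured worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    if attachment_name:
        # A few bytes with the DOS 'MZ' header stand in for a real payload.
        msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


# Constructed samples: worm-style, subject only, random subject, legitimate.
SAMPLES = [
    build_sample("Mail Delivery System", "document.pif"),
    build_sample("hi"),
    build_sample("qwfgklp", "readme.exe"),
    build_sample("Lunch on Friday?"),
]


def run(samples=SAMPLES):
    """Classify each sample and return the verdicts in order."""
    return [classify(s)["verdict"] for s in samples]


if __name__ == "__main__":
    for raw in SAMPLES:
        result = classify(raw)
        print("%-5s subject=%r attachments=%s" % (
            result["verdict"], result["subject"],
            result["executable_attachments"]))
```

Blocking on attachment type rather than on subject is the decision that matters here: the subjects are ordinary words that legitimate mail uses every day, while a home user has very little reason to receive a .pif or .scr file by email.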

The MyDoom worm creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me there is a legitimate file called taskmon.exe in the Windows folder, so don't delete that by accident. The worm's copy sits in the system or temp folder, not in the Windows folder itself.

MyDoom also drops a file named shimgapi.dll in the temp or system folder. This is a backdoor program, loaded by the worm, that allows outsiders to connect to TCP port 3127. The worm adds the following registry entry so that the DLL is loaded on startup (the CLSID belongs to a component Explorer loads automatically, so Explorer loads the worm's DLL in its place):

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"

The worm will also add entries under the following registry keys (note that the HKCU key also exists on a clean machine, where Explorer keeps its Open/Save dialog history, so the mere presence of the key is not a sign of infection):

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between 1st and 12th February 2004 the worm attempts a denial-of-service attack against www.sco.com, flooding the web server with GET requests. After 12th February MyDoom-A will no longer spread, because of an expiry date set in its code. It will, however, still run the backdoor component. Both dates are checked against the infected machine's own clock, so a wrongly set clock changes when the attack and the expiry actually happen.
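The registry entries and the port number above are the indicators a support engineer would check by hand on a machine suspected of infection. The script below is an added example, not Novastream's advice or Panda's removal tool. It keeps the indicator logic separate from data collection, so the logic can be exercised on constructed registry and port data on any platform, while the live collector (winreg plus a loopback connect to port 3127) only works on Windows. The handling of the Windows 95/98/Me Task Monitor entry is an assumption: this example takes that legitimate Run value to be named "TaskMonitor" and to point at taskmon.exe in the Windows folder, and treats a taskmon.exe in a system32, system or temp folder as the worm's copy.

```python
"""Check a Windows machine for the MyDoom.A persistence points listed above.

Added example, not Novastream's advice or Panda's removal tool. evaluate()
is pure logic and runs anywhere; collect_live() needs Windows (winreg).
"""
import socket
import sys

MYDOOM_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
INPROC_SUBKEY = r"CLSID\%s\InProcServer32" % MYDOOM_CLSID
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BACKDOOR_PORT = 3127


def run_value_is_worm(name, data):
    """Decide whether one Run value is the worm's autostart entry.

    The worm uses the value name "Taskmon" with data "taskmon.exe" (from the
    page). Windows 95/98/Me start their own legitimate Task Monitor from the
    Windows folder; assumption for this example: that entry is named
    "TaskMonitor" and points at <windows dir>\taskmon.exe, so only a
    taskmon.exe in a system32, system or temp folder counts as the worm.
    """
    data_l = str(data).lower()
    if name.lower() == "taskmon":
        return True
    if "taskmon.exe" in data_l and any(
            d in data_l for d in ("\\system32\\", "\\system\\", "\\temp\\")):
        return True
    return False


def evaluate(run_values, inproc_server, port_listening):
    """Pure indicator logic; returns a list of human-readable findings.

    run_values:     dict {value name: data} merged from the HKLM and HKCU Run keys
    inproc_server:  default value of HKCR\CLSID\{...}\InProcServer32, or None
    port_listening: True if something accepts TCP connections on port 3127
    """
    findings = []
    for name, data in run_values.items():
        if run_value_is_worm(name, data):
            findings.append("Run value %r = %r (worm autostart)" % (name, data))
    if inproc_server and "shimgapi.dll" in inproc_server.lower():
        findings.append("InProcServer32 for %s = %r (backdoor DLL)"
                        % (MYDOOM_CLSID, inproc_server))
    if port_listening:
        findings.append("TCP port %d accepts connections (backdoor active)"
                        % BACKDOOR_PORT)
    # The ComDlg32 keys the page mentions are deliberately not checked here:
    # HKCU\...\Explorer\ComDlg32 exists on clean machines (Open/Save dialog
    # history), so the key's presence alone is not evidence of infection.
    return findings


def port_accepts_connection(port=BACKDOOR_PORT, host="127.0.0.1", timeout=1.0):
    """True if a TCP connect to host:port succeeds, i.e. something listens."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def collect_live():
    """Gather the real values on a Windows host (requires winreg)."""
    import winreg  # Windows only
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:   # no more values
                        break
                    run_values[name] = data
                    i += 1
        except OSError:               # hive or key not readable
            pass
    try:
        inproc = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, INPROC_SUBKEY)
    except OSError:
        inproc = None
    return run_values, inproc, port_accepts_connection()


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; evaluate() works anywhere")
    for line in evaluate(*collect_live()) or ["no MyDoom.A indicators found"]:
        print(line)
```

The port check only tells you that something answers on 3127, not what; on the machine itself `netstat -an | find "3127"` gives the same information and is worth running as a cross-check. A clean result from this script is not proof of health either: it looks only for the MyDoom-A indicators on this page, so an up-to-date scanner is still the right tool for the final word.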

What does it do to a machine?

It sends copies of itself by email to addresses it finds on the machine, in order to spread.

It opens a hole on your machine (the backdoor on TCP port 3127) so that outsiders can connect from the internet, take control of the machine and run further programs on it. The attack on the www.sco.com servers is built into the worm itself and runs between the dates above; the backdoor lets the machine be abused long after that.

What is the point of MyDoom?

It looks like the point is to mount a colossal attack on the web servers of the SCO Group (www.sco.com). SCO has recently started demanding payments from people using the Linux operating system, which most people consider free to use, on the grounds that its code infringes SCO's Unix intellectual property rights. Linux is the operating system of choice for many computer programmers, hackers and virus writers because of its resistance to viruses, and SCO's actions have not pleased those communities. A court case under way in the US at present will decide whether SCO has grounds for demanding payment for the use of its IPR.

The Anti-virus Solution

The most effective way to keep your machine safe from viruses is to run an up-to-date anti-virus product. We trust and recommend the award-winning Panda Titanium Anti-virus solutions for home users.

Panda Titanium Antivirus retail box (1 year support) only £28.54 +vat

Buy one now

The always up-to-date and install-and-forget antivirus for home users and home offices.

A latest generation security product with unrivalled capacity for detecting viruses and other threats. Its innovative technology automatically repairs system damage caused by viruses.

The ideal solution for users who need security combined with ease of use: it detects and resolves security holes, includes self-diagnosis and can reinforce itself against virus attacks. The most advanced security technology ensures maximum speed with minimum resource use.

Copyright © 2004