Dirty Boyz
05-02-2004, 05:51
Mydoom (also known as Novarg) is a Windows-based worm which is spreading at an astounding rate, appearing in at least 1 out of 12 emails.
It is a mass mailer which attempts to generate its own email addresses, causing outbound mail queues to get heavily clogged with repeated requests. It is also widely spread in peer-to-peer environments such as KaZaa.
The worm uses a very old-fashioned approach of requiring a user to click on the attachment to trigger its activity. Once downloaded, Mydoom opens TCP port 3127, used for remote access, suggesting there are more sinister functionalities included. Apparently a large number of users are doing this, as the virus is being rated as a highly infectious beast by the major anti-virus vendors, including Symantec and Network Associates. The worm attacks all Microsoft operating systems including Windows 95, 98, Me, NT, 2000 and XP.
Characteristics
# It will appear in your inbox as an email from a spoofed email sender with varying subject titles including hi, hello, mail delivery system and server report. The body of the message can also appear in a few variations including 'mail transaction failed' and 'the message contains unicode characters and has been sent as a binary attachment'. Most importantly, the dangerous attachment which appears with the message may be of the file type .bat, .exe, .scr, .pif or even called message.zip, readme.zip or document.zip, although each of these messages may appear with a small text file icon such as [image: 100983icn.gif]. On execution
# When this file is opened or run, it appears as a text message filled with nonsense characters, but silently copies itself into the Windows System directory as an application called taskmon.exe.
Method of Infection
# Mydoom is propagated by harvesting addresses from the infected user's computer and by copying itself to the shared directory for KaZaa clients if they are present. All harvested viruses are sent the worm via SMTP, with the worm guessing at the recipient mail server by suffixing the target domain name with strings such as mx., mail., smtp., relay. and other variations.
Removal instructions
# Once infected, removal tools must be used such as those provided by McAfee in the form of the Stinger tool, available for download at . Furthermore, if you are using Windows ME or Windows XP you must ensure you turn off your XP Restore functionality, as the restore utility backs up selected files automatically to the C:\_Restore folder, where the worm can be stored and remain hidden from any virus scanning software. In order to remove the infected files you must first disable the System Restore Utility and then remove the infected files from the C:\_Restore folder as detailed below:
Windows ME
# 1. Right click the My Computer icon on the Desktop and click on Properties.
# 2. Click on the Performance tab.
# 3. Click on the File System button.
# 4. Click on the Troubleshooting tab.
# 5. Put a check mark next to 'Disable System Restore'.
[screenshot: MESysRestore.gif]
# 6. Click the 'OK' button.
# 7. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.
Windows XP
Disabling the System Restore Utility (Windows XP Users)
# 1. Right click the My Computer icon on the Desktop and click on Properties.
# 2. Click on the System Restore tab.
# 3. Put a check mark next to 'Turn off System Restore on All Drives'.
[screenshot: XPsysRestore.gif]
# 4. Click the 'OK' button.
# 5. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility after you have cleaned the specified folder, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
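The indicators listed in the post above (lure subjects and body phrases, the attachment names and extensions, the dropped taskmon.exe and the listening TCP port 3127) can be turned into a simple triage check. The script below is an added example written for this page; it is not part of the original post and not a vendor tool. The message summaries, the netstat output and the two-indicator threshold in `is_suspect` are constructed for illustration, and the system directory is passed in as a parameter because the post only says "the Windows System directory" without naming it per OS version.

```python
from pathlib import Path

# --- Mail-side indicators taken from the post's "Characteristics" section ---
LURE_SUBJECTS = {"hi", "hello", "mail delivery system", "server report"}
LURE_BODY_PHRASES = (
    "mail transaction failed",
    "unicode characters and has been sent as a binary attachment",
)
LURE_ATTACHMENT_EXTS = {".bat", ".exe", ".scr", ".pif"}
LURE_ATTACHMENT_NAMES = {"message.zip", "readme.zip", "document.zip"}

# Constructed sample messages (not from the post): the shape a mail gateway
# log might give us, one dict per message.
SAMPLE_MESSAGES = [
    {"subject": "hello", "body": "mail transaction failed", "attachment": "document.zip"},
    {"subject": "Mail Delivery System",
     "body": "The message contains Unicode characters and has been sent as a binary attachment.",
     "attachment": "message.pif"},
    {"subject": "Q3 budget", "body": "See attached spreadsheet.", "attachment": "budget.xls"},
    {"subject": "Server Report", "body": "", "attachment": "readme.txt"},
]


def matched_indicators(msg):
    """Return which of the post's lure indicators a message matches."""
    hits = []
    if msg.get("subject", "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = msg.get("body", "").lower()
    if any(phrase in body for phrase in LURE_BODY_PHRASES):
        hits.append("body")
    name = msg.get("attachment", "").strip().lower()
    if name in LURE_ATTACHMENT_NAMES or Path(name).suffix in LURE_ATTACHMENT_EXTS:
        hits.append("attachment")
    return hits


def is_suspect(msg, threshold=2):
    """Hypothetical rule: two or more independent indicators flags the message.
    A lone 'hello' subject is far too common to act on by itself."""
    return len(matched_indicators(msg)) >= threshold


def triage(messages):
    """Return the indices of messages worth quarantining for analyst review."""
    return [i for i, m in enumerate(messages) if is_suspect(m)]


# --- Host-side indicators: dropped file and backdoor port ---
MYDOOM_BACKDOOR_PORT = 3127
DROPPED_FILE = "taskmon.exe"

# Constructed `netstat -an` style output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED
"""


def listening_tcp_ports(netstat_text):
    """Parse listening TCP ports out of netstat -an style text."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def backdoor_listening(netstat_text):
    """True if the post's remote-access port is open locally."""
    return MYDOOM_BACKDOOR_PORT in listening_tcp_ports(netstat_text)


def taskmon_dropped(system_dir):
    """True if the dropped-file indicator exists in the given system directory."""
    return (Path(system_dir) / DROPPED_FILE).is_file()


if __name__ == "__main__":
    for i in triage(SAMPLE_MESSAGES):
        print(f"message {i} matches {matched_indicators(SAMPLE_MESSAGES[i])}")
    print("backdoor port open:", backdoor_listening(SAMPLE_NETSTAT))
    print("taskmon.exe present:", taskmon_dropped(r"C:\Windows\System"))
```

On a host that has been cleaned, remember the post's own caveat: a copy of the file may still sit under C:\_Restore until System Restore has been disabled and that folder cleared, so a negative result from `taskmon_dropped` against the system directory alone does not prove the machine is clean.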