TCH-Dick

W32.Mydoom.A@mm (also known as W32.Novarg.A)

W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.

Removal using the Removal Tool

Symantec Security Response has developed a removal tool to clean the infections of W32.Mydoom.A@mm. This is the preferred method in most cases.

Manual Removal

Perform a manual removal if you cannot obtain the tool.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Mydoom.A@mm.
5. Delete the values that were added to the registry.
6. Reregister the webcheck.dll file. (This will remove the registry modifications responsible for loading Shimgapi.dll.)

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

* "How to disable or enable Windows Me System Restore"
* "How to turn off or turn on Windows XP System Restore"

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

* For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
* For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   * For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
   * For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Mydoom.A@mm, click Delete.

5. Deleting the values from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to each of these keys:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

   "Taskmon"="%System%\taskmon.exe"

   Note: %System% is a variable that refers to the location of the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

5. Exit the Registry Editor.

6. Reregistering the Webcheck.dll file

(This will remove the registry modifications responsible for loading Shimgapi.dll.)

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type, or copy and paste, the following text:

   regsvr32 webcheck.dll

3. Click OK. When you see the message, "DllRegisterServer in webcheck.dll succeeded," click OK.
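As an added example (not part of TCH-Dick's post or Symantec's write-up), here is a small Python triage script that checks a host against the indicators the post lists: TCP listeners in the 3127 through 3198 backdoor range, parsed from Windows "netstat -an" output, and Run or InprocServer32 registry values that point at taskmon.exe or shimgapi.dll. The netstat rows and registry values below are constructed sample input, and the functions take captured text so the check can be run offline against a saved netstat dump.

```python
"""Offline triage helpers for the W32.Mydoom.A indicators listed in the post above."""
import re
# Indicators from the post: backdoor on TCP 3127-3198, a Run value "Taskmon" pointing
# at %System%\taskmon.exe, and Shimgapi.dll loaded via webcheck.dll's registry entries.
BACKDOOR_PORTS = range(3127, 3199)  # 3127..3198 inclusive
RUN_VALUE_NAME = "taskmon"
WORM_FILES = {"taskmon.exe", "shimgapi.dll"}

# One Windows 'netstat -an' row: "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING"
_NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_ports(netstat_output: str) -> list:
    """Every local TCP port reported as LISTENING; rows in other states are ignored."""
    return [int(m.group(1)) for line in netstat_output.splitlines()
            if (m := _NETSTAT_ROW.match(line))]

def backdoor_ports(ports) -> list:
    """The subset of ports inside the Mydoom backdoor range, deduplicated and sorted."""
    return sorted(p for p in set(ports) if p in BACKDOOR_PORTS)

def suspicious_registry_value(name: str, data: str) -> bool:
    """True when a Run or InprocServer32 value names one of the worm's files."""
    filename = data.strip().strip('"').lower().replace("/", "\\").split("\\")[-1]
    if filename not in WORM_FILES:
        return False
    # Windows 9x ships its own taskmon.exe under the value name "TaskMonitor", so
    # taskmon.exe only counts under the exact name the post gives; shimgapi.dll always does.
    return filename == "shimgapi.dll" or name.lower() == RUN_VALUE_NAME

def triage(netstat_output: str, registry_values: dict) -> dict:
    """Run both checks; empty lists mean none of the post's indicators were found."""
    return {"backdoor_ports": backdoor_ports(listening_ports(netstat_output)),
            "registry": sorted(n for n, d in registry_values.items()
                               if suspicious_registry_value(n, d))}

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3128      10.0.0.5:80            ESTABLISHED
"""
SAMPLE_RUN_VALUES = {"Taskmon": '"C:\\Windows\\System32\\taskmon.exe"',
                     "ctfmon.exe": "C:\\Windows\\System32\\ctfmon.exe"}

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_VALUES))
```

A hit in either list is a reason to carry out the removal steps above rather than proof on its own, since the post notes the backdoor keeps listening even after the worm's February 12 stop date.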


Mike:

Thanks for the instructions. I've cut-and-pasted them to send out to a few coworkers whose computers got hit with this. (Don't know if you wrote it or not, but I'm giving you credit, tho'!)

Very timely. ;)
