Detecting and Removing Mydoom / Novarg
This worm has been called "the worst e-mail worm incident in virus
history," by F-Secure
, a Finish
network security company. It has been estimated by Message Labs that 1
in 12 e-mail messages carried on the Internet is generated by the
worm. "This is the most aggressive [worm] that we have seen to date,"
said Mark Sunner, chief technology officer for MessageLabs
How to Detect the Worm
Mydoom manipulates any infected computers very effectively. It opens
back doors, hides and installs itself into Kazaa directories and
places itself into your system's registry so that it will
automatically re-install itself into memory if your system is
Things to check:
- The first time you run the worm, it will open notepad.exe and
display garbled data (binary). Any time a program, such as notepad,
is run without you having specifically invoked it, you should be
- The worm will attempt to create the following files in the Windows
System directory: explorer.exe and ctfmon.dll. Use Windows Explorer
to open your Windows System directory, and check to see if there is a
recently modified explorer.exe or ctfmon.dll file.
- Run regedit, and check the key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run". If it contains
Explorer=C:\WINDOWS\system32\explorer.exe, then the machine has been
- If Kazaa is installed on the machine, check in the Kazaa shared
directory for any of the following files:
The files will have one of the following extensions: .exe, .scr, .pif
- Check %WINDIR%\system32\drivers\etc\hosts to see if the following
entry is present: 0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
If you've got one or more of the above symptoms, you're infected.
How to Clean Up After MyDoom
- Edit %WINDIR%\system32\drivers\etc\hosts so that the only line
contained in it is:
127.0.0.1 localhost localhost.localdomain local lo
Note that some businesses may have other legitimate entries in the
hosts file, so be careful. As a rule any line starting with 0.0.0.0
should be removed.
- Once the hosts file is cleaned up you should be able to connect to
your anti-virus vendor's site to download updates to protect against
the MyDoom worm. Do so & scan your entire computer for the worm &
Kazaa if you haven't already done so. Remove everything in your
shared Kazaa folder.
- Remove all files and the Windows registry key modifications
described in the Detection section above.
In the Meantime
Configure e-mail servers and workstations to block file types commonly
used by malicious code to spread to other computers. Block ZIP and
executable extensions on the gateway and groupware level. Also monitor
traffic on the network and block ports associated with Mydoom,
especially inbound TCP ports for the backdoor Trojan component and the
outbound TCP 10080 port data. Administrators may also find value in
monitoring traffic associated with the DDoS component. Carefully
manage all new files, scanning them with updated anti-virus software
using heuristics prior to use.
Also Known As
"test," "hi," "hello," "Mail Delivery System," "Mail Transaction
Failed," "Server Report," "Status," or "Error."
"document," "readme," "doc," "text," "file," "data," "test,"
"message," or "body".
Worm Name File Extensions
.exe, .cmd, .bat, .pif, .scr or .zip