Detecting and Removing Mydoom / Novarg
This worm has been called "the worst e-mail worm incident in virus
history" by F-Secure, a Finnish network security company. MessageLabs
has estimated that 1 in 12 e-mail messages carried on the Internet is
generated by the worm. "This is the most aggressive [worm] that we
have seen to date," said Mark Sunner, chief technology officer for
MessageLabs.
How to Detect the Worm
Mydoom takes firm hold of an infected computer. It opens a backdoor,
hides copies of itself in Kazaa shared directories, and adds an entry
to the system's registry so that it is loaded back into memory every
time the system is rebooted.
Things to check:
- The first time the worm runs, it opens notepad.exe and displays
  garbled (binary) data. Any time a program such as Notepad starts
  without you having invoked it, you should be concerned.
- The worm attempts to create two files in the Windows System
  directory: explorer.exe and ctfmon.dll. Use Windows Explorer to open
  the Windows System directory and look for a recently modified
  explorer.exe or ctfmon.dll. Note that the legitimate Explorer shell
  lives in the Windows directory itself (%WINDIR%\explorer.exe), not
  in the System directory, so a copy there is suspicious on its own.
- Run regedit and check the key
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If it contains
  Explorer=C:\WINDOWS\system32\explorer.exe, the machine is infected.
- If Kazaa is installed on the machine, check the Kazaa shared
  directory for any of the following files, carrying one of the
  extensions .exe, .scr, .pif or .bat:
  - attackXP-1.26
  - BlackIce_Firewall_Enterpriseactivation_crack
  - MS04-01_hotfix
  - NessusScan_pro
  - icq2004-final
  - winamp5
  - xsharez_scanner
  - zapSetup_40_148
- Check %WINDIR%\system32\drivers\etc\hosts to see if the following
  entry is present:
  0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
If you've got one or more of the above symptoms, you're infected.
How to Clean Up After MyDoom
- Edit %WINDIR%\system32\drivers\etc\hosts so that the only line it
  contains is:
  127.0.0.1 localhost localhost.localdomain local lo
  Note that some businesses have other legitimate entries in the hosts
  file, so be careful. As a rule, any line starting with 0.0.0.0
  should be removed.
- Once the hosts file is cleaned up you should be able to connect to
  your anti-virus vendor's site and download updates that protect
  against the MyDoom worm. Do so, then scan your entire computer for
  the worm and remove it.
- Remove Kazaa if you haven't already done so, and delete everything
  in your shared Kazaa folder.
- Remove all files and the Windows registry key modifications
  described in the Detection section above.
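As an added example, not part of the original advisory: a Python script that applies the hosts-file, registry Run-key and Kazaa-share checks from the Detection section to data already read from a host, and performs the hosts-file cleanup step above. The sample inputs are constructed; on a real Windows machine the hosts text would come from open(), the Run values from winreg, and the share listing from os.listdir.

```python
from pathlib import PureWindowsPath
# Indicators taken from the advisory above; constants, not an exhaustive signature set.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("Explorer", r"C:\WINDOWS\system32\explorer.exe")
KAZAA_BAIT = {n.lower() for n in (
    "attackXP-1.26", "BlackIce_Firewall_Enterpriseactivation_crack", "MS04-01_hotfix",
    "NessusScan_pro", "icq2004-final", "winamp5", "xsharez_scanner", "zapSetup_40_148")}
BAIT_EXT = {".exe", ".scr", ".pif", ".bat"}
SINKHOLE = "0.0.0.0"

def blocked_hosts(hosts_text):
    """Names the worm null-routed: every hostname on a line whose address is 0.0.0.0."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments; blank lines give []
        if fields and fields[0] == SINKHOLE:
            names.extend(fields[1:])
    return names

def clean_hosts(hosts_text):
    """Cleanup step from the advisory: drop every 0.0.0.0 line, keep all other entries."""
    kept = [ln for ln in hosts_text.splitlines() if not ln.lstrip().startswith(SINKHOLE)]
    return "\n".join(kept) + "\n"

def is_kazaa_bait(filename):
    """True for a share entry using one of the listed bait names and extensions."""
    p = PureWindowsPath(filename)
    return p.stem.lower() in KAZAA_BAIT and p.suffix.lower() in BAIT_EXT

def run_key_hit(run_values):
    """True if the Run key's Explorer value points at system32\\explorer.exe."""
    name, data = RUN_VALUE
    return run_values.get(name, "").strip().strip('"').lower() == data.lower()

def scan(hosts_text, run_values, shared_files):
    """One finding per matched indicator; an empty list means nothing matched."""
    findings = []
    if run_key_hit(run_values):
        findings.append(f"registry: {RUN_KEY}\\{RUN_VALUE[0]} = {RUN_VALUE[1]}")
    findings += [f"hosts: {h} blocked via {SINKHOLE}" for h in blocked_hosts(hosts_text)]
    findings += [f"kazaa: bait file {f}" for f in shared_files if is_kazaa_bait(f)]
    return findings
# Constructed sample input, not captured from a real host.
SAMPLE_HOSTS = "127.0.0.1 localhost localhost.localdomain local lo\n0.0.0.0 ftp.f-secure.com securityresponse.symantec.com\n"
SAMPLE_RUN = {"Explorer": r"C:\WINDOWS\system32\explorer.exe"}
SAMPLE_SHARE = ["winamp5.pif", "holiday.jpg", "NessusScan_pro.exe"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS, SAMPLE_RUN, SAMPLE_SHARE):
        print(finding)
```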
In the Meantime
Configure e-mail servers and workstations to block the file types
commonly used by malicious code to spread to other computers. Block
ZIP and executable extensions at the gateway and groupware level.
Also monitor traffic on the network and block the ports associated
with Mydoom, especially inbound TCP ports for the backdoor Trojan
component and outbound traffic on TCP port 10080. Administrators may
also find value in monitoring traffic associated with the DDoS
component. Handle all new files carefully, scanning them with updated
anti-virus software using heuristics before use.
Additional Information
Also known as: Mydoom.B
Aliases: Mydoom.B, Mydoom, Novarg
Size: 29184 bytes
Subject lines: "test," "hi," "hello," "Mail Delivery System," "Mail
Transaction Failed," "Server Report," "Status," or "Error."
Attachment names: "document," "readme," "doc," "text," "file," "data,"
"test," "message," or "body".
Attachment file extensions: .exe, .cmd, .bat, .pif, .scr or .zip