Mydoom Worm

Mydoom is a worm that spreads over e-mail and Kazaa p2p network. When executed, the worm opens up Windows'' Notepad with garbage data in it. In e-mails, it uses variable subjects, bodies and attachment names. It also performs a Distributed Denial-of-Service attack on www.sco.com, starting on the 1st of February. The worm opens up a backdoor to infected computers by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE. Mydoom is programmed to stop spreading on February 12th.

Messagelabs recorded infected e-mails from 211 countries, with 22% of them originating in the US.

Although the original Mydoom.A no longer spreads after February 12, failure to remove it will allow infection by subsequent variants of the worm. The high distribution of this worm creates an enormous vulnerability to later infections that could have a higher threat of damage.

What to Do If You Are Having Trouble Accessing Some Sites on the Internet

Mydoom.B has a side effect that prevents access to some web pages of Microsoft and antivirus vendors. You may have to obtain removal tools by using a PC that is not infected. An alternate source of information can be found at the following secure site: https://information.microsoft.com/security/antivirus/mydoom.asp.

Note - If you see a Security Information dialog box with the message "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?", click No .

If you use Windows XP, Windows 2000, Windows 98, Windows Me, or Windows Server 2003

There is a Mydoom and Doomjuice Worm Removal Tool (details in KB836528 at support.microsoft.com/?kbid=836528) available in the Microsoft Download Center ( www.microsoft.com/downloads/details.aspx?FamilyID=c14bfbe4-3d50-464d-a26c-9c287f8a08c5&displaylang=en) to help detect and remove the Mydoom and Doomjuice worms, which will also restore access to the websites blocked by Mydoom.B. This tool detects and removes the Mydoom.A, Mydoom.B, Doomjuice.A (aka "MyDoom.C"), and Doomjuice.B worms from infected systems. Once the tool has run-after the End-User License Agreement (EULA) is accepted-it automatically checks for infection and removes any of the targeted worms that are found. If a machine is infected with the Mydoom.B worm, the tool will also provide the user with the default version of the hosts file and set the "read-only" attribute for that file. This action will allow the user to visit previously-blocked Microsoft and antivirus websites.

Other Removal Tools include:

F-Secure - ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

Symantec - securityresponse.symantec.com/avcenter/FxMydoom.exe

Sophos - www.sophos.com/support/cleaners/mydoogui.com (Windows) or www.sophos.com/support/cleaners/mydoosfx.exe (command line)

McAfee - vil.nai.com/vil/stinger/

Panda - www.pandasoftware.com/download/utilities/

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x