
What You Should Know About the Mydoom Worm Variants: Mydoom.A and Mydoom.B

The following article is duplicated completely from the corresponding Microsoft page What You Should Know About the Mydoom Worm Variants: Mydoom.A and Mydoom.B to avoid it being unavailable when the MyDoom-assmunch virus blocks Microsoft sites with a DDOS.

All rights reserved by Microsoft only.

Quote:
Why We Are Issuing This Alert

The Mydoom.A and Mydoom.B worm variants are currently spreading rapidly through e-mail messages. They attempt to entice e-mail recipients into opening a file attachment, most commonly those with a .zip file name extension. If the attached file is opened, the worm installs malicious code on the computer user's system and sends copies of itself to all contacts in the user's address book. Both versions of the worm leave a file on the infected machine that can potentially allow a malicious individual to access that machine. Mydoom.B also reportedly blocks access to some websites, including Microsoft.com and some antivirus vendors' websites.

We will update this page as soon as more information becomes available.

How to Tell If a Computer Is Infected with Mydoom.A or Mydoom.B

Figure 1. Searching for the ctfmon.dll file on a Windows XP-based hard drive.

To find out whether your computer is infected, use one of the following procedures.

First, find out which operating system you have.

To find out if a computer is infected, do the following:

  1. Click Start, and then click Search.
  2. In the What do you want to search for? box, click All files and folders.
  3. Then, in the All or part of the file name box, type:

    shimgapi.dll

    If that file exists on the computer, the computer is infected with Mydoom.A, and you need to contact your antivirus vendor.

  4. In the All or part of the file name box, type:

    ctfmon.dll

    (see Figure 1). If that file exists on the computer, the computer is infected with Mydoom.B, and you need to follow the steps below.

To check for the worm yourself, do the following:

  1. Click Start, and then click Run.
  2. In the Open box, type:

    cmd

  3. Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
  4. Click the cursor, and then type:

    dir ctfmon.dll /a /s

  5. Press ENTER.
  6. Wait a few moments:

    If the results show File Not Found, the computer is not infected with Mydoom.A or Mydoom.B.

    If the results show File Found and the file size is displayed, the computer is infected with Mydoom.A or Mydoom.B, and you need to follow the steps below.

  1. Click Start, and then click Run.
  2. In the Open box, type:

    command

  3. Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
  4. Click the cursor, and then type:

    dir ctfmon.dll /a /s

  5. Press ENTER.
  6. Wait a few moments:

    If the results show File Not Found, the computer is not infected with Mydoom.A or Mydoom.B.

    If the results show File Found and the file size is displayed (see Figure 2), the computer is infected with Mydoom.A or Mydoom.B; contact your preferred antivirus vendor to get the latest updates and information.

Figure 2. Command Prompt window on a computer infected with Mydoom.B.


What to Do If Your Computer Is Infected

If your computer is infected, first consult your preferred antivirus vendor to get the latest updates and information. If you are unable to access your antivirus vendor's website, you can regain access by using one of the following procedures.

  1. Click Start, and then click Run.
  2. In the Open box, type:

    cmd

  3. Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
  4. Click the cursor and:

    1. Type (the %systemroot% variable expands to the Windows installation folder, for example C:\WINDOWS):

      del /F %systemroot%\system32\drivers\etc\hosts

    2. Press ENTER.
    3. Type:

      echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts

    4. Press ENTER.
    5. Type:

      attrib +R %systemroot%\system32\drivers\etc\hosts

    6. Press ENTER.

  5. After typing these commands, do one of the following:

    • If you use Windows NT 4.0, restart your computer.
    • If you use Windows XP or Windows 2000, do not restart your computer. Instead, do the following:

      1. Type:

        ipconfig /flushdns

      2. Press ENTER.

  1. Click Start, and then click Run.
  2. In the Open box, type:

    command

  3. Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
  4. Click the cursor and:

    1. Type:

      del c:\windows\hosts

    2. Press ENTER.
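The procedures above throw the HOSTS file away because Mydoom.B is reported to use it to block vendor sites. Before doing that, a defender can inspect the file for the tell-tale pattern: vendor or Microsoft host names pinned to an unreachable address. The checker below is an added example, not Microsoft's code; the watched domain list and the sample HOSTS content are constructed for illustration, and the clean replacement content mirrors what the article's echo command writes.

```python
import ipaddress

# Illustrative watch list (an assumption): domains a site-blocking worm would
# want to make unreachable. The page does not reproduce Mydoom.B's actual list.
WATCHED_DOMAINS = ("microsoft.com", "symantec.com", "mcafee.com")

# Content the article's remediation step writes as the replacement file.
CLEAN_HOSTS = "# Temporary HOSTS file\n"

def is_sinkhole(addr: str) -> bool:
    """True if mapping a name to addr makes it unreachable (0.0.0.0, loopback, link-local)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback or ip.is_link_local

def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for each mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()

def in_watch_list(name: str) -> bool:
    """Exact or subdomain match only, so evilmicrosoft.com does not match microsoft.com."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def find_blocked(text: str):
    """Return (line_no, address, hostname) for watched names pinned to a sinkhole address."""
    return [(n, addr, name) for n, addr, name in parse_hosts(text)
            if name != "localhost" and in_watch_list(name) and is_sinkhole(addr)]

# Constructed sample: a normal localhost line, two worm-style blocking entries,
# and one legitimate internal pin that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.microsoft.com         # constructed blocking entry
127.0.0.1       liveupdate.symantec.com   # constructed blocking entry
192.0.2.10      intranet.example          # constructed, legitimate pin
"""

if __name__ == "__main__":
    for n, addr, name in find_blocked(SAMPLE_HOSTS):
        print(f"line {n}: {name} pinned to {addr}")
    print("clean replacement flags:", find_blocked(CLEAN_HOSTS))
```

To run it against a real machine, read %systemroot%\system32\drivers\etc\hosts into a string and pass it to find_blocked; an empty result means no watched name is being sinkholed.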


Visit Antivirus Software Vendors for More Information

If your computer is infected with either Mydoom.A or Mydoom.B and you need technical assistance, contact your antivirus vendor or Microsoft Product Support Services for help removing the worm.

  • For Microsoft Product Support Services in the United States and Canada, call toll free (866) PCSAFETY (727-2338).
  • For Microsoft Product Support Services outside the United States and Canada, visit the Product Support Services Web page.

Find additional information and resources from antivirus software vendors participating in the Microsoft Virus Information Alliance:


Potential Distributed Denial of Service Attack Against Microsoft.com

Microsoft is aware that computers infected with the Mydoom.B variant are set to conduct a distributed denial of service (DDOS) attack against Microsoft websites. Although Microsoft is unable to discuss the specific remedies it is taking to prevent the reported DDOS attack, we are doing everything we can to ensure that Microsoft properties remain fully available to our customers. Microsoft is aggressively working with our Virus Information Alliance partners to help protect customers from this outbreak.

If you know someone whose computer is infected with the Mydoom.B variant, that person may not be able to view this Web page. The same information that you see on this page can be found at:

https://information.microsoft.com/security/antivirus/mydoom.asp

Note: Visitors to this page may see a Security Information dialog box with this message: "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" On this page, click No.


What the Severity Ratings Mean

Critical. A vulnerability related to a Microsoft product has been found, or an update is unavailable; two or more vectors of infection are known; a new vector of infection is possible; the distribution potential is high; unique data destruction can occur; and a significant disruption of service has occurred.

Moderate. A potential vulnerability related to a Microsoft product has been found; two or fewer vectors of infection are known; a new vector of infection is possible; the distribution potential is medium to high; unique data destruction has not occurred; and significant disruption of service has not occurred.

Low. Vulnerabilities related to a Microsoft product have not been found; only one vector of infection is known; new vectors of infection have not been found; the distribution potential is low; unique data destruction has not occurred; and significant disruption of service has not occurred.
