BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Security

Security management Toolkit

MyDoom: Prevention and cure

Tags:
Email,
Crash Servers,
Mass-mailing,
MyDoom

Robert Vamosi ZDNet.com

Published: 28 Jan 2004 10:05 GMT

MyDoom is a mass-mailing worm that masquerades as a test message. MyDoom (w32.mydoom@mm, also known as Novarg, Shimgapi, Shimg, and MiMail.r) takes advantage of the ZIP file format's ability to pass through email filters. It also uses Kazaa to spread. Within the first few hours, MyDoom spread quickly around the world. It affects only Windows users, not those using Macintosh, Linux, or Unix. Much of the worm's code is itself encrypted, and antivirus firms are still studying it. Because MyDoom spreads via email and could severely slow or shut down email servers with excess traffic, this worm rates a 7/10 on the ZDNet Virus Meter.

How it works
MyDoom arrives as email with the subject line "Mail Delivery System," "Test," or "Mail Transaction Failed". The body text reads: "The message contains Unicode characters and has been sent as a binary attachment." The attached files are one of the following:

document.zip
document.pif
doc.scr
message.pif
readme.exe
file.zip
message.zip
oia.zip
text.zip

When the worm is executed, MyDoom adds the following to the Windows/System subdirectory:

shimgapi.exe
taskmon.exe

If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\.

The worm appears to install programs on infected computers, however, the programs themselves are encrypted. MyDoom is known to open Windows Notepad and display garbage text; it is also thought to be flooding Sco.com with a denial-of-service attack. In addition, the security company iDefense and McAfee are reporting that MyDoom opens port 3127 to listen for commands from a remote attacker.

Prevention
If you receive MyDoom, do not open the attached file. Delete the email.

Removal
Almost all antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec or Trend Micro.

Did you find this article useful?
81 out of 170 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

MyDoom
crash servers

mass-mailing
Email

Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video

Install Flash Player plugin

Find out more: Microsoft exec outlines...

All videos
Most popular videos
Latest videos

Featured Talkback

In association with Network Liberation Movement

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.