The Mydoom-A worm spreads via infected email attachments and peer-to-peer (P2P) file sharing. It is designed to perform a Denial of Service attack on SCO's website. The worm file is 22,528 bytes long. It is designed to stop spreading on 12 February 2004.
The Subject line is one of:
test, hi, hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status or Error
The Body text is usually one of:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment
Mail transaction failed. Partial message is available
The Attachment Name is one of:
document, readme, doc, text, file, data, test, message, body
with one of the extensions:
.pif, .scr, .exe, .cmd, .bat, .zip
(a .zip attachment contains the executable itself, so the archive name, not only the extension, is the indicator)
REMOVAL INSTRUCTIONS:
- Run REGEDIT and delete the following registry values:
  - the default value, which points to %system directory%\shimgapi.dll, in registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    (this CLSID belongs to an existing Windows shell component; the worm overwrites its InProcServer32 path so that shimgapi.dll is loaded in its place. If a known-good backup of the original value is available, restore it rather than leaving the key empty.)
  - "TaskMon"="%system directory%\taskmon.exe"
    in registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - "TaskMon"="%system directory%\taskmon.exe"
    in registry key:
    [HKEY_USERS\{User ID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    (for the logged-on user this is the same key as HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; check the Run key of every loaded user hive)
- Run Vbuster.Exe and use it to delete all occurrences of the worm, including taskmon.exe and shimgapi.dll in the system directory, then restart the computer so that no copy of the worm remains loaded.
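The three registry entries above are easy to verify in bulk from a registry export (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` on the host, which writes UTF-16 text), which avoids running tools on the infected machine or hand-searching REGEDIT on every workstation. The following script is an added example, not part of this description or of Vbuster.Exe: it parses the `.reg` text format, then reports any Run-key value named TaskMon whose data ends in taskmon.exe, under HKLM, HKCU or any HKEY_USERS hive, and the InProcServer32 default of the CLSID listed above when it points at shimgapi.dll. The export embedded as `SAMPLE_EXPORT` is constructed for the demonstration; the drive and directory paths in it are assumptions.

```python
import ntpath
import re

# Run keys for the machine, the current user, and any loaded user hive under HKEY_USERS.
RUN_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
CLSID_INPROC_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
                    r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32")
# "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def _unquote(data: str) -> str:
    """Strip the quotes and REG_SZ escaping (\\\\ and \\") that .reg files apply to strings."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg(text: str):
    """Yield (key, value_name, data) for every value in a .reg export; '@' is the default value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group("default") else m.group("name")
            yield key, name, _unquote(m.group("data"))


def find_mydoom_indicators(text: str) -> list:
    """Return (key, value_name, data) for each of the three registry entries the description lists."""
    hits = []
    for key, name, data in parse_reg(text):
        base = ntpath.basename(data).lower()
        if RUN_KEY_RE.match(key) and name.lower() == "taskmon" and base == "taskmon.exe":
            hits.append((key, name, data))
        elif key.lower() == CLSID_INPROC_KEY.lower() and name == "@" and base == "shimgapi.dll":
            hits.append((key, name, data))
    return hits


# Constructed export for the demonstration (assumption: an XP-style system32 path, not a captured host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_USERS\S-1-5-21-1234567890-1234567890-1234567890-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\shimgapi.dll"
"ThreadingModel"="Apartment"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
'''

if __name__ == "__main__":
    # A real export from "reg export" is UTF-16: open(path, encoding="utf-16").read()
    for key, name, data in find_mydoom_indicators(SAMPLE_EXPORT):
        print(f"[{key}] {name} = {data}")
```

Matching on the value name and the file name together, rather than on "taskmon.exe" alone, matters because Windows 9x/ME ship a legitimate taskmon.exe in the Windows directory registered under the value name "TaskMonitor"; the worm's entry is named "TaskMon" and points into the system directory, as the instructions above state.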