Remove MyDoom / Novarg
About MyDoom
Please also read the MyDoom.B Removal Instructions.
MyDoom is a variant of Mimail, a mass-mailing Internet worm. It is also known as W32/Novarg.A, W32/Shimg, W32/Mydoom, or W32/Mimail.R. It started spreading on the popular peer-to-peer file-sharing application Kazaa and has since moved to email, arriving as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm overwrites certain system files, emails itself to every email address it finds on the victim's machine, and opens a back door for malicious access. It affects Windows 9x/Me/2000/2003/XP systems.
The worm also sets up a backdoor by opening TCP ports 3127 through 3198 for inbound connections, which can allow an attacker to access the system and use it as a proxy into its network resources.
The worm uses the victim's machine to launch a DoS (Denial of Service) attack against www.sco.com if the system date is between February 1, 2004 and February 12, 2004.
The email carrying the MyDoom worm has the following characteristics:
From: The "From" address may be spoofed.
Subject: The subject will be one of the following:
- test
- hi
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error
Message: The message body will be one of the following:
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- test
Attachment: The attachment file name, not including the extension, will be one of the following:
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
The attached file may have either one or two file extensions. If it has two, the first extension will be one of the following:
- .htm
- .txt
- .doc
The second extension is preceded by a run of spaces, which can push the dangerous executable extension out of view. It will be one of the following:
- .pif
- .scr
- .exe
- .cmd
- .bat
- .zip (an actual .zip file that contains a copy of the worm with the same base name as the .zip; for example, readme.zip can contain readme.exe)
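As an added example (not part of the original article), the Python filter below applies the subject and attachment-naming indicators listed above, including the space-padded double extension, to a few constructed sample messages; the regular expression and the sample file names are assumptions for illustration, not the worm's exact naming logic.

```python
import re

# Indicator lists copied from the article's description of the MyDoom email.
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
DECOY_EXTS = {".htm", ".txt", ".doc"}                          # harmless-looking first extension
EXEC_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}  # dangerous final extension

# base name, optional decoy extension, optional run of spaces, final extension
ATTACHMENT_RE = re.compile(r"^([a-z]+)(\.[a-z]{3})?( *)(\.[a-z]{3})$", re.IGNORECASE)


def classify_attachment(name: str) -> dict:
    """Break an attachment filename into the indicators the article describes."""
    m = ATTACHMENT_RE.match(name)
    if not m:
        return {"match": False}
    base, decoy, pad, ext = m.groups()
    decoy = (decoy or "").lower()
    return {
        "match": True,
        "known_basename": base.lower() in BASENAMES,
        "executable_ext": ext.lower() in EXEC_EXTS,
        "double_extension": decoy in DECOY_EXTS,
        "space_padded": bool(decoy) and len(pad) > 0,  # spaces hide the real extension
    }


def is_mydoom_like(subject: str, attachment: str) -> bool:
    """Flag a message only when both subject and attachment match the article's
    lists; the subjects alone ("hi", "test") are far too generic to act on."""
    a = classify_attachment(attachment)
    if not a["match"] or not (a["known_basename"] and a["executable_ext"]):
        return False
    return subject.strip().lower() in SUBJECTS


# Constructed sample messages (subject, attachment name), not captured mail.
SAMPLE_MESSAGES = [
    ("Mail Transaction Failed", "document.txt                 .pif"),
    ("hello", "readme.zip"),
    ("test", "body.htm.scr"),
    ("Q3 budget", "budget.xls"),
    ("hello", "readme.txt"),
]


def flagged(messages=SAMPLE_MESSAGES) -> list:
    """Return the attachment names of the messages that match the worm's pattern."""
    return [att for subj, att in messages if is_mydoom_like(subj, att)]
```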
When a user executes the attached file, the worm creates three files: a copy of itself as %system%\shimgapi.dll, a text file %temp%\Message, and %system%\taskmon.exe. The last file, Taskmon.exe, is a legitimate Windows file and should not be deleted while cleaning the worm.
Note: %system% is a variable; it is normally C:\windows\system, C:\windows\system32 or C:\winnt\system32, depending on the operating system. %temp% is the Windows default temporary folder, usually located in the main Windows folder. The worm also adds keys and values to the Windows registry so that it runs when the victim's machine is started.
How to Remove MyDoom
Follow the instructions below to remove MyDoom from your computer manually.
- Disable System Restore (Windows XP).
- Restart the computer to safe mode.
- Run a full system scan with an updated anti-virus tool.
- Open the registry editor (click Start > Run, type Regedit and click OK), then locate and expand the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"Taskmon"="%System%\taskmon.exe"
Note: %System% is a variable that refers to the location of the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- In the left pane of the registry editor, find and delete the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Exit the Registry Editor.
- Re-register the Webcheck.dll file. To do this, click Start > Run, then type, or copy and paste, the following text:
regsvr32 webcheck.dll
Click OK. When you see the message "DllRegisterServer in webcheck.dll succeeded," click OK.
You can also remove this worm using the removal tool developed by Symantec.