
Remove MyDoom.B

About MyDoom.B

MyDoom.B is a variant of the mass-mailing worm MyDoom. It spreads via email as an attachment with a .bat, .cmd, .exe, .pif, .scr, or .zip extension. The worm can overwrite certain system files and emails itself to every email address it finds on the victim's machine. It also sets up a backdoor into the system, which can give an attacker access to the machine and let it be used as a proxy to reach the network's resources. The worm uses the victim's machine to launch a DoS (denial of service) attack against www.microsoft.com if the system time is between February 3, 2004 and March 1, 2004.



From: The "From" address may be spoofed.

Subject: The subject will be one of the following:
Returned mail
Delivery Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

Message: The message will be one of the following:
sendmail daemon reported:
Error #804 occured during SMTP session. Partial message has been received.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


Attachment: The attachment file name, not including the extension, will be one of the following:
document
readme
doc
text
file
data
test
message
body

The attached file may have either one or two file extensions. If it does have two, the first extension will be one of the following:
.htm
.txt
.doc

When there are two extensions, a run of spaces is inserted between them, which can push the second, dangerous executable extension out of view. The second extension will be one of the following:
.pif
.scr
.exe
.cmd
.bat
.zip (This is an actual .zip file that contains a copy of the worm, sharing the same file name as the .zip. For example, readme.zip can contain readme.exe.)
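The naming scheme above is regular enough to check mechanically before an attachment is opened. The following Python function is an added example, not code from the original page: the subject lines, base names and extensions are taken from the lists above, while the regular expression, the scoring rules and the sample file names are constructed for this illustration.

```python
import re

# Subject lines and attachment base names as listed in the write-up above.
SUBJECTS = {
    "returned mail", "delivery error", "status", "server report",
    "mail transaction failed", "mail delivery system", "hello", "hi",
}
BASE_NAMES = {"document", "readme", "doc", "text", "file",
              "data", "test", "message", "body"}
DECOY_EXTS = {".htm", ".txt", ".doc"}      # harmless-looking first extension
EXEC_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}  # .zip wraps e.g. readme.exe

# <base>[<decoy ext>][spaces]<final ext>; the base itself may contain dots or spaces.
_NAME_RE = re.compile(
    r"(?P<base>.+?)(?P<decoy>\.[A-Za-z]+)?(?P<pad> *)(?P<ext>\.[A-Za-z]+)"
)


def classify_attachment(filename):
    """Describe why an attachment name does or does not fit the MyDoom.B pattern.

    Returns a dict with 'verdict' ('suspicious', 'ok' or 'unparsed'), the parsed
    parts, and a list of human-readable reasons behind the verdict.
    """
    m = _NAME_RE.fullmatch(filename)
    if m is None:
        return {"verdict": "unparsed", "reasons": [], "base": None,
                "decoy": "", "ext": ""}
    base = m.group("base").strip().lower()
    decoy = (m.group("decoy") or "").lower()
    pad = m.group("pad")
    ext = m.group("ext").lower()
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
        # The space padding is the masking trick described above.
        if decoy in DECOY_EXTS and pad:
            reasons.append(f"decoy extension {decoy} padded with {len(pad)} spaces")
    if base in BASE_NAMES:
        reasons.append(f"worm file name '{base}'")
    verdict = "suspicious" if ext in EXEC_EXTS else "ok"
    return {"verdict": verdict, "reasons": reasons,
            "base": base, "decoy": decoy, "ext": ext}


def looks_like_mydoom_b(subject, attachment):
    """Combine the subject and attachment checks into one verdict for a mail filter."""
    info = classify_attachment(attachment)
    if info["verdict"] != "suspicious":
        return False
    return subject.strip().lower() in SUBJECTS or info["base"] in BASE_NAMES


# Constructed sample names (not taken from a real message).
SAMPLE_NAMES = [
    "document.txt" + " " * 16 + ".pif",
    "readme.exe",
    "quarterly-report.pdf",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        info = classify_attachment(name)
        print(repr(name), info["verdict"], info["reasons"])
```

An executable final extension alone is enough for a "suspicious" verdict; the subject line and the worm's base names only add confidence, since the worm's sender address is spoofed and gives nothing to match on.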

When a user executes the attached executable, the virus creates three files:

%System%\Ctfmon.dll: used as the proxy server component.

%Temp%\Message: a text file containing random letters.

%System%\Explorer.exe: created by the worm. Explorer.exe is also the name of a legitimate Windows file, but the legitimate copy is in the %Windir% folder, not the %System% folder.

Note: %System% is a variable; it is normally C:\windows\system, C:\windows\system32 or C:\winnt\system32, depending on the operating system. %Temp% is the Windows default temporary folder, usually located under the main Windows folder. The worm also adds keys and values to the Windows registry so that it runs when the victim's machine starts.

How to Remove MyDoom.B

Follow the instructions below to remove MyDoom.B from your computer manually.

  1. Disable System Restore (Windows XP).
  2. Remove the entries that were added to the Hosts file.
    Open the file named HOSTS (it has no extension) with Notepad. The hosts file is in the following folder:

    Windows 95/98/Me:
    c:\windows\

    Windows 2000:
    c:\winnt\system32\drivers\etc\

    Windows XP:
    c:\windows\system32\drivers\etc\

    Delete every entry containing one of the following domain names, or simply delete all lines that start with '0.0.0.0'.

    • ad.doubleclick.net
    • ad.fastclick.net
    • ads.fastclick.net
    • ar.atwola.com
    • atdmt.com
    • avp.ch
    • avp.com
    • avp.ru
    • awaps.net
    • banner.fastclick.net
    • banners.fastclick.net
    • ca.com
    • click.atdmt.com
    • clicks.atdmt.com
    • dispatch.mcafee.com
    • download.mcafee.com
    • download.microsoft.com
    • downloads.microsoft.com
    • engine.awaps.net
    • fastclick.net
    • f-secure.com
    • ftp.f-secure.com
    • ftp.sophos.com
    • go.microsoft.com
    • liveupdate.symantec.com
    • mast.mcafee.com
    • mcafee.com
    • media.fastclick.net
    • msdn.microsoft.com
    • my-etrust.com
    • nai.com
    • networkassociates.com
    • office.microsoft.com
    • phx.corporate-ir.net
    • secure.nai.com
    • securityresponse.symantec.com
    • service1.symantec.com
    • sophos.com
    • spd.atdmt.com
    • support.microsoft.com
    • symantec.com
    • update.symantec.com
    • updates.symantec.com
    • us.mcafee.com
    • vil.nai.com
    • viruslist.ru
    • windowsupdate.microsoft.com
    • www.avp.ch
    • www.avp.com
    • www.avp.ru
    • www.awaps.net
    • www.ca.com
    • www.fastclick.net
    • www.f-secure.com
    • www.kaspersky.ru
    • www.mcafee.com
    • www.microsoft.com
    • www.my-etrust.com
    • www.nai.com
    • www.networkassociates.com
    • www.sophos.com
    • www.symantec.com
    • www.trendmicro.com
    • www.viruslist.ru
    • www3.ca.com

    Save and close the file.

  3. Restart the computer in Safe Mode (press F8 before Windows starts).
  4. Run a full system scan with an updated anti-virus tool.
  5. Open registry editor (click Start>Run, type Regedit and click OK), locate and expand the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value:

    Explorer = %System%\explorer.exe

    Note: %System% is a variable that refers to the location of the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  6. In the left pane of registry editor, find and delete the following keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
  7. Re-register the Webcheck.dll file. To do this, click Start > Run, then type, or copy and paste, the following text:

    regsvr32 webcheck.dll

    Click OK. When you see the message "DllRegisterServer in webcheck.dll succeeded," click OK.
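Steps 2, 5 and 6 can be verified with a short script rather than by eye. The Python below is an added example, not code from the original page: it applies the hosts-file rule from step 2 (drop every 0.0.0.0 line or any line naming a listed domain) and the Run-key rule from step 5 (an explorer.exe launched from the System folder). The domain set is a subset of the list in step 2 and should be extended with the rest; the hosts path assumes Windows 2000/XP (%SystemRoot%\system32\drivers\etc), so on Windows 95/98/Me pass the c:\windows\ path instead. The sample hosts content and Run values are constructed.

```python
import ntpath
import os
import sys

# Subset of the domains listed in step 2 above; extend with the full list.
BLOCKED_BY_WORM = {
    "avp.com", "ca.com", "f-secure.com", "mcafee.com", "nai.com", "sophos.com",
    "symantec.com", "www.kaspersky.ru", "www.trendmicro.com", "www.microsoft.com",
    "download.microsoft.com", "windowsupdate.microsoft.com",
}

# Subkey of the two Run keys named in step 5 (under HKLM and HKCU).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample hosts file (not captured from a real machine).
HOSTS_SAMPLE = (
    "# constructed sample\n"
    "127.0.0.1 localhost\n"
    "0.0.0.0 www.symantec.com\n"
    "0.0.0.0 liveupdate.symantec.com\n"
    "127.0.0.1 mcafee.com\n"
    "10.0.0.5 intranet.example\n"
)


def clean_hosts(text, blocked=BLOCKED_BY_WORM):
    """Return (cleaned_text, removed_lines) for the content of a hosts file.

    A line is dropped when its address is 0.0.0.0 (the worm's sinkhole address)
    or when any host name on it is in `blocked`; comments and other entries stay.
    """
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore trailing comments
        if fields and (fields[0] == "0.0.0.0"
                       or any(h.lower() in blocked for h in fields[1:])):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def find_run_indicators(run_values):
    """Return the names of Run values that start an explorer.exe from the System folder.

    `run_values` maps value name -> command string read from one Run key. The
    legitimate Explorer lives in %Windir%, so an explorer.exe under system or
    system32 is the file dropped by the worm (step 5 above).
    """
    hits = []
    for name, command in run_values.items():
        path = command.strip().strip('"')
        exe = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).strip("%").lower()
        if exe == "explorer.exe" and parent in {"system", "system32"}:
            hits.append(name)
    return hits


def _read_run_values(hive_name):
    """Enumerate one Run key via winreg (Windows only); {} if the key is absent."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[name] = str(data)
                index += 1
    except OSError:
        pass
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        cleaned, removed = clean_hosts(HOSTS_SAMPLE)
        print("removed from sample hosts:", removed)
        print("run hits:", find_run_indicators({"Explorer": r"%System%\explorer.exe"}))
    else:
        root = os.environ.get("SystemRoot", r"C:\Windows")  # assumed 2000/XP layout
        hosts = os.path.join(root, "system32", "drivers", "etc", "hosts")
        with open(hosts) as f:
            cleaned, removed = clean_hosts(f.read())
        for line in removed:
            print("hosts:", line)
        if "--apply" in sys.argv:  # dry run unless explicitly asked to write
            with open(hosts, "w") as f:
                f.write(cleaned)
        for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
            for name in find_run_indicators(_read_run_values(hive)):
                print(f"{hive}\\{RUN_KEY}: value '{name}' launches a System-folder explorer.exe")
```

Run it without arguments first to see which hosts lines and Run values it would touch; only `--apply` writes the cleaned hosts file back, and the Run value itself is still deleted in Regedit as in step 5.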

© 2003-2004 SpyAny.com