
MyDoom.m prevention and cure

A spoofed warning from your e-mail provider may disguise this virus.


By Robert Vamosi
CNET News.com

The latest version of the MyDoom virus uses social trickery to get users to infect themselves. MyDoom.m (w32.mydoom.m@mm; also known as MyDoom.l by Norman, MyDoom.n by Computer Associates, and MyDoom.o by Sophos) is a mass-mailing worm, packed with UPX and approximately 28KB in size, that uses its own SMTP engine to send copies of itself to addresses harvested from the infected PC. It also queries various search engines for additional e-mail addresses at the domains it has harvested, and the volume of those queries may slow or disable the search engines. MyDoom.m does not affect Linux, Mac, or Unix systems. Because MyDoom.m spreads via e-mail, opens a remote-access back door on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
MyDoom.m builds its e-mail messages from hard-coded text strings stored in the worm body, so the subject and body vary from message to message. The sender address is forged, so the message may appear to come from someone you know. More often, the body claims that your e-mail account has been compromised by a virus or has recently been used to send spam, and it is signed as if by the technical support team of your own e-mail domain: someone@mydomain.com, for example, would receive a note signed by the mydomain.com team. The body then urges you to open the attached file (usually a ZIP, but it could also be an EXE, COM, SCR, PIF, BAT, or CMD) for more information. Do not follow this instruction; opening the attachment launches the worm on your PC.
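The lure described above has three machine-checkable traits: the sender claims the recipient's own domain, the body talks about the account being compromised or sending spam, and the attachment is an executable type or a ZIP wrapping one. The following mail-gateway check, written for this article as an added example (it is not CNET's code, nor any antivirus vendor's), combines those traits. The sample messages it builds are constructed for the example and are not real captures; the ZIP member contains placeholder bytes, not the worm.

```python
"""Flag messages that match the MyDoom.m lure pattern (added example)."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the article lists as carriers of the worm.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Phrases typical of the "your account was abused" lure (assumed wording).
LURE_PHRASES = ("virus", "spam", "team", "attached")


def _ext(name):
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def executable_names(filename, payload):
    """Return attachment names that would run code if the user opened them.

    A ZIP is listed in memory (names only, nothing is extracted) so an
    executable hidden inside the archive is still reported."""
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:
        return [filename]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
        except zipfile.BadZipFile:
            return [filename]  # malformed archive: treat as suspicious
    return []


def _domain(header_value):
    return email.utils.parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def assess(raw):
    """Return (suspicious, reasons) for one raw RFC 822 message.

    A message is suspicious when it carries an executable attachment AND
    at least one social-engineering trait (same-domain sender or lure text)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_dom = _domain(msg.get("From", ""))
    to_dom = _domain(msg.get("To", ""))
    if from_dom and from_dom == to_dom:
        reasons.append("sender claims the recipient's own domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if sum(p in text for p in LURE_PHRASES) >= 2:
        reasons.append("account-compromise lure text")
    exe_hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        exe_hits += executable_names(part.get_filename() or "", payload)
    reasons += [f"executable attachment: {n}" for n in exe_hits]
    suspicious = bool(exe_hits) and len(reasons) > len(exe_hits)
    return suspicious, reasons


def build_sample():
    """Constructed lure shaped like the article's description (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("message.scr", b"placeholder bytes, not the worm")
    msg = EmailMessage()
    msg["From"] = "support@mydomain.com"
    msg["To"] = "someone@mydomain.com"
    msg["Subject"] = "Notice"
    msg.set_content("Your e-mail account has been used to send spam recently.\n"
                    "See the attached file for details.\n\nThe mydomain.com team")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "someone@mydomain.com"
    msg["Subject"] = "Lunch"
    msg.set_content("Still on for lunch tomorrow?")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess(build_sample()))
    print(assess(build_benign()))
```

Requiring an executable attachment plus one social trait, rather than any single trait, keeps legitimate same-domain mail and genuine helpdesk notices from being quarantined; a ZIP that fails to parse is deliberately treated as suspicious rather than passed through.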

Once executed, MyDoom.m installs itself in the Windows folder as:

C:\WINDOWS\JAVA.EXE
C:\WINDOWS\SERVICES.EXE

MyDoom.m also changes the system registry by adding the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
JavaVM="[Windows folder]\java.exe"
Services="[Windows folder]\services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Daemon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

MyDoom.m also opens port 2110 and listens on it for remote-access connections; this is the back door.
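The file names, Run values, and listening port above are host indicators an administrator can check without a signature update. The script below is an added example written for this article, not CNET's or any vendor's tool: it parses the text output of `reg query` against the Run key and of `netstat -ano` (Windows XP syntax) and reports matches. The command outputs embedded in it are constructed samples; the PID 1488 and the other entries are invented for illustration.

```python
"""Triage the MyDoom.m host indicators from command output (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Run value name -> image the article says it points to in the Windows folder.
INDICATORS = {"javavm": "java.exe", "services": "services.exe"}
BACKDOOR_PORT = 2110

# Constructed output of: reg query "<RUN_KEY>"   (not from a real host)
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    C:\WINDOWS\services.exe
    Synchronization Manager    REG_SZ    mobsync.exe /logon
"""

# Constructed output of: netstat -ano   (PIDs and addresses are invented)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:2110           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.5:1052       64.233.161.99:80       ESTABLISHED     1488
  UDP    0.0.0.0:445            *:*                                    4
"""


def run_entries(reg_output):
    """Parse `reg query` text into {value name: data}; names may contain spaces."""
    entries = {}
    for line in reg_output.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def suspicious_run_entries(entries, windir=r"C:\WINDOWS"):
    """Return (name, data) pairs whose name and image match the indicators.

    The genuine services.exe lives in system32, so a Run value that starts
    services.exe from the Windows folder itself is the tell, not the name."""
    hits = []
    for name, data in entries.items():
        image = INDICATORS.get(name.lower())
        if image is None:
            continue
        path = data.strip().strip('"').lower()
        if path == (windir + "\\" + image).lower():
            hits.append((name, data))
    return hits


def listeners_on(netstat_output, port=BACKDOOR_PORT):
    """Return PIDs of TCP sockets in LISTENING state on the given local port."""
    pids = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(f[4]))
    return pids


def triage(reg_output, netstat_output):
    """Combine both checks into one report dict."""
    return {
        "run_values": suspicious_run_entries(run_entries(reg_output)),
        "backdoor_pids": listeners_on(netstat_output),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT))
```

On a live host, feed the functions the real output of `reg query` and `netstat -ano`; a PID reported for port 2110 can then be matched against `tasklist` to confirm which image owns the socket before the process is killed and the Run values removed.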

Prevention
If you receive MyDoom.m, do not open the attached file. The best way to prevent infection is to keep your antivirus signature files current. A personal firewall that blocks unsolicited inbound connections will also keep the virus author from reaching the back door on your PC, though it will not stop the worm from running if you open the attachment.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates (MyDoom.n), F-Secure, Kaspersky, McAfee, Norman (MyDoom.l), Panda, Sophos (MyDoom.o), Symantec, and Trend Micro.
