
What You Should Know About the Mydoom Worm Variants: Mydoom.A and Mydoom.B

Published: January 27, 2004 | Updated: January 31, 2004 - 6:20 P.M. Pacific Time

Severity

Moderate Severity

Impact of Attack

  • Mass mailing


On This Page

Why We Are Issuing This Alert
How to Help Protect Against These Worms
How to Tell If a Computer Is Infected with Mydoom.A or Mydoom.B
What to Do If Your Computer Is Infected with Mydoom.B
Visit Antivirus Software Vendors for More Information
Potential Distributed Denial of Service Attack Against Microsoft.com
What the Severity Ratings Mean



Why We Are Issuing This Alert

The Mydoom.A and Mydoom.B worm variants are currently spreading rapidly through e-mail messages. They attempt to entice e-mail recipients into opening a file attachment, most commonly one with a .zip file name extension. If the attached file is opened, the worm installs malicious code on the computer and sends copies of itself to all contacts in the user's address book. Both versions of the worm leave a file on the infected machine that can allow a malicious individual to access that machine remotely (a backdoor). Mydoom.B also reportedly blocks access to some websites, including Microsoft.com and some antivirus vendors' websites.

We will update this page as soon as more information becomes available.

Affected Products
  • Microsoft® Outlook®
  • Microsoft Outlook Express

How to Help Protect Against These Worms


  1. If you ever receive a questionable e-mail message that contains an attachment, especially one with a .zip file name extension, do not open the attachment. Because the worm mails itself to the addresses it finds on an infected machine, a message can appear to come from someone you know, so confirm with the sender by another channel (not by replying) that the message is legitimate and the attachment is safe; if you cannot, delete the message immediately. Also note that Microsoft never distributes unsolicited software through e-mail messages.
  2. To block harmful attachments in e-mail messages, get the latest updates for Outlook and Outlook Express by doing the following:


How to Tell If a Computer Is Infected with Mydoom.A or Mydoom.B


To find out whether your computer is infected, use the procedure for your operating system. The first procedure is for Windows NT 4.0, Windows 2000, and Windows XP (which use cmd.exe); the second is for Windows 95, Windows 98, and Windows Millennium Edition (which use command.com). Both procedures search the current drive by file name only: if you have more than one drive, repeat the search from the root of each, and confirm any hit with an up-to-date antivirus scanner. Note that ctfmon.exe is a legitimate Windows component; the Mydoom.B file is ctfmon.dll, which is why the search below is for the .dll name.

On Windows NT 4.0, Windows 2000, or Windows XP, do the following:

  1. Click Start, and then click Run.
  2. In the Open box, type:
    cmd
  3. Click OK. The black Command Prompt window will open, displaying C:\...>.
  4. Type cd \ and press ENTER. The prompt changes to C:\>, the root of the drive.
  5. To check for Mydoom.A, type:
    dir shimgapi.dll /a /s
  6. Press ENTER.
  7. Wait a few moments while the whole drive is searched:
    • If the results show File not found, the computer is not infected with Mydoom.A.
    • If the results show Total files listed (see Figure 1, below; note: your Directory of results may vary) and the file size is displayed, the computer is infected with Mydoom.A, and you need to contact your antivirus vendor.
  8. To check for Mydoom.B, type:
    dir ctfmon.dll /a /s
  9. Press ENTER.
  10. Wait a few moments:
    • If the results show File not found, the computer is not infected with Mydoom.B.
    • If the results show Total files listed (see Figure 2, below; note: your Directory of results may vary) and the file size is displayed, the computer is infected with Mydoom.B, and you need to follow the steps below.
Figure 1   Command Prompt window on a Windows Millennium–based computer infected with Mydoom.A
Figure 2   Command Prompt window on a Windows Millennium–based computer infected with Mydoom.B

 

On Windows 95, Windows 98, or Windows Millennium Edition, do the following:

  1. Click Start, and then click Run.
  2. In the Open box, type:
    command
  3. Click OK. The black Command Prompt window will open, displaying C:\...>.
  4. Type cd \ and press ENTER. The prompt changes to C:\>, the root of the drive.
  5. To check for Mydoom.A, type:
    dir shimgapi.dll /a /s
  6. Press ENTER.
  7. Wait a few moments while the whole drive is searched:
    • If the results show File not found, the computer is not infected with Mydoom.A.
    • If the results show Total files listed (see Figure 1, above) and the file size is displayed, the computer is infected with Mydoom.A, and you need to contact your antivirus vendor.
  8. To check for Mydoom.B, type:
    dir ctfmon.dll /a /s
  9. Press ENTER.
  10. Wait a few moments:
    • If the results show File not found, the computer is not infected with Mydoom.B.
    • If the results show Total files listed (see Figure 2, above) and the file size is displayed, the computer is infected with Mydoom.B, and you need to follow the steps below.

What to Do If Your Computer Is Infected with Mydoom.B


If your computer is infected, first consult your preferred antivirus vendor to get the latest updates and information. Mydoom.B blocks Microsoft.com and some antivirus vendors' websites by adding entries to the HOSTS file, so if you cannot reach your vendor's website, reset the HOSTS file using the procedure for your operating system. Two caveats: deleting the file also discards any entries you added yourself, so copy it elsewhere first if you need them and re-add the legitimate lines afterwards; and resetting the file only restores name resolution, it does not remove the worm, so obtain the vendor's removal tool immediately afterwards.

On Windows NT 4.0, Windows 2000, or Windows XP, do the following:

  1. Click Start, and then click Run.
  2. In the Open box, type:
    cmd
  3. Click OK. The black Command Prompt window will open, displaying C:\...>.
  4. Type cd \ and press ENTER. The prompt changes to C:\>.
  5. Type the following commands. The first deletes the modified HOSTS file (/F overrides a read-only attribute), the second creates a new file containing only a comment line, and the third marks the new file read-only:
    1. Type:
      del /F %systemroot%\system32\drivers\etc\hosts
    2. Press ENTER.
    3. Type:
      echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts
    4. Press ENTER.
    5. Type:
      attrib +R %systemroot%\system32\drivers\etc\hosts
    6. Press ENTER.
  6. After typing these commands, do one of the following:
    • If you use Windows NT 4.0, restart your computer.
    • If you use Windows XP or Windows 2000, do not restart your computer. Instead, clear the DNS resolver cache so the old HOSTS entries are no longer used:
      1. Type:
        ipconfig /flushdns
      2. Press ENTER.

On Windows 95, Windows 98, or Windows Millennium Edition, do the following:

  1. Click Start, and then click Run.
  2. In the Open box, type:
    command
  3. Click OK. The black Command Prompt window will open, displaying C:\...>.
  4. Type cd \ and press ENTER. The prompt changes to C:\>.
  5. Click in the window and:
    1. Type:
      del c:\windows\hosts
    2. Press ENTER.
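The two manual checks on this page, the file-name search in "How to Tell If a Computer Is Infected" and the HOSTS file reset in this section, can be combined into one triage script. The following Python is an added example, not Microsoft's tooling and not part of the original advisory. It reuses the advisory's drop-file names (shimgapi.dll for Mydoom.A, ctfmon.dll for Mydoom.B) and generalises the HOSTS step: rather than deleting the whole file, it flags only the entries that sinkhole a name to 0.0.0.0 or a loopback address, so legitimate custom entries survive. The SAMPLE_HOSTS content and the example.internal/.example host names are constructed for the demonstration; the advisory does not list which names Mydoom.B blocks.

```python
"""Triage helpers for the two Mydoom indicators in this advisory.

Added example, not Microsoft's tooling. The drop-file names come from the
advisory; SAMPLE_HOSTS below is constructed for the demonstration.
"""
import ipaddress
import ntpath
import os
from typing import Dict, Iterable, List, Tuple

# File names the advisory says the two variants leave behind (Windows
# file systems are case-insensitive, so matching is done in lower case).
MYDOOM_DROP_FILES = {
    "shimgapi.dll": "Mydoom.A",
    "ctfmon.dll": "Mydoom.B",
}

# Names that legitimately resolve to loopback and must never be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed HOSTS content: one stock entry, one legitimate local entry and
# three sinkhole entries of the kind Mydoom.B adds (names are illustrative).
SAMPLE_HOSTS = """\
# Windows HOSTS file (header comment)
127.0.0.1       localhost
10.0.0.5        intranet.example.internal   # legitimate local entry
0.0.0.0         www.microsoft.com
0.0.0.0         windowsupdate.microsoft.com
127.0.0.1       www.antivirus-vendor.example
"""


def walk_files(root: str) -> Iterable[str]:
    """Yield every file path under root, hidden and system files included,
    which is what `dir <name> /a /s` searches."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def find_dropped_files(paths: Iterable[str]) -> Dict[str, str]:
    """Return {path: variant} for every path whose file name is a known
    Mydoom drop file. ntpath.basename handles both \\ and / separators."""
    hits = {}
    for path in paths:
        variant = MYDOOM_DROP_FILES.get(ntpath.basename(path).lower())
        if variant:
            hits[path] = variant
    return hits


def is_sinkhole(ip_text: str) -> bool:
    """True for 0.0.0.0 (unspecified) or any loopback address, the two ways a
    HOSTS entry makes a name unreachable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def triage_hosts(text: str) -> Tuple[List[str], str]:
    """Split HOSTS content into (suspicious_lines, cleaned_text).

    A line is suspicious when it maps any name other than localhost to a
    sinkhole address. Comments, blank lines and ordinary entries are kept
    verbatim, so the cleaned text preserves legitimate customisations that
    `del hosts` would discard."""
    suspicious, kept = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comment
        if len(fields) >= 2 and is_sinkhole(fields[0]):
            names = {name.lower() for name in fields[1:]}
            if not names <= LOOPBACK_NAMES:
                suspicious.append(line)
                continue
        kept.append(line)
    return suspicious, "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a live machine: search the system drive and inspect the HOSTS file
    # at its NT (system32\drivers\etc) or Windows 9x (c:\windows) location.
    systemroot = os.environ.get("SystemRoot", r"C:\WINDOWS")
    drive_root = os.path.splitdrive(systemroot)[0] + "\\"
    for path, variant in find_dropped_files(walk_files(drive_root)).items():
        print(f"{variant} indicator: {path}")
    for hosts in (os.path.join(systemroot, "system32", "drivers", "etc", "hosts"),
                  os.path.join(systemroot, "hosts")):
        if os.path.isfile(hosts):
            with open(hosts, encoding="ascii", errors="replace") as fh:
                bad, _cleaned = triage_hosts(fh.read())
            for line in bad:
                print(f"sinkhole entry in {hosts}: {line}")
```

Like the advisory's dir command, find_dropped_files matches on file name only, so treat a hit as a reason to run an antivirus scanner, not as proof by itself. The cleaned text from triage_hosts is what you would write back in place of the "# Temporary HOSTS file" stub, followed by ipconfig /flushdns on Windows 2000 or XP.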

Visit Antivirus Software Vendors for More Information


If your computer is infected with either Mydoom.A or Mydoom.B and you need technical assistance, contact your antivirus vendor or Microsoft Product Support Services for help removing the worm.

  • For Microsoft Product Support Services in the United States and Canada, call toll free (866) PCSAFETY (727-2338).
  • For Microsoft Product Support Services outside the United States and Canada, visit the Product Support Services Web page.

Find additional information and resources from antivirus software vendors participating in the Microsoft Virus Information Alliance:


Potential Distributed Denial of Service Attack Against Microsoft.com

Microsoft is aware that computers infected with the Mydoom.B variant are set to conduct a distributed denial of service (DDoS) attack against Microsoft websites. Although Microsoft is unable to discuss the specific remedies it is taking to prevent the reported DDoS attack, we are doing everything we can to ensure that Microsoft properties remain fully available to our customers. Microsoft is aggressively working with our Virus Information Alliance partners to help protect customers from this outbreak.

If you know someone whose computer is infected with the Mydoom.B variant, that person may not be able to view this Web page. The same information that you see on this page can be found at:

https://information.microsoft.com/security/antivirus/mydoom.asp

Note Visitors to this page may see a Security Information dialog box with this message: This page contains both secure and nonsecure items. Do you want to display the nonsecure items?. On this page, click No.

What the Severity Ratings Mean

Critical. A vulnerability related to a Microsoft product has been found, or an update is unavailable; two or more vectors of infection are known; a new vector of infection is possible; the distribution potential is high; unique data destruction can occur; and a significant disruption of service has occurred.

Moderate. A potential vulnerability related to a Microsoft product has been found; two or fewer vectors of infection are known; a new vector of infection is possible; the distribution potential is medium to high; unique data destruction has not occurred; and significant disruption of service has not occurred.

Low. Vulnerabilities related to a Microsoft product have not been found; only one vector of infection is known; new vectors of infection have not been found; the distribution potential is low; unique data destruction has not occurred; and significant disruption of service has not occurred.



©2004 Microsoft Corporation. All rights reserved.