January 28th 2004

There's a new virus out there and MyDoom is its name. It is also known as w32.mydoom@mm, Novarg, Shimgapi, Shimg, and MiMail.r. It comes as a zipped file (undetected by most virus filters). It also uses Kazaa to spread "the word" and will land in the "My Shared Documents" folder.

As is usually the case, it only affects Windows users, not those using Macintosh, Linux, or Unix machines.

You may be getting bombarded with attachments which you weren't expecting from both people you know and people you don't know. I've received at least 50 in the past 2 days.
From Feb 1st - Feb 12th, if you stay infected with this virus and don't have a firewall set up, your computer will be used to attack other computers. You won't even know it's happening (other than slower performance of your machine). Other bad stuff usually comes along with this type of attack.

On a lighter note: The next T&T Newsletter - Portable Music Explained and MP3/iPod players reviewed - is due out by Saturday, 1/31.
What to do Now (The Must Read Section of this Email)

Don't open unexpected attachments - even from people you know - as they might not know they are infected with the virus.

If you get any of these unexpected attachments - resist the temptation - delete the email immediately. If you have a program which puts attachments in a separate folder (like Eudora), go to this folder and delete all attachments.

If you've been infected (if you clicked on one of these attachments and it did nothing), go to Symantec's Removal Page: http://snipurl.com/445q, print the instructions, download the removal tool and run it twice, once before and once after rebooting the computer. After doing this, follow the next step as well.

If you don't think you've been infected, run the anti-virus update of your current anti-virus software and run a full scan.

If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\. Delete this immediately and follow the suggestions above for using the removal tool.

Note: Even if you have anti-virus software set to auto-update, it only does this about once every 3-7 days. As we've talked about in the past, whenever you hear about new viruses, update your anti-virus software immediately and run a full system scan.
The Details
How it works

MyDoom arrives as e-mail with the subject line "Mail Delivery System," "Test," or "Mail Transaction Failed."

The body text reads: "The message contains Unicode characters and has been sent as a binary attachment."

The attached file is one of the following:
- document.zip
- document.pif
- doc.scr
- message.pif
- readme.exe
- file.zip
- message.zip
- oia.zip
- text.zip
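The subject lines, body text and attachment names above are exactly the kind of characteristics a mail filter can key on, and the "zipped file" trick only works against filters that never look inside the archive. The following is an added example (not code from the newsletter or from any vendor's filter) that parses a raw e-mail message, checks the subject, body and attachment names against the indicators listed above, and opens any ZIP attachment to look for executable members. The sample message and the ZIP contents it builds are constructed for the demonstration; the member name document.pif inside the ZIP is an assumption, since the newsletter does not say what the ZIP contains.

```python
"""Mail-filter check for the MyDoom e-mail characteristics listed above.

Added example, not code from the newsletter: parse an RFC 822 message, test the
subject line, body text and attachment names against the published indicators,
and open ZIP attachments to look for executable members. The sample message and
ZIP contents built below are constructed demo data.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the newsletter text (compared case-insensitively).
SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
BODY_TEXT = "the message contains unicode characters and has been sent as a binary attachment"
ATTACHMENT_NAMES = {
    "document.zip", "document.pif", "doc.scr", "message.pif", "readme.exe",
    "file.zip", "message.zip", "oia.zip", "text.zip",
}
# Extensions Windows will run as a program; .pif and .scr are the ones this worm uses.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def zip_executable_members(data: bytes) -> list[str]:
    """Return the names of executable files inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list[str]:
    """Return a list of human-readable MyDoom indicators found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject: {subject!r}")

    # Collapse whitespace so line wrapping in the transport encoding does not matter.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in " ".join(body.get_content().lower().split()):
        hits.append("body: unicode/binary-attachment text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append(f"attachment name: {name}")
        elif name.endswith(EXECUTABLE_EXTS):
            hits.append(f"executable attachment: {name}")
        if name.endswith(".zip"):
            # Look inside the archive instead of trusting the harmless-looking .zip name.
            for member in zip_executable_members(part.get_payload(decode=True)):
                hits.append(f"executable inside zip {name}: {member}")
    return hits


def build_sample_message() -> bytes:
    """Construct a message with the newsletter's characteristics (demo data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed placeholder content; the member name is an assumption.
        zf.writestr("document.pif", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content(
        "The message contains Unicode characters and has been sent as a binary attachment."
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("FLAG", hit)
```

Run against the constructed message this reports four hits: the subject line, the body text, the attachment name document.zip, and the executable member found inside the archive. A message with none of these characteristics returns an empty list, so the function can be used directly as a quarantine decision in a filter.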
If executed, the worm will first pop open a session of Notepad containing garbage text.

Then, it will copy itself into the \windows\%system% directory under the filename "taskmon.exe".

So that it gets run each time a user restarts their computer, the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
TaskMon=C:\Windows\System\taskmon.exe

When the worm is executed, MyDoom adds the following files to the Windows/System subdirectory:

shimgapi.exe
taskmon.exe

If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\.
The worm appears to install programs on infected computers; however, the programs themselves are encrypted. MyDoom is known to open Windows Notepad and display garbage text; it is also thought to be flooding SCO.com with a denial-of-service attack. In addition, the security companies iDefense and McAfee are reporting that MyDoom opens port 3127 to listen for commands from a remote attacker.
************************
Hope you enjoyed the ride....

Clyde Lerner, In The Moment Computing
Phone: 408.732.8500
E-mail comments/feedback to: http://www.itmcomputing.com/contact_computer.php
This newsletter is a service of In The Moment Computing and is Copyright 2005 Clyde Lerner. All worldwide rights reserved. If forwarding, please forward all of e-mail, not any portion therein. To see past issues of This and That Computer Tips newsletter, please visit the web at: http://www.itmcomputing.com/newsletter.php and click on "Archives."
Please note: Unless requested, questions pertaining to this newsletter will be answered in a 3-4 week time frame. If you need a faster response, there will be a small consultation fee of $15 per e-mail response. You will receive a reply within 48 hours.
"Complete Computer Help (Networks, New Computer Installs, Software Training) for Individuals and Small Businesses"
"Designing your Perfect Website, at an Affordable Cost, in a Timely Manner"
Eliminate and Destroy unwanted email: http://spamarrest.com/affl?1337207
Send a greeting card through the Internet so recipient gets card in their postal mailbox: www.sendoutcards.com/7197 - let me walk you through how to send a card - it's easy.
©2004 In The Moment (ITM) Computing. All rights reserved.