K
KenKnightJack
There is a bad virus out called worm doom (see info here:
http://tinyurl.com/26xtv
some free antivirus solutions are AVG free
http://www.grisoft.com/us/us_dwnl_free.php
download install and update it, its free!
and another free online web based scanner is this:
http://us.mcafee.com/root/mfs/default.asp
-Kenny S
Description:
As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a
yellow alert to control the spread of WORM_MYDOOM.A (previously known as
WORM_MIMAIL.R).
This mass-mailing worm selects from a list of email subjects, message
bodies, and attachment file names for its email messages. It spoofs the
sender name of its messages so that they appear to have been sent by
different users instead of the actual users on infected machines.
It can also propagate through the Kazaa peer-to-peer file-sharing network.
It performs a denial of service (DoS) attack against the software business
site www.sco.com. It attacks the site if the system date is February 1, 2004
or later. It ceases attacking the site and running most of its routines on
February 12, 2004.
It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The
backdoor component opens port 3127 to 3198 to allow remote users to access
and manipulate infected systems. Note that it allows remote access even
after February 12, 2004.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Please refer to the Technical Details section for more information on this
malware.
doom doom doom
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use TREND
MICRO Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware
program.
Scan your system with TREND MICRO antivirus and NOTE all files detected as
WORM_MYDOOM.A. To do this, TREND MICRO customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
TREND MICRO's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected
earlier.
Select one of the detected files, then press either the End Task or the End
Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and
then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.
Removing the Backdoor DLL File
To be able to remove the DLL file, you need to terminate the EXPLORER.EXE
process first.
Click Start>Run. Type COMMAND and press Enter.
Terminate EXPLORER.EXE.
On Windows NT/2000/XP
Open Windows Task Manager. Press CTRL+SHIFT+ESC and click the Processes tab.
In the list of running programs, select EXPLORER.EXE.
Right-click EXPLORER.EXE and click End Process Tree.
On Windows 9x/ME
Download and install a third-party process viewer like Process Explorer.
Run process viewer.
In the list of running programs, select and terminate the process
EXPLORER.EXE.
Close the process viewer.
Switch to the command prompt. Hold the ALT key then continue pressing TAB
until you arrive at the command prompt window.
Enter the following on the command prompt:
del %System%\shimgapi.dll
Restart the EXPLORER.EXE process by entering EXPLORER.EXE on the command
prompt.
Close command prompt.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press
Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TaskMon = %System%\taskmon.exe
(Note: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT
and 2000, and C:\Windows\System32 on Windows XP.)
(Note: Some registry entries may point to a legitimate Windows utility with
the same file name, TASKMON.EXE, and that can be found in the Windows folder
on some systems.)
Removing Other Malware Entries from the Registry
Still in Registry Editor, in the left panel, double click the following:
HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}>
InProcServer32
In the right panel, locate and delete the entry:
(Default) = "%System%\shimgapi.dll"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Running TREND MICRO Antivirus
Scan your system with TREND MICRO antivirus and delete all files detected as
WORM_MYDOOM.A. To do this, TREND MICRO customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
TREND MICRO's free online virus scanner.
NOTE: For product specific solutions, please refer to Solution 18309 of the
TREND MICRO Knowledge Base.
http://tinyurl.com/26xtv
some free antivirus solutions are AVG free
http://www.grisoft.com/us/us_dwnl_free.php
download install and update it, its free!
and another free online web based scanner is this:
http://us.mcafee.com/root/mfs/default.asp
-Kenny S
Description:
As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a
yellow alert to control the spread of WORM_MYDOOM.A (previously known as
WORM_MIMAIL.R).
This mass-mailing worm selects from a list of email subjects, message
bodies, and attachment file names for its email messages. It spoofs the
sender name of its messages so that they appear to have been sent by
different users instead of the actual users on infected machines.
It can also propagate through the Kazaa peer-to-peer file-sharing network.
It performs a denial of service (DoS) attack against the software business
site www.sco.com. It attacks the site if the system date is February 1, 2004
or later. It ceases attacking the site and running most of its routines on
February 12, 2004.
It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The
backdoor component opens port 3127 to 3198 to allow remote users to access
and manipulate infected systems. Note that it allows remote access even
after February 12, 2004.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Please refer to the Technical Details section for more information on this
malware.
doom doom doom
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use TREND
MICRO Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware
program.
Scan your system with TREND MICRO antivirus and NOTE all files detected as
WORM_MYDOOM.A. To do this, TREND MICRO customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
TREND MICRO's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected
earlier.
Select one of the detected files, then press either the End Task or the End
Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and
then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.
Removing the Backdoor DLL File
To be able to remove the DLL file, you need to terminate the EXPLORER.EXE
process first.
Click Start>Run. Type COMMAND and press Enter.
Terminate EXPLORER.EXE.
On Windows NT/2000/XP
Open Windows Task Manager. Press CTRL+SHIFT+ESC and click the Processes tab.
In the list of running programs, select EXPLORER.EXE.
Right-click EXPLORER.EXE and click End Process Tree.
On Windows 9x/ME
Download and install a third-party process viewer like Process Explorer.
Run process viewer.
In the list of running programs, select and terminate the process
EXPLORER.EXE.
Close the process viewer.
Switch to the command prompt. Hold the ALT key then continue pressing TAB
until you arrive at the command prompt window.
Enter the following on the command prompt:
del %System%\shimgapi.dll
Restart the EXPLORER.EXE process by entering EXPLORER.EXE on the command
prompt.
Close command prompt.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press
Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TaskMon = %System%\taskmon.exe
(Note: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT
and 2000, and C:\Windows\System32 on Windows XP.)
(Note: Some registry entries may point to a legitimate Windows utility with
the same file name, TASKMON.EXE, and that can be found in the Windows folder
on some systems.)
Removing Other Malware Entries from the Registry
Still in Registry Editor, in the left panel, double click the following:
HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}>
InProcServer32
In the right panel, locate and delete the entry:
(Default) = "%System%\shimgapi.dll"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Running TREND MICRO Antivirus
Scan your system with TREND MICRO antivirus and delete all files detected as
WORM_MYDOOM.A. To do this, TREND MICRO customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
TREND MICRO's free online virus scanner.
NOTE: For product specific solutions, please refer to Solution 18309 of the
TREND MICRO Knowledge Base.
)