MCSE World
Everything you need for your Microsoft certifications...MCITP, MCTS, MCSE, Architect, Master and more!
 

Old 02-09-2004, 07:17 AM   #1
QOD
Moderator
Quantum.Orbital.Dynamics
 
 
Join Date: Sep 2003
Location: Ohio
Posts: 2,483
tool for removing mydoom virus from microsoft

source http://www.microsoft.com/security/antivirus/mydoom.asp

Quote:
What You Should Know About the Mydoom Worm Variants: Mydoom.A and Mydoom.B
Published: January 27, 2004 | Updated: February 6, 2004 - 6:10 P.M. Pacific Time



Automatically Check For and Remove Mydoom Infection

If you are using Microsoft® Windows® 2000 or Windows XP, you can use our Mydoom (A,B) Worm Removal Tool to easily help detect and remove the Mydoom.A and Mydoom.B worms. To do so, go to the MyDoom (A,B) Worm Removal Tool for Windows XP and Windows 2000 in the Download Center, and then follow the instructions for using the tool.


--------------------------------------------------------------------------------
On This Page
Why We Are Issuing This Alert
How to Help Protect Against E-Mail–Borne Worms
How to Tell If Your Computer Is Infected with Mydoom.A or Mydoom.B
What to Do If Your Computer Is Infected with Mydoom.B
Visit Antivirus Software Vendors for More Information
Potential Distributed Denial of Service Attack Against Microsoft.com
What the Severity Ratings Mean

--------------------------------------------------------------------------------



Why We Are Issuing This Alert
The Mydoom.A and Mydoom.B worm variants are currently spreading rapidly through e-mail messages. They attempt to entice e-mail recipients into opening a file attachment, most commonly those with a .zip file name extension. If the attached file is opened, the worm installs malicious code on the computer user's system and sends copies of itself to all contacts in the user's address book. Both versions of the worm leave a file on the infected machine that can potentially allow a malicious individual to access that machine. Mydoom.B also reportedly blocks access to some websites, including Microsoft.com and some antivirus vendors' websites.

We will update this page as soon as more information becomes available.

Affected Products
Microsoft® Outlook®
Microsoft Outlook Express




How to Help Protect Against E-Mail–Borne Worms


If you ever receive a questionable e-mail message that contains an attachment—especially if it has a .zip file name extension—do not open the attachment. If you cannot confirm with the sender that the message is legitimate and that the attachment is safe, delete the message immediately. Also note that Microsoft never distributes unsolicited software through e-mail messages.
To block harmful attachments in e-mail messages, get the latest updates for Outlook and Outlook Express by doing the following:
If you use Outlook 2003: Learn which attachment types are blocked in Outlook 2003.
If you use Outlook 2002: Get the latest Office service packs and learn which attachment types are blocked in Outlook 2002.
If you use Outlook 2000: Get the latest Office service packs.
If you use Outlook Express 6: Learn about virus protection features.
If you use earlier versions of Outlook Express: Download the latest version of Internet Explorer, which includes the latest version of Outlook Express.





How to Tell If Your Computer Is Infected with Mydoom.A or Mydoom.B

To find out whether your computer is infected, use one of the following procedures.

First, find out which operating system you use.



If you use Windows XP or Windows 2000

You can use our Mydoom (A,B) Worm Removal Tool to easily help detect and remove the Mydoom.A and Mydoom.B worms automatically.

Automatically Check For and Remove Mydoom Infection

If you prefer, you can follow the steps below to find out if your computer is infected.



If you use Windows XP, Windows 2000, or Windows NT 4.0

To find out if a computer is infected, do the following:


1. Click Start, and then click Run.
2. In the Open box, type:
       cmd
3. Click OK. The black Command Prompt window will open, displaying C:\...>.
4. Type cd \ and press ENTER. This will change the current directory to C:\ followed by a cursor.
5. To check for Mydoom.A, click the cursor, and then type:
       dir shimgapi.dll /a /s
6. Press ENTER.
7. Wait a few moments:
   - If File Not Found is displayed, the computer is not infected with Mydoom.A.
   - If Total Files Listed is displayed (see Figure 1 for details), the computer is infected with Mydoom.A. Contact your antivirus vendor.
8. To check for Mydoom.B, click the cursor, and then type:
       dir ctfmon.dll /a /s
9. Press ENTER.
10. Wait a few moments:
   - If File Not Found is displayed, the computer is not infected with Mydoom.B.
   - If Total Files Listed is displayed (see Figure 2 for details), the computer is infected with Mydoom.B. Follow the steps below.


If you use Windows Millennium Edition, Windows 98, or Windows 95

To find out if a computer is infected, do the following:


1. Click Start, and then click Run.
2. In the Open box, type:
       command
3. Click OK. The black Command Prompt window will open, displaying C:\...>.
4. Type cd \ and press ENTER. This will change the current directory to C:\ followed by a cursor.
5. To check for Mydoom.A, click the cursor, and then type:
       dir shimgapi.dll /a /s
6. Press ENTER.
7. Wait a few moments:
   - If File Not Found is displayed, the computer is not infected with Mydoom.A.
   - If Total Files Listed is displayed (see Figure 3 for details), the computer is infected with Mydoom.A. Contact your antivirus vendor.
8. To check for Mydoom.B, click the cursor, and then type:
       dir ctfmon.dll /a /s
9. Press ENTER.
10. Wait a few moments:
   - If File Not Found is displayed, the computer is not infected with Mydoom.B.
   - If Total Files Listed is displayed (see Figure 4 for details), the computer is infected with Mydoom.B. Follow the steps below.





What to Do If Your Computer Is Infected with Mydoom.B

If your computer is infected, contact your antivirus vendor for the latest updates and information. If you are unable to access your antivirus vendor's website, you can regain access by using one of the following procedures.



If you use Windows XP or Windows 2000

You can use our Mydoom (A,B) Worm Removal Tool to easily help detect and remove the Mydoom.A and Mydoom.B worms automatically.

Automatically Check For and Remove Mydoom Infection

If you prefer, you can follow the steps below to find out if your computer is infected.



If you use Windows XP, Windows 2000, or Windows NT 4.0


1. Click Start, and then click Run.
2. In the Open box, type:
       cmd
3. Click OK. The black Command Prompt window will open, displaying C:\...>.
4. Type cd \ and press ENTER. This will change the current directory to C:\ followed by a cursor.
5. Click the cursor and:
   - Type:
         del /F %systemroot%\system32\drivers\etc\hosts
     Press ENTER.
   - Type:
         echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts
     Press ENTER.
   - Type:
         attrib +R %systemroot%\system32\drivers\etc\hosts
     Press ENTER.
6. After typing these commands, do one of the following:
   - If you use Windows NT 4.0, restart your computer.
   - If you use Windows XP or Windows 2000, do not restart your computer. Instead, do the following:
     Type:
         ipconfig /flushdns
     Press ENTER.



If you use Windows Millennium Edition, Windows 98, or Windows 95


1. Click Start, and then click Run.
2. In the Open box, type:
       command
3. Click OK. The black Command Prompt window will open, displaying C:\...>.
4. Type cd \ and press ENTER. This will change the current directory to C:\ followed by a cursor.
5. Click the cursor and:
   - Type:
         del c:\windows\hosts
     Press ENTER.




Visit Antivirus Software Vendors for More Information

If your computer is infected with either Mydoom.A or Mydoom.B and you need technical assistance, contact your antivirus vendor or Microsoft Product Support Services for help removing the worm.

For Microsoft Product Support Services in the United States and Canada, call toll free (866) PCSAFETY (727-2338).
For Microsoft Product Support Services outside the United States and Canada, visit the Product Support Services Web page.

Find additional information and resources from antivirus software vendors participating in the Microsoft Virus Information Alliance:

McAfee
Trend Micro
Symantec
Computer Associates



Potential Distributed Denial of Service Attack Against Microsoft.com
Microsoft is aware that computers infected with the Mydoom.B variant are set to conduct a distributed denial of service (DDOS) attack against Microsoft websites. Although Microsoft is unable to discuss the specific remedies it is taking to prevent the reported DDOS attack, we are doing everything we can to ensure that Microsoft properties remain fully available to our customers. Microsoft is aggressively working with our Virus Information Alliance partners to help protect customers from this outbreak.

If you know someone whose computer is infected with the Mydoom.B variant, that person may not be able to view this Web page. The same information that you see on this page can be found at:

https://information.microsoft.com/se...rus/mydoom.asp

Note: Visitors to this page may see a Security Information dialog box with this message: "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" On this page, click No.

What the Severity Ratings Mean
Critical. A vulnerability related to a Microsoft product has been found, or an update is unavailable; two or more vectors of infection are known; a new vector of infection is possible; the distribution potential is high; unique data destruction can occur; and a significant disruption of service has occurred.

Moderate. A potential vulnerability related to a Microsoft product has been found; two or fewer vectors of infection are known; a new vector of infection is possible; the distribution potential is medium to high; unique data destruction has not occurred; and significant disruption of service has not occurred.

Low. Vulnerabilities related to a Microsoft product have not been found; only one vector of infection is known; new vectors of infection have not been found; the distribution potential is low; unique data destruction has not occurred; and significant disruption of service has not occurred.



__________________
Too many QODs, very few brain cells.
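
The two manual checks quoted above, automated in Python as an added example (not code from the post or from Microsoft): it searches a directory tree for the two file names the advisory gives, and lists HOSTS entries that make a site unreachable so you can see what was blocked before deleting the file. The function names, the sample HOSTS text, and the assumption that blocking is done by mapping names to a loopback or 0.0.0.0 address are assumptions of this example, not statements from the advisory.

```python
import ipaddress
import os

# File names the advisory says to search for with `dir <name> /a /s`.
INDICATOR_FILES = {"shimgapi.dll": "Mydoom.A", "ctfmon.dll": "Mydoom.B"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def find_indicator_files(root):
    """Walk root like `dir /a /s`; return sorted [(variant, path)] for matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            variant = INDICATOR_FILES.get(name.lower())  # Windows names ignore case
            if variant:
                hits.append((variant, os.path.join(dirpath, name)))
    return sorted(hits)

def suspicious_hosts_entries(text):
    """Return [(address, hostname)] where a non-local name is pinned to a
    loopback or unspecified address (assumed blocking technique)."""
    flagged = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip the line
        if addr.is_loopback or addr.is_unspecified:
            for host in fields[1:]:
                if host.lower() not in LOCAL_NAMES:
                    flagged.append((fields[0], host.lower()))
    return flagged

# Constructed sample input, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
0.0.0.0         www.microsoft.com   # constructed entry
0.0.0.0         av-vendor.example update.av-vendor.example
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(find_indicator_files(os.environ.get("SystemDrive", "C:") + os.sep))
```

A file-name match is only as strong as the advisory's own `dir` check: it tells you to look closer, and an empty result does not cover other variants.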
 

