Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | November 2004 (3.87) |
| Protection available since | 9 September 2004 21:29:50 (GMT) |
| Last updated | 16 September 2004 09:34:48 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinSPF = "windrv32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Version = "FrankenShteiN"
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
WinSPF = "windrv32.exe"
HKCU\[code number]\Software\Microsoft\Internet Explorer
FuckedInst = "1"
and delete them if they exist.
Close the registry editor.
Check your administrator passwords and review network security.
More Information
W32/MyDoom-V is an email worm for the Windows platform.
W32/MyDoom-V may spoof the sender address on email sent by the worm. The worm will attempt to uninstall itself if it is run on or after 20 September 2004.
W32/MyDoom-V will attempt to avoid sending itself to email addresses belonging to system administrators, some software companies and government agencies.
The worm uses a variety of email characteristics such as:
Subject line:
important
Hi!
hi
here
hello
Message text:
Please confirm!
Please answer quickly!
Monthly news report.
For more details see the attachment.
For further details see the attachment.
Can you confirm it?
The attached file may have an EXE, SCR or ZIP extension and a name such as:
details.zip
data.zip
fun.scr
antivirus.exe
patch.exe
W32/MyDoom-V attempts to download and run W32/Surila-A.
W32/MyDoom-V will attempt to avoid sending itself to email addresses containing any of the following strings:
gold-certs
feste
submit
help
service
privacy
somebody
contact
site
someone
anyone
nothing
nobody
noreply
noone
webmaster
news
rating
postmaster
samples
info
root
www
upport
abuse
accoun
certific
listserv
bsd
ntivi
admin
icq.com
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
kernel
google
ibm.com
fsf.
gnu
mit.e
math
berkeley
support
messagelabs
antivi
kasp
linux
unix
spam
@iana
@foo.
.mil
gov.
.gov
icrosoft
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
icrosof
syman
avp.
The worm sends email with the following characteristics:
Subject line may be blank or one of the following:
You win!
thanks!
Thank you!
read it immediately
Re: Your document
Re: Status
Re: Question
Re: Proof of concept
Re: Message
Re: Hi
Re: Hello
Private document
Notice again
News
my
Information
important
Hi!
hi
here
hello
Message text may be blank or one of the following:
screensaverlol!
fun photos
New game
relax
Virus removal tool
You are infected by virus. Run this exe
apply this patch!
apply patch.
game
fun game!
fun!
lol!
See the file.
See attached file for details.
Please read the important document.
Please read the attached file.
Please confirm the document.
I have attached document.
Your requested mail has been attached.
Your archive is attached.
Waiting for a Response. Please read the attachment.
Thanks!
Please see the attached file for details
Please read the document.
Please read the attached file!
Please confirm!
Please answer quickly!
Monthly news report.
For more details see the attachment.
For further details see the attachment.
Can you confirm it?
The message text may also contain one of the following fake anti-virus reports:
+++ Attachment: No Virus found
+++ Norton AntiVirus - www.symantec.de
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - www.f-secure.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - www.norman.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
The attached file has one of the following names:
lol.scr
fun.scr
antivirus.exe
patch.exe
new.exe
pic.exe
photo.exe
game.exe
file.exe
message,.zip
letter.zip
information.zip
info.zip
file.zip
details.zip
data.zip
bill.zip
new.zip
report.zip
doc.zip
document.zip
When the attached file is a ZIP file it will contain a copy of the worm using one of the following names:
Message.html .pif
rep.txt .pif
bill.txt .pif
review.txt .pif
report.txt .pif
mesg.txt .pif
doc.txt .pif
bill.rtf .pif
review.rtf .pif
report.rtf .pif
mesg.rtf .pif
doc.rtf .pif
bill.doc .pif
review.doc .pif
report.doc .pif
mesg.doc .pif
doc.doc .pif
document.doc .pif
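As an added defender-side example (not part of the Sophos description), the following Python checks a message against the email indicators listed above: the subject lines, the attachment names, the fake anti-virus banner, and the padded double extension of the file carried inside the ZIP. The Mail class and the sample messages are constructed for illustration; the padded-extension check is generalised slightly to .exe and .scr as well as the .pif the page lists.

```python
import re
from dataclasses import dataclass, field

# Indicators transcribed from the W32/MyDoom-V description above (lower-cased).
SUBJECTS = {"you win!", "thanks!", "thank you!", "read it immediately", "re: your document",
            "re: status", "re: question", "re: proof of concept", "re: message", "re: hi",
            "re: hello", "private document", "notice again", "news", "my", "information",
            "important", "hi!", "hi", "here", "hello", ""}  # "" = blank subject
ATTACHMENTS = {"lol.scr", "fun.scr", "antivirus.exe", "patch.exe", "new.exe", "pic.exe",
               "photo.exe", "game.exe", "file.exe", "message,.zip", "letter.zip",
               "information.zip", "info.zip", "file.zip", "details.zip", "data.zip",
               "bill.zip", "new.zip", "report.zip", "doc.zip", "document.zip"}
# First line of every fake anti-virus report the worm appends to the body.
FAKE_AV_BANNER = re.compile(r"^\+\+\+ Attachment: No Virus found", re.MULTILINE)
# "document.doc .pif": document-like name, run of spaces, then an executable extension.
# Generalised beyond the page's .pif to .exe and .scr (assumption, not from the page).
PADDED_DOUBLE_EXT = re.compile(r"\.(html|txt|rtf|doc)\s+\.(pif|exe|scr)$", re.IGNORECASE)


@dataclass
class Mail:
    """Minimal constructed view of a message as a gateway filter would see it."""
    subject: str
    body: str
    attachment: str
    zip_members: list = field(default_factory=list)  # file names inside the ZIP, if any


def score(mail: Mail) -> list:
    """Return the names of the MyDoom-V indicators this message matches."""
    hits = []
    if mail.subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if mail.attachment.lower() in ATTACHMENTS:
        hits.append("attachment-name")
    if FAKE_AV_BANNER.search(mail.body):
        hits.append("fake-av-report")
    if any(PADDED_DOUBLE_EXT.search(name) for name in mail.zip_members):
        hits.append("padded-double-extension")
    return hits


def is_suspect(mail: Mail) -> bool:
    """A subject or file name alone is too common; the banner or padded extension is not."""
    hits = score(mail)
    return len(hits) >= 2 or "fake-av-report" in hits or "padded-double-extension" in hits


# Constructed samples: one worm-like message, one legitimate message with a listed subject.
WORM_MAIL = Mail("Re: Your document",
                 "+++ Attachment: No Virus found\n+++ Norton AntiVirus - www.symantec.de",
                 "document.zip", ["document.doc                 .pif"])
CLEAN_MAIL = Mail("hi", "See you at 3pm.", "agenda.pdf")
```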
The worm obtains email addresses to send itself to from files on the local hard disk with extensions of WAB, XLS, VBS, UIN, TXT, TBB, STM, SHT, PHP, MSG, MHT, JSP, HTM, EML, DHT, DBX, CGI, CFG and ASP.
The worm copies itself to windrv32.exe in the Windows system folder and autostart.exe in the current user's startup folder.
W32/MyDoom-V attempts to download and run W32/Surila-A.
The worm adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinSPF = "windrv32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinSPF = "windrv32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Version = "FrankenShteiN"
HKCU\Software\Microsoft\Internet Explorer
FuckedInst = "1"
Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/MyDoom-Gen without requiring an update.
