HiWAAY: Information/Internet Services
An FAQ is a Frequently Asked Question. We have listed here the question paired with
the appropriate answer. If you don't find the answer to your question, please visit
our customer support page or email support@HiWAAY.net.
XYZ - The Retired FAQ Archive
Busy Signal Report Form: Report a busy signal.
There are currently 249 FAQs in the database.
Old FAQs - We've kept these older FAQs in the archive just in case someone needs the information. These archived FAQs are no longer maintained and will certainly be out-of-date and contain errors.
Question: How do I protect my computer from the Mydoom.B (W32.mydoom.b@mm)?
The Mydoom.B worm (W32.Mydoom.B@mm) worm is a variation of the widespread Novarg.A or Mydoom.A
worm. HiWAAY Support has received none of this version and so far it does not appear to be as successful as its predecessor. (We continue to receive thousands of emails infected with Novarg.A/Mydoom.A.) Mydoom.B can infect any unprotected computer running Windows 95, 98, ME, NT, 2000, XP or Server 2003. Non-Windows based computers, such as Macintoshes, can't be infected.
Right now the best protection is to run up-to-date antivirus software. Because Mydoom.B is new it's important that you make sure you have the very latest updates for your antivirus software to ensure protection.
Mydoom.B follows the pattern set by Novarg but with some important additions. It arrives in your mailbox as an email with an attachment. The attachment is the worm. The from address will always be spoofed or faked so you will not be able to determine the sender from that address.
Please note: As is always the case, you will likely receive numerous copies of the worm sent from badly configured antivirus scanners installed at companies and other ISPs saying you have sent an email infected with a worm. In almost all cases these automated alerts are sent to the faked email addresses and not to the true sender of the email. In most cases you can delete these messages. If you receive an alert from HiWAAY, please call HiWAAY Support with any questions. We do not use an automated detector to generate alerts but rather manually investigate each incidence to make certain we know the origin of the infected email before we sent out an alert to a customer.
How to recognize a Mydoom.B infected email message (Based upon Information from SARC):
The from address and return path will always be spoofed.
The infected email subject may be blank but will usually have one of these subjects (with or without capital letters):
The message body will contain one of these messages:
- Delivery Error
- Server Report
- Mail Transaction Failed
- Mail Delivery System
The attachment may be 30k or 6.2k and will usually have a file ending of
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- sendmail daemon reported:
- Error #804 occured during SMTP session. Partial message has been received.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
.pif, .scr, .exe, .zip, .cmd or .bat
Mydoom.B spreads like a normal email worm and will send a copy of itself to all email addresses it finds on any computer it infects. It uses its own built-in mailserver to send its infected email.
Mydoom.B can Spread via KaZaA P2P File Sharing Networks:
Mydoom.B copies itself into the shared KaZaA file sharing directory, if there is one on the infected computer. According to SARC it will use one of these file names:
Mydoom.B Opens Infected Computers to Remote Intrusion:
According to the latest findings from Computer Associates, Mydoom.B installs a backdoor on infected computers which opens a TCP port that allows remote execution of commands and the installation of software on the infected system. It attempts to use port 3127, but if that port is already in use then according to Computer Associates, it will try any "one free from the range 1080- 3128".
Mydoom.B is Network Aware and Scans the Network for Port 3127:
Quoting Computer Associates
: "The worm scans the network for open TCP port 3127. Once found, it sends command and itself through the port for the remote machine to execute. Since Mydoom.A also listens for the same instruction, this seems to be an attempt to update the infection to the new worm variant."
Mydoom.B Uses Infected Computers for Denial of Service (DoS) Attack:
Mydoom.B will use infected computers to attack both www.sco.com and www.microsoft.com. Beginning February 1st, infected computers will start a denial of service attack against www.sco.com. Beginning February 3rd, infected computers will start attacking the Microsoft site. The DoS will take the form of 64 simultaneous and continuous GET requests web servers. This will probably cause congestion problems on networks.
Mydoom.B Blocks Access to Antivirus Web and Update sites:
Mydoom.B will overwrite the local hosts file to block access to a number of domains including those used by popular antivirus software and Microsoft's Windows Update site. Here's a short partial list of domains blocked by Mydoom.B:
For a complete list, check out the detail links listed in the section below.
More detailed information can be found at:
Protection of Windows-based systems is easy (Non-Windows-based computers are not affected.
- Make certain your anti-virus software is up to date.
- Run a personal firewall like ZoneAlarm
- If you are using Microsoft Internet Explorer/Outlook Express go to Windows Updates then upgrade to latest version.
- Of course, it always bears repeating, don't open attachments!
There are currently no automated removal tools for Mydoom.B. If your computer is infected with Mydoom.B you should follow the instructions provided by your antivirus vendor.
Mydoom.B eTrust EZ Antivirus Removal Instructions
Mydoom.B McAfee Removal Instructions
Mydoom.B Norton Antivirus Removal Instructions
Because worms and viruses can open your computer to unauthorized access, following the above steps may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.
Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.
New definitions are released constantly. Please check with your antivirus vendor for the latest files.
HiWAAY does not warrant that any of the tools and patches listed above will protect or repair a system, nor can we offer support on the complex task of manually removing a worm or virus and verifying system integrity.