Computer Virus Information: MyDoom
by Brad Weaver
January 27, 2004
Story updated 9:50PM Tuesday Jan 27: see end of page for details
A new email virus called MyDoom (also called Novarg) has made its way to campus. Our email filters are now blocking this virus, but many copies have already been delivered. The messages may appear to come from someone you know, and have one of the following subject lines:
mail delivery system
mail transaction failed
[random collection of characters]
The text of the message may appear to be gibberish, or the message may say something like "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
If you receive any of these messages, simply delete them. Do not click on the attached file, as this may infect your computer with the virus.
What Systems are Vulnerable
The MyDoom worm can infect computers running all versions of Microsoft Windows from version 95 on, including Windows 95, 98, Me, NT, 2000, and XP. The worm does not infect Macintosh computers,
What the Worm Does
If you opened the file attached the infected email message, you may have the MyDoom worm on your computer. If your computer is infected, it will send infected email messages to other people, and also install a "trojan horse" program on your computer that could allow hackers to access your computer remotely. It is also designed to spread via the KaZaa file sharing network.
Note that the worm itself does not damage files on your computer, but the trojan horse program could allow access to your system to someone who might do more damage. If your computer is infected with this worm, it is important to remove it as soon as possible.
We have installed a MyDoom check/removal program on the campus network. We strongly encourage everyone to test their system, as running the removal program will not harm your computer. To run the program:
- Close any programs that are currently running (you may want to print these instructions for reference).
- Open My Computer, then open Sys on Scholar (I:).
- Open the viruscheck folder.
- Run (double-click) the program Remove MyDoom.
- Click Accept to accept the terms and conditions.
- Click the green GO button to start the scan. The program will scan your computer for the virus, and could take several minutes or longer to run, depending on the size of your hard drive. You should allow the program to delete any instances of the worm that it finds.
If you need to check your home computer or are not connected to the Scholar server, you can download the removal program from the Sophos web site. Please see the link for the MyDoom Disinfection Utility at the end of this article.
The MyDoom removal program simply removes the worm from your system; it does not prevent reinfection. If you open an attachment in an infected email message, you will reinfect your computer and should run the removal program again.
Avoiding Email Viruses and Worms
You can avoid becoming infected with MyDoom, and most viruses that spread via email, simply by not opening the attached file. Note that almost all modern email worms spoof the "from address" so that they appear to come from someone you know (and presumably trust). If you did not request the sender to email you a file and are not sure what it is, then do not open the attachment until you verify the contents of the attachment with the sender.
For More Information and Assistance
If you have other questions about the MyDoom worm or need help removing the worm from your computer, please contact the Help Desk at x6400, or via email to firstname.lastname@example.org.
Additional Information Added 9:50PM Tuesday Jan 27
Computer Services continues to take steps to reduce the impact of the "MyDoom" internet worm. We have seen a number of computers on campus that are infected with this worm, and encourage everyone to review the steps above to check and, if necessary, disinfect your computer.
While we are blocking transmission of this virus through our mail server, we continue to receive thousands of infected messages from the Internet. This likely will cause some ongoing slowness of the mail server. We have taken the following steps to minimize this problem:
- We have temporarily restricted use of the !everyone, !staff, !student and !faculty email lists. It takes a lot of work for the mail server to deliver these messages, and it is already overloaded handling the incoming virus messages. We will reopen these lists once the performance issues have been reduced.
- We are blocking access to the mail server for all computers that we identify as infected with the worm. If your computer is blocked, you will not be able to use Eudora, Outlook, or similar email programs from your computer. You can continue to use Webmail. If your computer has been blocked, please run the disinfection program (see the web site for details), then contact the Help Desk to have your access reinstated.
- We have temporarily blocked the ability to send or receive .zip file attachments through email. You can still send Word, Excel, and other document files. If you need to send someone a .zip file, please contact the Help Desk for assistance.
For more information see: