
New Worm: Mydoom.B Worm



Zephyr
01-30-2004, 09:37 PM
At 9:00 A.M. Pacific Time on Wednesday, January 28, 2004, Microsoft began investigating reports of a variant of a new worm named "Mydoom" or "Novarg," known as Mydoom.B. This variant reportedly blocks access to some websites, including some Microsoft.com websites. The worm attempts to entice e-mail recipients into opening a message that has a file attachment. If the attached file is opened, the worm installs malicious code on the computer user's system and sends itself to all contacts in the user's address book.

Affected Products:
Microsoft® Outlook®
Microsoft Outlook Express
Web-based e-mail programs

How to Tell If a Computer Is Infected with Mydoom.B


Figure 1. Searching for the ctfmon.dll file on a Windows XP–based hard drive.
The procedure for determining whether your computer is infected varies by operating system. Find out which operating system you have.

If you use Windows XP

To find out if a computer is infected, do the following:

Click Start, and then click Search.
In the What do you want to search for? box, click All files and folders.
In the All or part of the file name box, type ctfmon.dll (see Figure 1).
[Figure 1 image: http://www.microsoft.com/security/images/xp_search4explorer.gif]

If that file exists on the computer, the computer is infected with Mydoom.B, and you need to follow the steps below. Otherwise, the computer is not infected with that variant of the virus.


If you use Windows 2000 or Windows NT 4.0

To check for the worm yourself, do the following:

Click Start, and then click Run.
In the Open box, type cmd
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor, type dir ctfmon.dll /a /s and then press ENTER.
Wait a few moments:
If the results show File Not Found, the computer is not infected with Mydoom.B.

If the results show File Found and the file size is displayed, the computer is infected with Mydoom.B, and you need to follow the steps below.



If you use Windows 98 or Windows 95


Click Start, and then click Run.
In the Open box, type command
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor, type dir ctfmon.dll /a /s and then press ENTER.
Wait a few moments:

If the results show File Not Found, the computer is not infected with Mydoom.B.

If the results show File Found and the file size is displayed (see Figure 2), the computer is infected with Mydoom.B, and you need to follow the steps below.

[Figure 2 image: http://www.microsoft.com/security/images/2k_cmdPrompt.gif]



What to Do If Your Computer Is Infected

If your computer is infected, first try going to the website of your antivirus-software vendor to get the latest updates and information. If you are unable to access your antivirus-software vendor's site and need to fix the infection yourself, follow these steps:

Click Start, and then click Run.
In the Open box, type cmd.
Click OK. The black Command Prompt window will open, displaying C:\...> followed by a cursor.
Click the cursor and:
Type del /F %systemroot%\system32\drivers\etc\hosts
Press ENTER.
Type echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts
Press ENTER.
Type attrib +R %systemroot%\system32\drivers\etc\hosts
Press ENTER.
After typing these commands, do one of the following:
If you use Windows NT 4.0, restart your computer.
If you use Windows XP or Windows 2000, do not restart your computer. Instead, do the following:
Type ipconfig /flushdns
Press ENTER.
If your computer is infected with the worm and you need technical assistance, contact your antivirus vendor or Microsoft Product Support Services for help removing the worm.

For Microsoft Product Support Services in the United States and Canada, call toll free (866) PCSAFETY (727-2338).
For Microsoft Product Support Services outside the United States and Canada, visit the Product Support Services Web page.


For more information click: http://www.microsoft.com/security/antivirus/mydoom.asp
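The two checks the advisory above walks through by hand, the file-name search and the HOSTS-file clean-up, as an added example in Python (not Microsoft's or the poster's code). It searches a directory tree for the ctfmon.dll indicator the way `dir ctfmon.dll /a /s` does, and parses a HOSTS file to flag entries that pin security-vendor or Microsoft hostnames to an address, which is the site-blocking the `del`/`echo` steps undo. The watch-list of domains and the sample HOSTS content are constructed for the example.

```python
"""Defender-side checks modelled on the Mydoom.B advisory above.

Added example, not Microsoft's or the poster's code. The watch-list and the
sample HOSTS content below are constructed for illustration only.
"""
import os
from typing import List, Tuple

# Assumption: illustrative watch-list; a real check would use a vendor list.
WATCHED_DOMAINS = ("microsoft.com", "symantec.com", "mcafee.com", "f-secure.com")

# Content produced by the advisory's `echo # Temporary HOSTS file > ...` step.
TEMP_HOSTS_CONTENT = "# Temporary HOSTS file\n"

SAMPLE_HOSTS = """\
# constructed sample resembling a hijacked HOSTS file
127.0.0.1       localhost
0.0.0.0         www.microsoft.com windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com   # blocks AV updates
10.0.0.5        intranet.example          # unrelated, legitimate entry
"""


def find_indicator_file(root: str, name: str = "ctfmon.dll") -> List[str]:
    """Equivalent of `dir ctfmon.dll /a /s`: every path under root with that exact name."""
    name = name.lower()
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == name]


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each active HOSTS mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()    # strip comments, tokenize
        if len(fields) >= 2:
            entries += [(lineno, fields[0], h.lower()) for h in fields[1:]]
    return entries


def is_watched(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked(text: str) -> List[Tuple[int, str, str]]:
    """Entries that redirect a watched hostname anywhere (a clean file has none)."""
    return [e for e in parse_hosts(text) if is_watched(e[2])]


if __name__ == "__main__":
    for lineno, addr, host in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} pinned to {addr}")
    print("temporary file clean:", find_hijacked(TEMP_HOSTS_CONTENT) == [])
```

On a live system, point `find_indicator_file` at the drive root and `find_hijacked` at the contents of `%systemroot%\system32\drivers\etc\hosts`; a clean rebuilt file yields no hits.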

googe
01-30-2004, 10:00 PM
Easier way to tell if you're infected: if none of the following sites will load on your computer:
