I’m at it again! I’ve created another .inf virus removal script, this time for Mydoom/Novarg. Save http://files.invisibill.net/unmydoom.inf somewhere, right click, and choose “Install”. The script may have problems removing files if they’re in use, so I suggest running it once, rebooting (since the startup stuff has been cleaned off, it will be a clean boot now), then run it again to delete any files that may have been in use before.
The script removes/fixes everything listed on Symantec’s page. It removes the startup entries in the Current User and Local Machine sections of the registry. It removes the two other keys listed (it isn’t mentioned what they do). It deletes taskmon.exe and shimgapi.dll from your Windows system directory. Note that there is a valid taskmon.exe file, but it’s in the Windows directory itself. It will also overwrite the registry entry where WebCheck is hijacked. The flags in the script tell it to only write the value if it already exists, and it’s different depending on whether the system is Win9x or WinNT. It replaces the value with (Windir)\SYSTEM\WEBCHECK.DLL on 9x and %SystemRoot%\System32\webcheck.dll on NT. It calculates the value of (Windir) as the script is run and %SystemRoot% is system variable, so there shouldn’t be any problems with that. It also removes files from the KaZaA\My Shared Folder directory under your Program Files directory. Again, the location of Program Files is figured as the script is run (it’s not hardcoded to “C:\Program Files” or anything) so it should work regardless of where you actually have Program Files. However, I don’t know an easy way to access the shared Kazaa directory, so that part is hardcoded. You’ll have to manually delete the files if they’re somewhere else. An updated virus scanner should find these, and they’re really only for spreading the virus, as opposed to being part of the virus running on your PC. Anyway, the script looks for all combinations of the filenames and extensions listed on Symantec’s page, 28 in all.
If you don’t trust me, look at the file yourself. It’s just a plain text file. The default action for .inf files should be to open them in Notepad, so it should be very easy for you to check out. The first sections are just comments and info on the author and the script’s name and stuff. The SourceDisksFiles section just lists all the filenames involved. In a regular installation script, this would tell it which disks contained which files. The ProgFiles and SysFiles sections just break the files down into groups which are installed in the same place. DestinationDirs tells where each of those groups should go. 16422 is your Program Files directory and 11 is your System directory. Mydoom.Reg just lists the registry stuff that the virus creates. DLL.reg and DLL_NT.reg are the correct WebCheck registry entries. As you can probably figure out, DefaultInstall and DefaultInstall.nt tell it to delete the files and registry entries listed above, and add the proper WebCheck stuff. The two versions tell it to use one WebCheck entry for 9x and another for NT. It’s not really an “Install” as we’re mostly removing stuff, but DefaultInstall is what gets run when you right-click the file and choose “Install”.
The virus contains its own SMTP (mail-sending) engine. It doesn’t rely on Outlook or anything like that, it actually sends the messages itself. It is also clever in that it reports the server name as the domain of whatever email address it is spoofing as the sender. For example, if it’s saying the email is from joe@fakeisp.net, it will report to the receiving mail server that its name is fakeisp.net. If you view all the headers of the virus spams you receive, you can find out where they came from. CTRL+U opens the message source in Mozilla-based mail programs, and I believe it’s CTRL+F3 in Outlook Express. Near the beginning you should find a line that starts with Received: from. After that will be an IP address in brackets and the HELO command. The IP address should be the PC sending the mails, and the HELO command should return the domain of the spoofed sender address as I stated above. Note that the virus may spoof your address as a sender. If it gets sent to a bad address, that mail server may return an error message to you saying that your email (which you didn’t actually send) couldn’t be delivered. To find the infected PC in one of these emails, you need to look deeper into the message source. You need to find the original message’s headers where it is quoted in the error message. Some error messages may not even include the original message. In this case, the HELO command will return your domain name, since it was saying that the message came from you. It will be something like Received: from invisibill.net ([111.222.333.444]). That IP address is the infected PC who originally sent the message saying it was from you.
Now that we’ve covered how the virus spreads and how to get rid of, let’s mention what it actually does. It opens your system up, probably for remote control, and is coded to DDoS SCO’s website starting February 1. Yes, those litigious bastards (hehe, see this entry) involved with the Linux IP lawsuit. It was probably written by some zealot, as most of the open source community doesn’t support illegal attacks, even against those they really dislike. It does have a trigger to stop spreading February 12, but the backdoor function will still work after that.
Here is a list of IP addresses that I have personally received virus spam from. I don’t want anyone to attempt to hack these people or DDoS them or anything. I’m providing the IP addresses here so that people can find out if they’re infected and so that people can filter out incoming email from known infected sources.
209.7.198.2 (user-2.museum.state.il.us)
216.237.20.226 (216-237-20-226.orange.nextweb.net)
69.9.12.20 (appears to be a broadband user of dakotacom.net, downstream from broadband01-fe0-0.tus.dakotacom.net)
67.167.18.184 (c-67-167-18-184.client.comcast.net)
68.65.56.34 (va-staff-u1-c4a-a-34.frbgva.adelphia.net)
http://www.invisibill.net/ipcheck.php will show you your IP address. It simply outputs the address that made the request to the webserver. It doesn’t access anything on your PC or require the installation of anything. It’s just a function on the webserver that shows the IP address that requested the page. If your IP address is one of those, your PC is infected. Your PC has been opened up for remote access and you’re sending out a bunch of junk email, slowing the internet down for everyone. Clean up your PC now. http://pctech.invisibill.net/virusinfo.html has links to a whole bunch of AV vendors, including some free and online options.