- Virus type: Family of mass-mailing worm
- Affects: Windows 95 and up
- Other names for Win32.HLLM.MyDoom: W32/Mydoom, I-Worm.Novarg, Worm_Mydoom
Win32.HLLM.MyDoom is a family of mass-mailing Internet worms that spread by email using addresses obtained from the infected computer. The From: address is made up by the virus, and probably does not exist.
The subject and content of the message are selected from a large number of text strings. The worm itself is in an attachment, which has the icon of a harmless file type such as a text file or a Microsoft Word document in an attempt to deceive the user.
If activated, the Win32.HLLM.MyDoom worm copies itself to the hard disk and installs a Registry entry so that it is run automatically at startup. The worm file has a randomly generated name, so it can be positively identified only with the aid of an up-to-date virus checker (although any active process with a gobbledygook filename would be a prime candidate).
The Win32.HLLM.MyDoom worms also install a DLL file containing malware code in the Windows System folder.
The Win32.HLLM.MyDoom worms are also characterised by the following actions:
- They terminate processes associated with other recent common worm viruses
- They install a backdoor into the system to permit attackers to gain entry
- They initiate a denial of service attack on certain websites between specified dates.
To prevent another infection by Win32.HLLM.MyDoom worms or similar viruses:
- Be suspicious of emails from unknown sources containing executable attachments. See How to detect Internet worms.
- Use a good anti-virus such as Kaspersky AntiVirus or Dr.Web anti-virus.
To remove the Win32.HLLM.MyDoom worm manually:
- Use a virus scanner to determine the identity of the executable file containing the worm (which has a randomly generated filename), then use the Windows Task Manager to terminate it.
- Using the Registry Editor, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, locate the value with a randomly-generated name that contains the path of the worm executable, and delete it.
- Disable System Restore so that copies of the worm are not saved to the restore folder. (Note: this may cause Windows to restart, and you will lose your earlier restore points.)
- Delete the randomly-named worm executable file from the Windows/System32 folder.
- Update and run your virus scanner to remove any other worm files from the system.
- Re-enable System Restore and force a restore point.
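The first two removal steps above (find the randomly named worm executable and its Run-key entry) can be made less error-prone with a small triage script. The following PowerShell is an added example written for this page, not a tool from the page's author or from any anti-virus vendor. It only reports candidates; it does not kill processes or delete anything, because the text is clear that positive identification needs an up-to-date scanner. The "looks random" heuristic (few vowels, or digits mixed into the name) is our own assumption and will produce false positives on legitimate short names, so treat its output as a list to check, not a verdict.

```powershell
# Added example (not from the original page): list Run-key entries and running
# processes whose file names look randomly generated, as candidates to confirm
# with an up-to-date virus scanner before following the manual removal steps.
# Assumptions: Windows PowerShell 5.1 or later; the randomness heuristic below
# is ours and is deliberately loose (expect some false positives).

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Test-LooksRandom {
    # Heuristic: pronounceable product names have a fair share of vowels;
    # gibberish names tend to have almost none, or mix digits into the letters.
    param([Parameter(Mandatory)][string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name).ToLower()
    if ($base.Length -lt 5) { return $false }
    $chars   = $base.ToCharArray()
    $letters = ($chars | Where-Object { $_ -match '[a-z]' }).Count
    $vowels  = ($chars | Where-Object { $_ -match '[aeiou]' }).Count
    $digits  = ($chars | Where-Object { $_ -match '[0-9]' }).Count
    if ($letters -eq 0) { return $true }
    $vowelRatio = $vowels / $letters
    return ($vowelRatio -lt 0.2) -or ($digits -ge 2 -and $letters -ge 3)
}

function Get-ExecutableFromCommand {
    # Extract the executable path from a Run-key command line, handling both
    # quoted paths with spaces and unquoted paths followed by arguments.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $cmd = [string]$p.Value
            $exe = Get-ExecutableFromCommand $cmd
            $exeName = [System.IO.Path]::GetFileName($exe)
            if ((Test-LooksRandom $p.Name) -or (Test-LooksRandom $exeName)) {
                [pscustomobject]@{
                    Hive       = $key
                    ValueName  = $p.Name
                    Command    = $cmd
                    Executable = $exe
                    # The text says the worm lives in System32; flag that case
                    InSystem32 = ($exe -like "$env:SystemRoot\System32\*")
                }
            }
        }
    }
}

function Get-SuspiciousProcesses {
    # Path is $null for processes we cannot inspect; those are skipped.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and (Test-LooksRandom ([System.IO.Path]::GetFileName($_.Path)))
    } | Select-Object Id, ProcessName, Path
}

Write-Host '== Run-key values with random-looking names or targets =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
Write-Host '== Running processes with random-looking image names =='
Get-SuspiciousProcesses | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that both hives and all process paths are readable. A Run-key entry whose value name and executable are both gibberish and whose InSystem32 column is True matches the behaviour described above and is the one to hand to the scanner; an entry that merely trips the vowel heuristic (short system utilities do) should be left alone until the scanner confirms it.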
To remove the Win32.HLLM.MyDoom virus, please see our tutorial Help! I've got a virus!