W32/Doomhunter.worm

Type
Virus
SubType
Internet Worm
Discovery Date
02/12/2004
Length
5,120 Bytes
Minimum DAT
4326 (02/18/2004)
Updated DAT
4326 (02/18/2004)
Minimum Engine
5.1.00
Description Added
02/13/2004
Description Modified
02/17/2004 7:39 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This worm is written in MSVC and is designed to propagate to systems already infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM. Once running on such a machine, it attempts to remove those infections.

Upon execution, W32/Doomhunter.worm copies itself to the %SysDir% directory as WORM.EXE. For example:

  • C:\WINNT\SYSTEM32\WORM.EXE

(Certain message boxes are displayed if the worm is run in a debug mode.)

It then adds the following value to the Registry Run key to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "DELETE ME" = "worm.exe"

Certain processes are terminated if running on the machine. The files associated with such processes are then deleted:

  • CTFMON.DLL
  • EXPLORER.EXE
  • TEEKIDS.EXE
  • INTRENAT.EXE
  • TASKMON.EXE
  • MSBLAST.EXE
  • REGEDIT.EXE
  • SHIMGAPI.DLL

The following Registry key (W32/Mydoom related) is also removed:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    (Default)

During this 'cleaning', various message boxes are displayed. They all share a common window title:

Mydoom removal worm (DDOS the RIAA!!)

The worm listens on TCP port 3127 for any incoming connection (whether or not it is related to the virus). Upon such a connection, the worm attempts to send itself to the connecting IP address via the W32/Mydoom backdoor.

Symptoms

  • Existence of the files and registry entry listed above
  • Listening on port 3127
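The two host-level symptoms above can be checked offline from captured output. The script below is an added example, not McAfee's code: it assumes a `netstat -ano` text capture and a `reg export` of the HKCU Run key in standard .reg format, and flags a TCP listener on port 3127 and the "DELETE ME" = "worm.exe" Run value; the sample data at the bottom is constructed.

```python
import re

WORM_PORT = 3127
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("delete me", "worm.exe")  # value name and data from the description

# netstat -ano line, e.g.  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING    1234
NETSTAT = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)", re.I)
# .reg export value line, e.g.  "DELETE ME"="worm.exe"
REGVAL = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"$')


def listening_pids(netstat_output, port=WORM_PORT):
    """PIDs of TCP listeners bound to `port`, parsed from `netstat -ano` text."""
    return [int(m.group("pid")) for m in map(NETSTAT.match, netstat_output.splitlines())
            if m and int(m.group("port")) == port]


def run_key_hits(reg_export):
    """(name, data) values under the HKCU Run key that match the worm's entry.

    Flags either the odd value name "DELETE ME" or data naming worm.exe;
    the comparison is case-insensitive because the registry is.
    """
    hits, in_run = [], False
    for line in (l.strip() for l in reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run and (m := REGVAL.match(line)):
            name, data = m.group("name"), m.group("data")
            if name.lower() == RUN_VALUE[0] or data.lower().endswith(RUN_VALUE[1]):
                hits.append((name, data))
    return hits


def triage(netstat_output, reg_export):
    """Combine both checks into one verdict dict for a host."""
    pids, hits = listening_pids(netstat_output), run_key_hits(reg_export)
    return {"port_3127_pids": pids, "run_key_hits": hits, "suspect": bool(pids or hits)}


# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1504
  TCP    10.0.0.5:3127          10.0.0.9:1044          ESTABLISHED     1504
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"DELETE ME"="worm.exe"
"""
```

A PID returned for port 3127 can then be matched against the process list to confirm it is %SysDir%\WORM.EXE before taking removal steps.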

Method of Infection

This worm propagates via the backdoor opened by W32/Mydoom. It listens (TCP port 3127) for a connection attempt from a W32/Mydoom infected machine, and then attempts to send itself to that machine via the W32/Mydoom backdoor mechanism.

Once running on an infected machine, the worm attempts to terminate processes and delete files associated with W32/Mydoom and W32/Blaster.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.