W32/Zindos.worm

Type
Virus
SubType
Internet Worm
Discovery Date
07/27/2004
Length
5760 bytes
Minimum DAT
4382 (07/28/2004)
Updated DAT
4382 (07/28/2004)
Minimum Engine
5.1.00
Description Added
07/27/2004
Description Modified
07/27/2004 9:27 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a detection for a worm that uses the backdoor of W32/Mydoom.o@MM in order to infect a machine.

The worm adds a key to the registry, so it gets executed every time the system starts:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   "Tray"  =  "[path+filename].exe"

A few minutes after execution, it resolves www.microsoft.com through the default DNS server and then starts a DoS attack against that host by sending HTTP GET requests.
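A defender-side check for the persistence indicator above, added here as an example and not McAfee's own tooling: on Windows it enumerates the HKLM Run key through `winreg`, flags any value named "Tray", and compares the size of the referenced file with the 5760-byte length listed for this worm. The path `C:\constructed\sample.exe` and the `sizes` override are constructed so the logic also runs offline on other platforms.

```python
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_VALUE = "Tray"    # Run value name reported on this page
INDICATOR_LENGTH = 5760     # worm file length reported on this page, in bytes

def read_run_values():
    """Return {name: data} from the HKLM Run key (Windows only, via winreg)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:        # index past the last value
                return values
            values[name] = str(data)
            i += 1

def executable_path(value_data):
    """Program path from Run value data, whether quoted (with arguments) or not."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""   # unquoted: ends at first space

def check_run_values(values, sizes=None):
    """Flag Run values named 'Tray' (registry value names are case-insensitive).
    size_match is True/False against 5760 bytes, or None if the file is missing;
    `sizes` (path -> bytes) replaces the filesystem for constructed data."""
    findings = []
    for name, data in values.items():
        if name.lower() != INDICATOR_VALUE.lower():
            continue
        path = executable_path(data)
        size = sizes.get(path) if sizes is not None else (
            os.path.getsize(path) if os.path.isfile(path) else None)
        match = None if size is None else size == INDICATOR_LENGTH
        findings.append({"value": name, "path": path, "size_match": match})
    return findings

if __name__ == "__main__":   # live check on Windows, constructed sample elsewhere
    values = read_run_values() if sys.platform == "win32" else {
        "Tray": r'"C:\constructed\sample.exe"', "Other": r"C:\ok.exe"}
    for f in check_run_values(values):
        print(f"suspicious Run value {f['value']!r} -> {f['path']} "
              f"(5760-byte match: {f['size_match']})")
```

A size mismatch does not clear the value: any unexpected "Tray" entry in the Run key deserves a look, since the recorded length applies to this variant only.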

Symptoms

  • Outgoing network traffic to www.microsoft.com (TCP:80)

Method of Infection

The worm uses the backdoor of W32/Mydoom.o@MM to infect a system.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Zindos.A (Symantec)
