Aliases: W32/Doomhunter.worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: low
Geographical info: Asia, US and Europe
Removal: Easy
Platform: W32
Discovered: 12 Feb 2004
Damage: Low

Characteristics: The W32.Doomhunter program runs on computers already infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM.

More details about W32.Doomhunter

The W32.Doomhunter program has an infection length of 5,120 bytes and infects Windows XP, Windows 2000 and other recent Windows operating systems. This worm deletes the virus W32/Mydoom.a@MM or W32/Mydoom.b@MM. When run, it copies itself as %System%\worm.exe and adds a value to the registry Run key so that it is launched at startup. It then displays messages such as “Hello I’m the mydoom removal worm to kill me go to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and remove the “DELETEME” value and reboot” or “I have no idée if it works but itry it anyway”. These messages appear in a message box entitled “Mydom removal worm (DDOS the RIAA!!”. It terminates processes that W32/Mydoom.a@mm and some other viruses may have created, such as SHIMGAPI.DLL, TFMON.DLL, REGEDIT.EXE, TEEKIDS.EXE, MSBLAST.EXE, EXPLORER.EXE, TASKMON.EXE and INTRENAT.EXE, and deletes these files from the System folder of computers infected by Mydoom.a@mm. It then listens on TCP port 3127. Once a connection is established, the worm first sends 5 bytes to the remote computer and then sends a copy of itself.

This program also opens a random unused system port, which it uses to connect to a remote server and which acts as a backdoor to the system. Traffic through this channel is largely unmonitored by security software and consists mostly of commands for the Trojan component, which are executed on the system without the user’s consent. The backdoor created by the virus W32/Mydoom.a@mm then lets the worm through and runs it.
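As an added example (not part of the original entry), the following Python check looks for the host indicators named above, the DELETEME value in the HKEY_CURRENT_USER Run key pointing at %System%\worm.exe and a TCP socket on port 3127, in a `reg export` dump and `netstat -ano` output. The sample dump and netstat lines, including paths, PIDs and addresses, are constructed for the example.

```python
import re

# Indicators taken from the W32.Doomhunter description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DELETEME"
DROPPED_FILE = r"\worm.exe"   # dropped as %System%\worm.exe
BACKDOOR_PORT = 3127

# Constructed sample of `reg export` output for the Run key (not a real capture).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"DELETEME"="C:\\WINDOWS\\System32\\worm.exe"
"""

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.20:49152     203.0.113.9:3127       ESTABLISHED     1604
"""

def check_registry(reg_text):
    """Return (value name, data) for Run entries matching the Doomhunter persistence."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):                     # start of a new key section
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line.strip())
        if not (in_run_key and m):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo reg escaping
        if name.upper() == RUN_VALUE or data.lower().endswith(DROPPED_FILE):
            findings.append((name, data))
    return findings

def check_netstat(netstat_text):
    """Return (pid, role) for TCP sockets listening on or connected to port 3127."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":     # skip header and UDP rows
            continue
        local, remote, state, pid = parts[1:]
        if local.rsplit(":", 1)[1] == str(BACKDOOR_PORT) and state == "LISTENING":
            findings.append((int(pid), "listening"))   # host offers the backdoor port
        elif remote.rsplit(":", 1)[1] == str(BACKDOOR_PORT) and state == "ESTABLISHED":
            findings.append((int(pid), "outbound"))    # host pushes to another backdoor
    return findings
```

Both checks are worth running together: a matching Run value without the listener suggests a partly cleaned host, while outbound connections to 3127 from the same PID point at the propagation step described above.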