Worm.Win32.Doomer.a, Win32/HLLW.Doomer.A, WORM_DOOMER.A, Worm/Doomer.A Worm, Win32/Doomer.A
Category: Computer Worm
North America, South America, Asia, Europe, Australia, Africa
19 Feb 2004
The W32.Moody.Worm spreads its malicious code to systems that are already infected with the Mydoom worm. The Mydoom worm and its variants are among the most dangerous and widespread worms. This malware uses a wide array of methods to penetrate target systems and then execute its code. It may use social engineering techniques, including infected email attachments and infected links. It may likewise rely on locating weakly configured networks that leave the host machine susceptible to remote attacks.
W32.Moody.Worm Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Moody.Worm from your computer.
More details about W32.Moody.Worm
This worm allegedly has backdoor capabilities. It can stop the Windows Firewall from blocking port activity; it does this by running a shell command and adding a registry entry. Once a port is opened, the worm connects to a set of URLs predefined in its code and notifies its remote author of the compromised system's status. It then waits for the remote author to establish a connection to the affected machine; once a connection is successfully established, the remote author executes a series of commands. These commands are all launched locally, thereby compromising the machine.
The W32.Moody.Worm copies itself as an EXE file onto the computer system and adds a value to a specific registry key so that it runs when Windows starts. It then generates random IP addresses and tries to connect to them on TCP port 3127, the same port used by the Mydoom worm's backdoor component. Once a connection is successfully established, the malware sends 5 bytes to the remote system and then sends a copy of its own code. The Mydoom worm's backdoor component then accepts the worm's copy and launches it. This worm's infection is best removed with a competent antivirus program. After downloading the antivirus program, open it and follow the steps for malware removal. Then go to the registry editor and remove all the modifications added by the worm.
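The propagation behaviour described above (outbound probes to many randomly generated addresses on TCP port 3127, and an existing Mydoom backdoor accepting the inbound copy) leaves a distinctive footprint in perimeter or host firewall logs. The script below is an added example, not code from the original page or from any antivirus vendor: it parses a constructed, simplified connection-log format (timestamp, direction, source IP, destination IP, destination port, protocol, outcome), flags hosts that contact an unusual number of distinct destinations on TCP/3127 (the random-IP probing), and lists hosts that accepted an inbound TCP/3127 connection (a candidate Mydoom backdoor that may have received the worm's copy). The log format, the sample lines and the distinct-target threshold are assumptions; only the port number and the two behaviours come from the page.

```python
"""Flag W32.Moody-style TCP/3127 probing in firewall connection logs.

Added example. Assumed (constructed) log line format:
    <timestamp> <direction> <src_ip> <dst_ip> <dst_port> <proto> <outcome>
direction is "out" (host-initiated) or "in" (host-received); outcome is the
firewall verdict ("allow", "deny") or "accept" for a completed inbound session.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# From the page: the Mydoom backdoor port that W32.Moody probes and delivers to.
MOODY_TARGET_PORT = 3127


@dataclass
class Conn:
    ts: str
    direction: str
    src: str
    dst: str
    dport: int
    proto: str
    outcome: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for malformed or non-numeric-port lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, direction, src, dst, dport, proto, outcome = parts
    try:
        port = int(dport)
    except ValueError:
        return None
    return Conn(ts, direction.lower(), src, dst, port, proto.lower(), outcome.lower())


def find_scanners(lines: List[str], min_distinct_targets: int = 5) -> Dict[str, int]:
    """Hosts that initiated TCP/3127 connections to many distinct destinations.

    Denied attempts count too: the worm's random address generation produces
    mostly unreachable targets, so the spray itself is the signal.  The
    threshold of 5 distinct targets is an assumption for this example.
    """
    targets = defaultdict(set)
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        if c.direction == "out" and c.proto == "tcp" and c.dport == MOODY_TARGET_PORT:
            targets[c.src].add(c.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_distinct_targets}


def find_backdoor_listeners(lines: List[str]) -> List[str]:
    """Hosts that accepted an inbound TCP/3127 session: an existing Mydoom
    backdoor that may have received and launched the worm's copy."""
    listeners = set()
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        if (c.direction == "in" and c.proto == "tcp"
                and c.dport == MOODY_TARGET_PORT and c.outcome == "accept"):
            listeners.add(c.dst)
    return sorted(listeners)


# Constructed sample log: 10.0.0.5 sprays TCP/3127 at random addresses, one of
# which (10.0.0.9) answers; 10.0.0.7 is ordinary traffic with a single probe.
SAMPLE_LOG = [
    "2004-02-19T10:00:01 out 10.0.0.5 198.51.100.12 3127 tcp deny",
    "2004-02-19T10:00:01 out 10.0.0.5 203.0.113.77 3127 tcp deny",
    "2004-02-19T10:00:02 out 10.0.0.5 192.0.2.33 3127 tcp deny",
    "2004-02-19T10:00:02 out 10.0.0.5 198.51.100.201 3127 tcp deny",
    "2004-02-19T10:00:03 out 10.0.0.5 203.0.113.8 3127 tcp deny",
    "2004-02-19T10:00:03 out 10.0.0.5 10.0.0.9 3127 tcp allow",
    "2004-02-19T10:00:03 in 10.0.0.5 10.0.0.9 3127 tcp accept",
    "2004-02-19T10:00:04 out 10.0.0.7 198.51.100.50 443 tcp allow",
    "2004-02-19T10:00:05 out 10.0.0.7 192.0.2.9 3127 tcp deny",
    "2004-02-19T10:00:06 out 10.0.0.7 192.0.2.9 3127 udp deny",
    "malformed line here",
]


if __name__ == "__main__":
    for host, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible W32.Moody propagation from {host}: {count} distinct TCP/3127 targets")
    for host in find_backdoor_listeners(SAMPLE_LOG):
        print(f"host accepted inbound TCP/3127, check for Mydoom backdoor: {host}")
```

Hosts reported by `find_scanners` are the ones to isolate and clean; hosts reported by `find_backdoor_listeners` were already running the Mydoom backdoor and should be treated as compromised by both families. Blocking TCP/3127 at the perimeter and on host firewalls stops both the probing and the delivery of the copy.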