Microsoft KB Archive/836528

= Mydoom, Zindos, and Doomjuice Worm Removal Tool =

Article ID: 836528

Article Last Modified on 6/6/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



Notice
This tool is no longer available. It has been replaced by the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000



SUMMARY
Microsoft has released a tool to help you remove variants of the Mydoom, Zindos, and Doomjuice worms from your computer. Version 4.0 of the Microsoft Mydoom Worm Removal Tool supports removal of the Mydoom variants A, B, E, F, G, J, L, O, Zindos.A, and Doomjuice variants A and B. To download Version 4.0 of the Worm Removal Tool, visit the following Microsoft Web site:

http://www.microsoft.com/security/incident/mydoom.mspx

The Windows Update Web site and Automatic Updates will offer you version 4.0 of the Mydoom Worm Removal Tool if your computer appears to be infected with Mydoom.A, Mydoom.B, Mydoom.E, Mydoom.F, Mydoom.J, Mydoom.L, Mydoom.O, Zindos.A, Doomjuice.A, or Doomjuice.B, or if your computer contains remnants of an infection, such as registry keys that are left behind.

Note The Windows Update Web site and Automatic Updates do not detect whether a computer is infected with the Mydoom.G variant, but the tool that is offered by Windows Update does remove the Mydoom.G variant. If your computer is infected with only the Mydoom.G variant, Windows Update will not offer you the tool. If your computer is infected with multiple variants of Mydoom, Windows Update will offer you the tool. If you do not know whether your computer is infected with the Mydoom.G variant, and Windows Update does not offer you the Mydoom Worm Removal Tool, you can manually download and run the tool from the Microsoft Download Center.

Technical updates
 * February 8, 2005: Microsoft replaced this tool with the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000

 * August 4, 2004: Version 4.0 of the Mydoom Worm Removal Tool released to the Windows Update Web site.
 * July 30, 2004: Version 4.0 of the Mydoom Worm Removal Tool released to the Microsoft Download Center. This version adds support for detecting and removing Mydoom variants E, F, G, J, L, O, and the Zindos.A worm.
 * February 20, 2004: Microsoft released version 3.0 of the Mydoom Worm Removal Tool to the Windows Update Web site. Version 3.0 replaces version 2.0 as a critical update for computers that appear to be infected with MyDoom.A, MyDoom.B, or Doomjuice.A and are running any one of the products that are listed in the "Applies to" section.
 * February 13, 2004: Microsoft released version 2.0 of the Mydoom Worm Removal Tool to the Microsoft Windows Update Web site. Version 2.0 is a critical update for computers that appear to be infected with MyDoom.A, MyDoom.B, or Doomjuice.A and are running any one of the products that are listed in the "Applies to" section.
 * February 11, 2004: Microsoft released version 3.0 of the Mydoom Worm Removal Tool to the Microsoft Download Center. Version 3.0 adds support for detecting and removing the Doomjuice.B worm. If you have already run version 1.0 or version 2.0, we recommend that you run version 3.0 to help make sure that you are not infected with the Doomjuice.B worm.
 * February 9, 2004: Microsoft released version 2.0 of the Mydoom Worm Removal Tool to the Microsoft Download Center. Version 2.0 adds support for detecting and removing the Doomjuice.A, or Mydoom.C, worm. Additionally, version 2.0 runs on Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and 32-bit versions of Microsoft Windows Server 2003.
 * February 5, 2004: Microsoft released Version 1.0 of the MyDoom Removal Tool to the Microsoft Download Center. Version 1.0 detects and removes the Mydoom.A and Mydoom.B worms and runs in Microsoft Windows XP and in Microsoft Windows 2000.


SYMPTOMS
You may experience any one of the following symptoms after you open a .bat, .cmd, .exe, .pif, or .scr file attachment in an e-mail message, or if you run a .bat, .cmd, .exe, .pif, or .scr file that an attached .zip file contains:
 * Your computer performance is decreased or your network connection is slow.
 * Contacts in your address book may report that they received an e-mail message from you that you did not send.
 * You may not be able to access some Web sites. For example, you may not be able to access Microsoft Web sites or the Web sites of some antivirus vendors.


CAUSE
This behavior may occur if your computer is infected with a Mydoom, Zindos, or Doomjuice worm variant. The variants of Mydoom spread through e-mail messages with attached executable files. If you open the executable file, the worm installs a malicious program on your computer and sends copies of itself to all e-mail addresses found on your computer. The Mydoom.O variant also queries search engines for more e-mail addresses.

Mydoom leaves a program, known as a back door, on infected computers. This back door can potentially allow an attacker to access infected computers. The back door that is created by Mydoom.O also tries to connect to other infected hosts and to create a pseudo peer-to-peer network. The Doomjuice.A, Doomjuice.B, and Zindos.A worms exploit this back door to spread themselves.

The Zindos.A worm performs a distributed denial of service (DDoS) attack against www.microsoft.com. The Mydoom.B worm blocks access to some Web sites, including Microsoft.com and the Web sites of some antivirus vendors. Therefore, you may not be able to access Web sites to obtain security updates and updated antivirus signatures.

For more information about how to determine whether your computer is infected with a Mydoom, Zindos, or Doomjuice variant, visit the following Microsoft Web sites:

Consumers

http://www.microsoft.com/security/incident/mydoom.mspx

Note If your computer is infected with the Mydoom.B variant, you may not be able to access this Web site. However, you may be able to access the same information at the following Microsoft Web site:

http://www.microsoft.com/security/incident/mydoom.mspx

IT Professionals

http://www.microsoft.com/technet/security/alerts/mydoom.mspx


RESOLUTION
Microsoft has released a tool to remove Mydoom, Zindos, and Doomjuice worm variants and associated back door components from computers that are running any products that are listed in the "Applies to" section.

Important We also recommend that you use an Internet firewall and a current antivirus program, and that you keep both Windows and your programs up-to-date. Do not open file attachments in e-mail messages unless you can confirm with the sender that the attachment is safe.

For additional information about how to prevent viruses and recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:

129972 Computer viruses: description, prevention, and recovery

Note Because Mydoom.B can block access to some Web sites, including Microsoft.com and the Web sites of some antivirus vendors, you may have to download the Mydoom Worm Removal Tool from a computer that is not infected, and then transfer the tool to your infected computer by using a floppy disk or other removable media, such as a recordable CD-RW.

Download and setup information
If your computer is infected with a variant of the Mydoom, Zindos.A, Doomjuice.A, or Doomjuice.B worms, use Automatic Updates to download and install version 4.0 of the Mydoom Worm Removal Tool. Or, visit the following Microsoft Windows Update Web site, and then install the 836528 critical update:

http://windowsupdate.microsoft.com

Release Date: August 4, 2004

For additional information about Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:

294871 Description of the Automatic Updates feature in Windows

Release Date: July 30, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

The Mydoom Worm Removal Tool does not work on computers that run Microsoft Windows NT 4.0.

The Mydoom Worm Removal Tool is only available for English (US) versions of Windows. However, you can run the English (US) tool on any language version of Windows.

The Mydoom Worm Removal Tool does not perform the following actions:
 * Delete any e-mail messages that contain the Mydoom variants.
 * Protect you from future reinfection. Reinfection may occur if you run another infected e-mail attachment.
 * Detect or remove malicious programs, except for Zindos.A and Doomjuice variants A and B, that are on your computer because of the back door components that are created by Mydoom variants.

Many antivirus companies have written tools to remove these worms. Most up-to-date antivirus programs will also remove these worms.

Prerequisites
The Mydoom Worm Removal Tool has the following prerequisites:
 * Your computer must run Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Microsoft Windows 2000, or a 32-bit version of Windows Server 2003 or Windows XP.
 * You must log on as a computer administrator or as a member of the Administrators group.

For more information about how to determine whether a computer is running a 32-bit version of Windows XP or a 64-bit version of Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system

If these prerequisites are not met, the installation will not work, and you will receive an error message. For more information about the error message, view the following log file:

Windows Server 2003, Windows XP, or Windows 2000

%WINDIR%\Debug\Doomcln.log

Windows 98, Windows 98 Second Edition, Windows Millennium Edition

%WINDIR%\Doomcln.log

Usage information
Note Before you continue with the following steps, make sure that you back up all your important data.

When you install the Mydoom Worm Removal Tool version 4.0 and accept the end-user license agreement (EULA), the installation package extracts Doomcln.exe to a temporary folder, and then Doomcln.exe runs. Doomcln.exe checks your computer for the prerequisites that are listed in the "Prerequisites" section. If these prerequisites are met, Doomcln.exe performs the following steps:
 * 1) It checks for evidence of the Mydoom.A (Taskmon.exe), Mydoom.B (Explorer.exe), Mydoom.E (Taskmon.exe), Mydoom.F ( .exe), Mydoom.G ( .exe or  .scr), Mydoom.J (Taskmon.exe), Mydoom.L (Taskmon.exe), Mydoom.O (Java.exe, Services.exe), Zindos.A ( .exe), Doomjuice.A (Intrenat.exe), and Doomjuice.B worms in memory. If Doomcln.exe finds an infection, the worm process is ended.

Note Legitimate processes that are named Taskmon.exe, Services.exe, and Explorer.exe exist. These legitimate processes are not removed.
 * 2) It checks for the known Mydoom variants A, B, E, F, G, J, L, and O, Doomjuice variants A and B, and Zindos.A files on the hard disk and in the Run keys in the registry. If Doomcln.exe finds worm files, it deletes the worm files and removes the registry entries.
 * 3) It checks for evidence of the back door components that the Mydoom variants leave. If Doomcln.exe finds these components, it removes them from memory and from the registry, and then deletes them from the hard disk. The worm removes the Webcheck.dll and Stobject.dll entries in the registry, and Doomcln.exe replaces these entries.

Note To remove these components immediately, Doomcln.exe must restart Windows Explorer (Explorer.exe). Therefore, the taskbar disappears and reappears. This action should not affect any running applications.
 * 4) It checks for evidence that the Mydoom.B worm overwrote the Hosts file. If the worm overwrote the file, Doomcln.exe removes this version of the file and replaces it with the default Hosts file. The new Hosts file is marked as read-only.
 * 5) It checks for and removes a marker that the worm puts in the registry to indicate that it has already run.
 * 6) It displays a Windows message box that describes the outcome of the detection or removal. You may receive any one of the following messages:
   * No infection detected – Mydoom variants A, B, E, F, G, J, L, or O, Doomjuice variants A and B, and Zindos.A were not detected on this computer.
   * Successfully removed Mydoom.  – The variant of the Mydoom worm was removed, and you do not have to do anything else. The variant letter could be A, B, E, F, G, J, L, or O.
   * Successfully removed Zindos.A – Zindos.A was removed, and you do not have to do anything else.
   * Successfully removed Doomjuice.A – Doomjuice.A was removed, and you do not have to do anything else.
   * Successfully removed Doomjuice.B – Doomjuice.B was removed, and you do not have to do anything else.
   * This tool must be run by an administrator – To run the tool, you must log off and log back on by using an account with administrator credentials.
   * Fatal error, please review log file – Review the log file for errors, and then contact Microsoft Product Support Services (PSS) if you must.
   * Mydoom.  was detected, but could not be removed – Try to run the tool again, and check the log file for errors.
   * Mydoom.B was detected, but could not be removed – Try to run the tool again, and check the log file for errors.
   * Doomjuice.A was detected, but could not be removed – Try to run the tool again, and check the log file for errors.
   * Doomjuice.B was detected, but could not be removed – Try to run the tool again, and check the log file for errors.
   * Incorrect Windows version (Win32s) – This tool is not supported in Windows 3.1 with Win32s.
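Step 4 of the list above replaces a Hosts file that Mydoom.B has overwritten with the default file and marks it read-only. The following Python script is an added example of that check and repair, not Doomcln.exe or any Microsoft code: it parses a Hosts file, reports entries that override Microsoft or antivirus-vendor names, and writes a default file with the read-only attribute set. The watched-domain list, the default file content, and the sample tampered file are all assumptions constructed for the example; the page itself names only Microsoft.com and "some antivirus vendors".

```python
"""Hosts-file triage and repair modelled on the Hosts step described in the article.

Added example; not Doomcln.exe. The sample file, the watched domains and
the default content are constructed assumptions.
"""
import os
import stat
from typing import List, Tuple

# Constructed sample of a Hosts file after tampering: Microsoft and antivirus
# names are pinned to 0.0.0.0 or loopback so that updates cannot be fetched.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0  www.microsoft.com
0.0.0.0  windowsupdate.microsoft.com   # added by the worm
0.0.0.0  liveupdate.symantec.com
127.0.0.1  update.example-av.test
192.0.2.10      intranet.corp.example
"""

# Content written back when tampering is found (assumed default: localhost only).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Domains that a stock Hosts file never overrides (assumed, illustrative list).
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com", "example-av.test")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every non-comment entry.
    Inline '#' comments are stripped, as the Windows resolver does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_watched(hostname: str) -> bool:
    # Match the domain itself or any subdomain, on a label boundary only.
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text: str) -> List[Tuple[int, str, str]]:
    """Entries that map a watched domain to any address at all.
    Whether the target is 0.0.0.0, loopback or a third-party address, a
    mapping for these names is an override and is reported for review."""
    found = []
    for lineno, addr, hosts in parse_hosts(text):
        for h in hosts:
            if _is_watched(h):
                found.append((lineno, addr, h))
    return found


def is_tampered(text: str) -> bool:
    return bool(suspicious_entries(text))


def cleaned_hosts(text: str) -> str:
    """Same approach as the article's step 4: replace a tampered file with the
    default rather than editing around the worm's entries."""
    return DEFAULT_HOSTS if is_tampered(text) else text


def write_hosts_read_only(path: str, content: str) -> None:
    """Write the content and clear the write bits (the read-only attribute on Windows)."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)  # allow overwriting a read-only file
    with open(path, "w", newline="\n") as fh:
        fh.write(content)
    os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)


if __name__ == "__main__":
    for lineno, addr, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}")
    print("tampered:", is_tampered(SAMPLE_HOSTS))
```

Run as-is, the script triages the embedded sample. To check a real machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts to suspicious_entries and review the report before calling write_hosts_read_only, because an entry an administrator added deliberately for one of the watched domains would be reported in the same way.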

Restart requirement
You do not have to restart your computer after you install this tool.

Removal information
Doomcln.exe is automatically deleted from its temporary location after the Mydoom Worm Removal Tool runs. You can delete the tool’s installer after you install the Mydoom Worm Removal Tool.

The Mydoom Worm Removal Tool creates a log file that is named Doomcln.log in the %WINDIR%\debug folder in Windows Server 2003, Windows XP, and Windows 2000. The log file is created in the %WINDIR% folder in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition.

Note After you install the Mydoom Worm Removal Tool (KB 836528), it does not appear in the Add or Remove Programs list.

Command-line switches
The Mydoom Worm Removal Tool installer supports the following command-line switches:
 * /Q – Use Quiet mode or suppress messages when the files are being extracted.
 * /Q:U – Use User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
 * /Q:A – Use Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
 * /T:  – Specify the location of the temporary folder that is used by Setup, or the target folder for extracting files when you use the /C switch.
 * /C – Extract the files without installing them. If /T: path is not specified, you are prompted for a target folder.
 * /C:  – Specify the path and the name of an alternative Setup .inf file or an .exe file to use to install the tool.
 * /R:N – Never restart the computer after installation.
 * /R:I – Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
 * /R:A – Always restart the computer after installation.
 * /R:S – Restart the computer after installation without prompting the user.

Doomcln.exe supports the following command line switch:
 * /S – Enables silent mode for the tool. Therefore, this switch suppresses the infection status dialog box that you receive after the tool has run.


Frequently asked questions
'''Q1: Does this tool remove Mydoom?'''

A1: Version 4.0 of the Mydoom Worm Removal Tool helps remove the Mydoom variants A, B, E, F, G, J, L, O, Zindos.A, and the Doomjuice variants A and B worms from an infected computer that is running any product that is listed in the "Applies to" section.

'''Q2: Does this tool provide ongoing protection from Mydoom?'''

A2: No. The Mydoom Worm Removal Tool does not remain on your computer after it runs. Your computer can be reinfected if you run an infected e-mail attachment. The Mydoom Worm Removal Tool does not remove the Mydoom.A or Mydoom.B worms from infected e-mail messages.

'''Q3: Does this tool remove the back door components of Mydoom?'''

A3: Yes. The tool removes the back door components that Mydoom.A and Mydoom.B create.

For more information about back doors, visit the following Microsoft Web site:

http://www.microsoft.com/technet/itsolutions/msit/security/msirsec.mspx

The tool does not detect or remove malicious programs that exist on a computer because of the back door component, except for Zindos.A, and Doomjuice.A and B.

'''Q4: How is the Mydoom.A worm different from the Novarg worm?'''

A4: Mydoom.A, MiMail.R, and Novarg.A are the same worm. Different antivirus vendors sometimes use different names for the same viruses and worms.

'''Q5: How does this tool work?'''

A5: This tool is provided in an IExpress installation package. When you run the installer, the package extracts the Doomcln.exe file to a temporary folder and runs the Doomcln.exe file. Doomcln.exe version 4.0 removes any copies of the Mydoom variants A, B, E, F, G, J, L, O, Doomjuice A and B, and Zindos.A worms that exist on your computer. After Doomcln.exe has performed these actions, you receive a status dialog box, and then Doomcln.exe closes. Doomcln.exe is automatically deleted from the temporary folder, and the installer package can be deleted manually. For additional information about the IExpress installation package, visit the following Microsoft Web site:

http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/default.mspx

'''Q6: May I redistribute the Mydoom Worm Removal Tool?'''

A6: No. All customers must download the Mydoom Worm Removal Tool from the Microsoft Web site.

'''Q7: May I redistribute Doomcln.exe?'''

A7: No. Microsoft does not support the redistribution of Doomcln.exe.

'''Q8: Is this tool digitally signed by Microsoft?'''

A8: Yes. Both the installer package and Doomcln.exe are digitally signed by Microsoft.

'''Q9: Does this tool make any changes to my computer's configuration?'''

A9: Yes. If your computer is infected, the tool sets the read-only flag on the Hosts file to help prevent another attack. Also, the tool restores the Webcheck.dll entry in the registry. The Mydoom worm overwrites the Webcheck.dll entry as part of the infection.

'''Q10: Can this tool be removed (uninstalled)?'''

A10: Yes. See the "Removal information" section.

'''Q11: Will this tool be made available in other languages?'''

A11: Currently, this release is available only in English (US).

'''Q12: I am running a 64-bit version of Windows XP. Can I install this tool?'''

A12: No. This tool currently supports only 32-bit operating systems.

'''Q13: Is there a Windows Installer package for this tool?'''

A13: No. This tool uses an IExpress package for execution.

'''Q14: I ran a Mydoom removal tool from my antivirus vendor or I have an up-to-date antivirus program. Do I have to install this one too?'''

A14: Generally, no. Removal tools that are provided by antivirus vendors should remove any Mydoom infections. However, installing the Microsoft Mydoom Worm Removal Tool on an uninfected computer should have no negative effects.

'''Q15: Does this tool gather information from my computer and send it to Microsoft?'''

A15: No. No information is sent back to Microsoft when you install or run this tool.

'''Q16: I ran this tool and later found Explorer.exe or Taskmon.exe running on my system. Why did the tool not remove these files?'''

A16: Explorer.exe and Taskmon.exe are the file names of legitimate files and also the file names that are used by the Mydoom variants. If the tool did not remove those files, it is likely that the files are legitimate and not infected. To make sure, use an up-to-date antivirus program.

'''Q17: If this tool does not remove the Mydoom or Doomjuice worms from my computer, what should I do?'''

A17: Run an up-to-date antivirus program on your computer.

'''Q18: Does this tool create a log file to let me know if an infection was found or removed? If so, what is the name of the log file? Where is the log file located?'''

A18: See the "Usage information" section.

'''Q19: How do I know when this tool has finished running on my computer?'''

A19: After you click OK to confirm the results of the running of the tool, the tool has finished running on your computer. To verify the results, view the Doomcln.log log file. For more information, see the "Usage information" section.

'''Q20: I received a fatal error during installation of this tool. What does that mean?'''

A20: Review the Doomcln.log file. Some common fatal error messages are similar to the following:
 * Out of memory when trying to allocate or when creating a small internal journal for the log.
 * Failure of file deletion AND failure to set the attribute to delete the file on next reboot.
 * Failure to enumerate processes.

For more information about the Doomcln.log file, see the "Usage information" section.

'''Q21: Can I run this tool on a remote computer on my network?'''

A21: No.

'''Q22: Is this tool a replacement for an antivirus product?'''

A22: No. You should install and use an up-to-date antivirus program.

'''Q23: Will my antivirus program interfere with this tool?'''

A23: If your antivirus program is running on an infected computer when Doomcln.exe runs, the antivirus program may detect the Mydoom worm or worms and prevent Doomcln.exe from removing the Mydoom worm. In this case, you can use your antivirus program to remove the Mydoom infection.

Note Doomcln.exe does not contain a virus or a worm and should not, by itself, trigger your antivirus program. However, if a Mydoom, Zindos, or Doomjuice worm infected your computer before an up-to-date antivirus program was installed, and scheduled (or background) virus scanning is disabled, your antivirus program might not detect the worm until the Microsoft Mydoom Worm Removal Tool tries to remove the worm. In any other situation, the Mydoom Worm Removal Tool should not conflict or interfere with your antivirus program. You do not have to disable or remove your antivirus program when you install this tool.

'''Q24: How does this tool work with the System Restore feature in Windows XP?'''

A24: This tool does not create a system restore point.

'''Q25: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that require this tool?'''

A25: No.

'''Q26: What user rights and other prerequisites are required to run this tool?'''

A26: See the "Prerequisites" section.

'''Q27: Will this tool be part of Windows XP Service Pack 2?'''

A27: No.

'''Q28: How do I extract Doomcln.exe from the installer package?'''

A28: Run the installer package with the /T:  switch and with the /C switch to extract Doomcln.exe to the specified folder without running or deleting Doomcln.exe. For more information, see the "Command-line switches" section.

'''Q29: Why did my taskbar disappear and reappear when this tool executed?'''

A29: This behavior occurs when a computer is infected. The taskbar disappears and reappears because the tool must restart Windows Explorer to completely remove the infection. The effect is expected and should not interfere with any programs.

'''Q30: I ran an earlier version of the tool. Do I have to run the updated version now?'''

A30: Yes. We recommend that you run the newest version of the Mydoom Worm Removal Tool to make sure that you are not infected with the Mydoom variants E, F, G, J, L, or O, or the Zindos.A worm.

'''Q31: Windows Update and Automatic Updates do not offer this tool to me. Why?'''

A31: If your computer does not appear to be infected with Mydoom A, B, E, F, J, L, O, Zindos, or Doomjuice A or B worms, Windows Update and Automatic Updates will not offer you the tool.

'''Q32: What if my computer is infected with multiple MyDoom variants?'''

A32: The Mydoom Worm Removal Tool will remove all variants that it finds, but the Windows message box that is displayed at the end of the removal process will list only the last variant that the tool removed.

Keywords: kberrmsg kbinfo kbvirus kbprb KB836528

-


© Microsoft Corporation. All rights reserved.