Digital Divas: March 3, 2004


The information contained in this article is only valid at the time of publication and will not be updated. Please search the Resnet site if you have questions.

A new file-deleting worm hit the campus early Tuesday morning; the worm is a new variation of the MyDoom virus. The MyDoom.F worm spreads through mass emails, often with very sophisticated spoofing. The spoofing can make you think that the virus is coming from someone you know, or from some address that sounds reasonably close to someone you should know.

Among other things, this worm may randomly delete files from your hard drive, including Microsoft Word and Excel files. The worm comes packaged in a zip file with one of a variety of names attached to a mail message with a forged From: line. (A detailed list is posted on the Symantec site referenced below.) The text of the message may be something unnerving such as, "I know your password" or "We've charged your credit card."

Symantec has released new (2/23) virus definitions to identify and protect against this new worm, so please update now. And continue to be very cautious about opening any file attachments unless you are very sure of what they are.

Your computer will become infected if you open the attachments. Never open attachments from a sender you do not know. If you suspect you have become infected, run the removal tool. Once infected, there is no known way to recover the files that are deleted. Update: some students have been able to recover files using PC Inspector File Recovery 3.0.

Systems affected include Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. Linux and Macintosh are not affected.

A tutorial on how to back up your files can be found here:

http://www.barnard.edu/resnet/PCbackup.html

To clean your system of the infection, follow the removal instructions and use the removal tool on Symantec’s website:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html

The page that has the link to the removal tool is here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

And the direct link to the removal tool is here:

http://securityresponse.symantec.com/avcenter/FxMydoom.exe



Instructions for Removing MyDoom.F

  1. If you have Windows XP or ME (you can check by clicking once on the Start menu; it should give your version of Windows in a vertical bar to the left of the Start menu items), disable System Restore: go to Start Menu -> Settings -> Control Panel -> System -> System Restore tab, then check ‘disable system restore’. Skip this step if you are using any other version of Windows.
  2. If you have internet access, visit this site.
    - Click once on the link at the very bottom of the page, the direct link to the virus removal tool.
    - Hit “save”.
    - Choose the desktop as a location to download it to.
    - Hit “save”.
    - Wait for it to download, then check your desktop to see if the icon is there (it looks like a hammer and chisel and says FxMyDoom).

    If you don’t have internet access, go to the Lehman computer center and pick up a MyDoom.F removal tool disk.
  3. Restart the computer in Safe Mode. Here’s how:
    - Tell the computer to restart.
    - As it’s booting up, press the F8 key every 2 seconds.
    - You should get the option to start up in safe mode, or it should start automatically and you’ll see “safe mode” written on the sides of your screen.
    - Safe mode looks kind of weird and pixelated.
    - Run the removal tool by double-clicking on the desktop icon FxMyDoom.
  4. Restart in normal mode. This happens automatically when you tell Windows to restart.
  5. Update your virus definitions:
    - Open Symantec/Norton Antivirus (they’re the same thing). One way you can do this is by clicking on the little gold shield icon in the right hand corner of the computer screen. (If you do not have Norton installed on your machine, you can download it from Columbia’s website at http://www.columbia.edu/acis/software/nav/ )
    - Click on the Live Update button in the window that opens up.
    - Click ‘start’ to run Live Update.
    - Click ‘close’ to close the window when it’s finished.
    - Run a virus scan: go to the scan menu, choose “scan computer,” click once on the box next to “local disk,” then click on “scan”.
    - Do a Windows update. You can do this from the Microsoft update website, http://v4.windowsupdate.microsoft.com/en/default.asp