Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Worm:Win32/Mydoom.AL@mm
Detected by Microsoft Defender Antivirus
Aliases: W32/Mydoom.at@MM (McAfee) W32.Mydoom.AL@mm (Symantec)
Summary
Win32/Mydoom.AL@mm is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm spreads by e-mailing itself to computers and also through the ICQ Instant Messenger program. It disables certain security-related software such as the Windows firewall and certain antivirus programs.
To manually recover from infection by Win32/Mydoom.AL@mm, perform the following steps:
-
Disconnect from the Internet.
-
Restart your computer in safe mode.
-
Delete the worm file from your computer.
-
Delete the worm registry entry.
-
Restart your computer.
-
Take steps to prevent re-infection.
Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, you should disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.
Restart your computer in safe mode
To start your computer in safe mode
-
Remove all floppy disks and CDs from your computer, and then restart your computer.
-
When prompted, press F8. If Windows starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.
-
From the Windows Advanced Options Menu, select a safe mode option.
Delete the worm file from your computer
To delete the worm file from your computer
-
Click Start, and then click Run.
-
In the Open field, type %windir%
-
Press Enter.
-
Click the Name column to sort files by name.
-
Delete the file services.exe.
Delete the worm registry entry
Win32/Mydoom.AN@mm creates an entry in the Windows registry that attempts to run the worm every time your computer restarts. This entry should be deleted.
To delete the worm registry entry
-
Click Start, and then click Run.
-
In the Open field, type regedit
-
Press Enter.
-
In the left pane of the Registry Editory, navigate to the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services -
Right-click the subkey: NetBios Ext32
-
Click Delete and click Yes to delete the subkey.
-
Close the Registry Editor.
Restart your computer
To restart your computer
-
On the Start menu, click Shut Down.
-
Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Proactive Instructions" section for more information.
Follow us
