RE: FN-FORUM: Mydoom virus- how to get rid of it?
date posted 1st February 2004 16:48
> If you read to the bottom of that page you sent, it says just
> what I said:
> "Recovery.
> Identify and terminate the virus process (explorer.exe) using
> the Windows Task Manager, taskkill.exe (Windows XP), tlist.exe and
> kill.exe (Windows NT/2000 Resource Kit), or a third party
> utility. (etc)"
>
> Not being able to delete a virus 'cos it is active is hardly rare.
My point was that James' message makes it look like he's
not infected by the virus, but merely has a copy of it
in his e-mail. The file could be undeleteable if, for
example, his e-mail client is currently running and has
the file open, or the file is held open if he's running
the SMTP component of IIS.
I haven't seen any copies of MyDoom thus far which have any
scripting with them to try to run the virus even if the
message has been viewed in the Outlook (Express) preview
pane. Therefore, if James hasn't double clicked an attachment,
he should not be /infected/ by the virus. The fact that AVG
has spotted the virus in a .eml file (rather than
%windir%\system32\explorer.exe or %windir%\system32\ctfmon.dll)
would seem to support that. AVG should also spot the registry
changes that go along with a MyDoom infection, if it's
worth its salt.
Anyway, I was trying to inject a little calm since it sounds
like James' machine isn't infected and he needn't fly into a
panic.
Lastly, CERT's instructions to kill explorer.exe are a trifle
unhelpful: NT, 2k and XP (and I think 95 et al.) always have
a running explorer.exe process, so it's easy to read that
part of the advisory and fly into a panic if the other signs
of infection mentioned further up in the advisory aren't
heeded (.exe, .dll, registry changes).
Regards,
--Chris
Chris Marshall
Secure Systems Integration Ltd
Web: http://www.secure-si.co.uk/
Tel: +44 (0) 7970 459 553
Fax: +44 (0) 1954 201 741
E-mail: [EMAIL REMOVED]
Pager: [EMAIL REMOVED]
(short message only)
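The distinction Chris draws above (a worm copy sitting in a mail store versus the dropped files and a suspicious explorer.exe process that mark a real infection) can be written down as a small triage rule. The following Python helper is an added example and is not code from the thread or from any AV vendor; the Windows directory, the sample paths and the process list are constructed, and the "registry changes" indicator mentioned in the post is not modelled because the post gives no specifics.

```python
"""Triage helper for the MyDoom discussion above (added example, not part of
the thread).  It separates two situations the post distinguishes:

  1. the AV flagged a copy of the worm inside a mail store (.eml), which means
     the message arrived but nothing was executed; the file may be undeletable
     simply because the mail client holds it open, and
  2. the worm's dropped files are present in %windir%\\system32 (explorer.exe,
     ctfmon.dll), which points to an actual infection.

It also encodes the post's caveat: a running explorer.exe is normal on
NT/2000/XP as long as it runs from %windir%, not from %windir%\\system32.
All paths and process entries used here are constructed for illustration.
"""
import ntpath

# Assumed Windows directory; on a real host read %windir% from the environment.
WINDIR = r"C:\WINDOWS"

# Dropped-file names the post lists as MyDoom infection indicators.
DROPPED_FILES = {"explorer.exe", "ctfmon.dll"}
# Mail-store extension mentioned in the post; extend for your own client.
MAIL_STORE_EXTENSIONS = {".eml"}


def _norm(path):
    """Case-fold and normalise a Windows path so comparisons work on any OS."""
    return ntpath.normcase(ntpath.normpath(path))


def classify_detection(path):
    """Classify an AV hit by where the flagged file lives.

    Returns 'mail-store-copy', 'dropped-file' or 'other'."""
    p = _norm(path)
    name = ntpath.basename(p)
    ext = ntpath.splitext(name)[1]
    if ext in MAIL_STORE_EXTENSIONS:
        return "mail-store-copy"
    system32 = _norm(ntpath.join(WINDIR, "system32"))
    if ntpath.dirname(p) == system32 and name in DROPPED_FILES:
        return "dropped-file"
    return "other"


def explorer_is_expected(image_path):
    """True if this explorer.exe is the normal shell (runs from %windir%);
    False if it runs from system32, where the post says the worm drops
    its copy.  Non-explorer images are not judged and return True."""
    p = _norm(image_path)
    if ntpath.basename(p) != "explorer.exe":
        return True
    return ntpath.dirname(p) == _norm(WINDIR)


def triage(detections, processes):
    """detections: file paths the AV flagged.
    processes:  (name, image_path) pairs from a process listing.
    Returns (verdict, indicators) where verdict is one of
    'infected', 'message-only' or 'no-indicators'."""
    indicators = []
    for d in detections:
        if classify_detection(d) == "dropped-file":
            indicators.append(f"dropped file present: {d}")
    for name, image in processes:
        if name.lower() == "explorer.exe" and not explorer_is_expected(image):
            indicators.append(f"explorer.exe running from unexpected location: {image}")
    if indicators:
        return "infected", indicators
    if any(classify_detection(d) == "mail-store-copy" for d in detections):
        return "message-only", [
            "worm copy found only in a mail store; close the mail client "
            "and delete or quarantine the message, no process to kill"
        ]
    return "no-indicators", []


if __name__ == "__main__":
    # Constructed scenario matching James' situation: one .eml hit, normal shell.
    verdict, why = triage(
        [r"C:\Documents and Settings\james\mail\inbox\12345.eml"],
        [("explorer.exe", r"C:\WINDOWS\explorer.exe")],
    )
    print(verdict, why)
```

The point of `explorer_is_expected` is exactly the trap in the advisory wording: seeing an explorer.exe process is not evidence of anything, so the check keys on the image path rather than the process name, and the triage only escalates when a dropped file or a mislocated process is actually observed.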