We successfully removed the MyDoom worm from a client's computer recently and found that it -- or some process -- had spawned 10,000 executable files on the hard disk, about 10% of the total number of files. It also (apparently) created 2800 empty compressed folders. Both the executables and the folders had randomly generated names. Surprisingly, once we killed the infection, the operating system (Windows XP Home Edition) ran fine. But the client's photos and data files were mostly gone.
Tip: Make sure your virus detection program's definitions are up to date, and that you have a firewall in place. Back up your data files, and back up your entire hard drive, too!
Malware writers often give their creations their own network connections (listening or outbound TCP ports) so that the program is not dependent on email alone to spread or to be controlled. That's how Mydoom works. Technically a program that does this is not a virus but a worm: a virus attaches itself to existing files and needs a host program, while a worm is a self-contained program that copies itself from machine to machine over the network.
The backdoor this worm installs lets an attacker read and exfiltrate confidential information, launch denial of service attacks against servers, and take remote control of the computer and, through it, reach the rest of the network. There are now several versions of Mydoom in circulation. Here's how Mydoom.A works:
First it spreads by email, as a brief message with an executable attachment, and through peer-to-peer file-sharing programs like KaZaA, where it copies itself into the shared folder under an enticing name. Then, during a fixed date window in February 2004, it takes part in a distributed denial of service* attack against the website www.sco.com by requesting a web page every 1,024 milliseconds; one machine doing that is harmless, but the same request stream from every infected PC at once is not. Mydoom.A also drops a DLL file** named shimgapi.dll into the Windows system directory and registers it so that Windows loads it automatically; this DLL is the backdoor. It listens on the first TCP port it can open in a fixed range (3127 to 3198 according to the vendor analyses), and through that port an attacker can push an executable to the machine and run it, or use the machine as a TCP proxy, relaying connections to other network resources while hiding behind the infected PC. Note that the SCO attack stops after the scheduled dates, but the backdoor does not: a machine that no longer floods www.sco.com is still not clean until the DLL and its registry entry are removed.
*Denial of service attack: By flooding a server or network with more traffic or requests than it can handle, attackers exhaust its bandwidth, connection table or processing capacity. Legitimate users then get slow responses or none at all, and sometimes the server crashes outright. In a distributed denial of service (DDoS) attack the flood comes from many compromised machines at once (here, every Mydoom-infected PC), which multiplies the volume and makes it impractical to block by source address. This is a favorite technique of network saboteurs.
**DLL: Dynamic Link Library. An executable file containing a set of functions that other applications can call at runtime. DLLs generally have no graphical user interface and are loaded by applications without user intervention. A DLL runs inside the process that loads it, so its code inherits that program's privileges and appears in Task Manager as that program rather than as a separate process; Mydoom's shimgapi.dll is loaded by Windows Explorer, which is why the backdoor is easy to overlook in a process list.
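The two network-visible behaviours described above, the backdoor listener and the timed request stream to www.sco.com, can both be spotted from ordinary diagnostic data. The script below is an added example written for this page, not code from any antivirus vendor or from the original article. It runs over constructed sample data (a `netstat -an`-style listing and a handful of proxy-log lines in an assumed `timestamp client method host` format); the 3127 to 3198 port range is taken from public vendor analyses of Mydoom.A and is not stated on this page.

```python
"""Detect the two network-visible traits of Mydoom.A: a backdoor listener
in the 3127-3198 range and a fixed-interval request stream to www.sco.com.
Added example for this page; the port range is from vendor write-ups."""
import re
from datetime import datetime, timedelta
from statistics import median

# Assumption (from public vendor analyses, not from this page): the backdoor
# listens on the first free TCP port between 3127 and 3198 inclusive.
BACKDOOR_PORTS = range(3127, 3199)
DDOS_TARGET = "www.sco.com"
DDOS_INTERVAL_MS = 1024  # request cadence given in the text

# Constructed sample: Windows XP "netstat -an" output with one Mydoom-style
# listener mixed in among ordinary services.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1054      64.12.24.66:80         ESTABLISHED
"""

# Constructed sample proxy/firewall log (assumed format: date time client
# method host). Host .20 beacons every 1024 ms; host .21 is normal browsing.
PROXY_LOG_SAMPLE = """\
2004-02-01 10:00:00.000 192.168.1.20 GET www.sco.com
2004-02-01 10:00:01.024 192.168.1.20 GET www.sco.com
2004-02-01 10:00:02.048 192.168.1.20 GET www.sco.com
2004-02-01 10:00:03.072 192.168.1.20 GET www.sco.com
2004-02-01 10:00:04.096 192.168.1.20 GET www.sco.com
2004-02-01 10:00:00.500 192.168.1.21 GET www.example.com
2004-02-01 10:00:07.900 192.168.1.21 GET www.sco.com
2004-02-01 10:00:30.000 192.168.1.21 GET www.sco.com
"""

# Matches a LISTENING TCP socket and captures its local address and port.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)


def find_backdoor_listeners(netstat_text):
    """Return (address, port) pairs for TCP listeners inside the backdoor range."""
    hits = []
    for addr, port in NETSTAT_RE.findall(netstat_text):
        if int(port) in BACKDOOR_PORTS:
            hits.append((addr, int(port)))
    return hits


def find_ddos_clients(log_text, min_requests=4, tolerance_ms=100):
    """Return client IPs whose requests to the DDoS target arrive at a steady
    interval close to DDOS_INTERVAL_MS. A browser hitting the same site a few
    times at irregular gaps is not flagged; a metronome-like stream is."""
    per_client = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != DDOS_TARGET:
            continue
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        per_client.setdefault(parts[2], []).append(stamp)

    flagged = []
    for client, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        # Integer millisecond gaps between consecutive requests.
        gaps_ms = [(b - a) // timedelta(milliseconds=1)
                   for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps_ms) - DDOS_INTERVAL_MS) <= tolerance_ms:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(NETSTAT_SAMPLE))
    print("hosts flooding %s:" % DDOS_TARGET, find_ddos_clients(PROXY_LOG_SAMPLE))
```

On a real machine, feed `find_backdoor_listeners` the output of `netstat -an` and `find_ddos_clients` your proxy or firewall log after adjusting the line parser to its format. The median of the gaps is used rather than the mean so that one dropped or delayed request does not hide a beacon, and a short run of hits on the target is ignored because a person reading the SCO site looks nothing like a request every 1,024 ms.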