Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


EXPLORER.EXE PROCESS INFORMATION

Process Name  : Explorer.exe

Process Path : %SYSTEM%\explorer.exe [ please note that Windows explorer.exe will load from %Windows% folder. Not from Windows system folder ]

Malware Name  : W32.Mydoom.B@mm

Alias             : I-Worm/Mydoom.b, W32/Mydoom-B, W32/Mydoom.B@mm, WORM_MYDOOM.B 

Process Type    : Mass mailing Internet worm

Threat level : Medium

Process details :

                     Explorer.exe is the main componet dropped by Mydoom.b worm in Windows system folder. It is a modified variant of mydoom worm, uses  e-mail addresses collected from .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt files to distribute infected messages. Mydoom.b worm arrives as an e-mail attachment. The infected attachment name, subject, and message body is randomly chosen by the worm. 

                     When the infected attachment is executed, it displays the error message "Not enough memory to load this file" and copies itself to Windows system folder as "explorer.exe" in the background. It also drops a backdoor file ctfmon.dll in the system folder.

                     Mydoom.b modifies registry run section to load automatically on the next startup. The registry modification is given below.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer"= C:\%SYSTEM%\explorer.exe 

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]

The worm also creates following additional key to run the backdoor program.

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

                      Mydoom.b worm contains backdoor abilities and it allows hackers to connect to the infected system. It also spreads using KaZaA P2P network. Mydoom.b contains payload to perform DoS attack on www.sco.com and www.microsoft.com. It also blocks access to several security sites. Mydoom.b worm is detected on 28th January 2004.

How can I protect my system?

                   Solo has incorporated W32.Mydoom.B@mm infected explorer.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   Solo antivirus can detect and remove W32.Mydoom.B@mm worm safely. If you are already infected with this Worm, you can remove it from your computer using Solo Antivirus software.  Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link