Mydoom, Zindos, and Doomjuice Worm Removal Tool
Note The Windows Update Web site and Automatic Updates do not detect whether a computer is infected with the Mydoom.G variant, but the tool that is offered by Windows Update does remove the Mydoom.G variant. If your computer is infected with only the Mydoom.G variant, Windows Update will not offer you the tool. If your computer is infected with multiple variants of Mydoom, Windows Update will offer you the tool. If you do not know whether your computer is infected with the Mydoom.G variant, and Windows Update does not offer you the Mydoom Worm Removal Tool, you can manually download and run the tool from the Microsoft Download Center.
- April 11, 2011: Microsoft replaced this tool with the Microsoft Safety Scanner. For additional information about the Microsoft Safety Scanner, click: visit: www.microsoft.com/security/scanner/
- August 4, 2004: Version 4.0 of the Mydoom Worm Removal Tool released to the Windows Update Web site.
- July 30, 2004: Version 4.0 of the Mydoom Worm Removal Tool released to the Microsoft Download Center. This version adds support for detecting and removing Mydoom variants E, F, G, J, L, O, and the Zindos.A worm.
- February 20, 2004: Microsoft released version 3.0 of the Mydoom Worm Removal Tool to the Windows Update Web site. Version 3.0 replaces version 2.0 as a critical update for computers that appear to be infected with MyDoom.A, MyDoom.B, or Doomjuice.A and are running any one of the products that are listed in the"Applies to" section.
- February 13, 2004: Microsoft released version 2.0 of the Mydoom Worm Removal Tool to the Microsoft Windows Update Web site. Version 2.0 is a critical update for computers that appear to be infected with MyDoom.A, MyDoom.B, or Doomjuice.A and are running any one of the products that are listed in the “Applies to” section.
- February 11, 2004: Microsoft released version 3.0 of the Mydoom Worm Removal Tool to the Microsoft Download Center. Version 3.0 adds support for detecting and removing the Doomjuice.B worm. If you have already run version 1.0 or version 2.0, we recommend that you run version 3.0 to help make sure that you are not infected with the Doomjuice.B worm.
- February 9, 2004: Microsoft released version 2.0 of the Mydoom Worm Removal Tool to the Microsoft Download Center. Version 2.0 adds support for detecting and for removing the Doomjuice.A, or Mydoom.C, worm. Additionally, version 2.0 runs on Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and 32-bit versions of Microsoft Windows Server 2003.
- February 5, 2004: Microsoft released Version 1.0 of the MyDoom Removal Tool to the Microsoft Download Center. Version 1.0 detects and removes Mydoom.A and Mydoom.B worms and runs in Microsoft Windows XP and in Microsoft Windows 2000.
- Your computer performance is decreased or your network connection is slow.
- Contacts in your address book may report that they received an e-mail message from you that you did not send.
- You may not be able to access some Web sites. For example, you may not be able to access Microsoft Web sites or the Web sites of some antivirus vendors.
Mydoom leaves a program, known as a back door, on infected computers. This back door can potentially allow an attacker to access infected computers. The back door that is created by Mydoom.O also tries to connect to other infected hosts and to create a pseudo peer-to-peer network. The Doomjuice.A, Doomjuice.B, and Zindos.A worms exploit this back door to spread themselves.
The Zindos.A worm performs a distributed denial of service (DDoS) attack against www.microsoft.com. The Mydoom.B worm blocks access to some Web sites, including Microsoft.com and the Web sites of some antivirus vendors. Therefore, you may not be able to access Web sites to obtain security updates and updated antivirus signatures.
For more information about how to determine whether your computer is infected with a Mydoom, Zindos, or Doomjuice variant, visit the following Microsoft Web sites:
ImportantWe also recommend that you use an Internet firewall and a current antivirus program, and that you keep both Windows and your programs up-to-date. Do not open file attachments in e-mail messages unless you can confirm with the sender that the attachment is safe.
For additional information about how to prevent viruses and recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:
Download and setup informationIf your computer is infected with a variant of the Mydoom, Zindos.A, Doomjuice.A, or Doomjuice.B worms, use Automatic Updates to download and install version 4.0 of the Mydoom Worm Removal Tool. Or, visit the following Microsoft Windows Update Web site, and then install the 836528 critical update:
Release Date: August 4, 2004
For additional information about Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
The Mydoom Worm Removal Tool does not work on computers that run Microsoft Windows NT 4.0.
The Mydoom Worm Removal Tool is only available for English (US) versions of Windows. However, you can run the English (US) tool on any language version of Windows.
The Mydoom Worm Removal Tool does not perform the following actions:
- Delete any e-mail messages that contain the Mydoom variants.
- Protect you from future reinfection. Reinfection may occur if you run another infected e-mail attachment.
- Detect or remove malicious programs, except for Zindos.A and Doomjuice variants A and B, that are on your computer because of the back door components that are created by Mydoom variants.
PrerequisitesThe Mydoom Worm Removal Tool has the following prerequisites:
- Your computer must run Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Microsoft Windows 2000, or a 32-bit version of Windows Server 2003 or Windows XP.
- You must log on as a computer administrator or as a member of the Administrators group.
Windows 98, Windows 98 Second Edition, Windows Millennium Edition
Usage informationNoteBefore you continue with the following steps, make sure that you back up all your important data.
When you install the Mydoom Worm Removal Tool version 4.0 and accept the end-user license agreement (EULA), the installation package extracts Doomcln.exe to a temporary folder, and then Doomcln.exe runs. Doomcln.exe checks your computer for the prerequisites that are listed in the "Prerequisites" section. If these prerequisites are met, Doomcln.exe performs the following steps:
- It checks for evidence of the Mydoom.A (Taskmon.exe), Mydoom.B (Explorer.exe), Mydoom.E (Taskmon.exe), Mydoom.F (random_file.exe), Mydoom.G (random_file.exe orrandom_file.scr), Mydoom.J (Taskmon.exe), Mydoom.L (Taskmon.exe), Mydoom.O (Java.exe, Services.exe), Zindos.A (random_file.exe), Doomjuice.A (Intrenat.exe), and Doomjuice.B worms in memory. If Doomcln.exe finds an infection, the worm process is ended.
NoteLegitimate processes that are named Taskmon.exe, Services.exe, and Explorer.exe exist. These legitimate processes are not removed.
- It checks for the known Mydoom variants A, B, E, F, G, J, L, and O, Doomjuice variants A and B, and Zindos.A files on the hard disk and in the Runkeys in the registry. If Doomcln.exe finds worm files, it deletes the worm files and removes the registry entries.
- It checks for evidence of the back door components that the Mydoom variants leave. If Doomcln.exe finds these components, it removes them from memory and from the registry, and then deletes them from the hard disk. The worm removes the Webcheck.dll and Stobject.dll entries in the registry, and Doomcln.exe replaces these entries.
NoteTo remove these components immediately, Doomcln.exe must restart Windows Explorer (Explorer.exe). Therefore, the taskbar disappears and reappears. This action should not affect any running applications.
- It checks for evidence that the Mydoom.B worm overwrote the Hosts file. If the worm overwrote the file, Doomcln.exe removes this version of the file and replaces it with the default Hosts file. The new Hosts file is marked as read-only.
- It checks for and removes a marker that the worm puts in the registry to indicate that it has already run.
- It displays a Windows message box that describes the outcome of the detection or removal. You may receive any one of the following messages:
- No infection detected– Mydoom variants A, B, E, F, G, J, L, or O, Doomjuice variants A and B, and Zindos.A were not detected on this computer.
- Successfully removed Mydoom. variant-letter– The variant of Mydoom worm was removed, and you do not have to do anything else. The variant-lettercould be A, B, E, F, G, J, L, or O.
- Successfully removed Zindos.A– Zindos.A was removed, and you do not have to do anything else.
- Successfully removed Doomjuice.A- Doomjuice.A was removed, and you do not have to do anything else.
- Successfully removed Doomjuice.B- Doomjuice.B was removed, and you do not have to do anything else.
- This tool must be run by an administrator– To run the tool, you must log off and log back on using an account with administrator credentials.
- Fatal error, please review log file– Review the log file for errors, and then contact Microsoft Product Support Services (PSS) if you must.
- Mydoom. variant-letterwas detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
- Mydoom.B was detected, but could not be removed– Try to reexecute the tool, and check the log file for errors.
- Doomjuice.A was detected, but could not be removed– Try to reexecute the tool, and check the log file for errors.
- Doomjuice.B was detected, but could not be removed– Try to reexecute the tool, and check the log file for errors.
- Incorrect Windows version (Win32s)– This tool is not supported in Windows 3.1 with Win32s.
Restart requirementYou do not have to restart your computer after you install this tool.
Removal informationDoomcln.exe is automatically deleted from its temporary location after the Mydoom Worm Removal Tool runs. You can delete the tool’s installer after you install the Mydoom Worm Removal Tool.
The Mydoom Worm Removal Tool creates a log file that is named Doomcln.log in the %WINDIR%\debug folder in Windows Server 2003, Windows XP, and Windows 2000. The log file is created in the %WINDIR% folder in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition.
NoteAfter you install the Mydoom Worm Removal Tool (KB 836528), it does not appear in the Add or Remove Programslist.
Command-line switchesThe Mydoom Worm Removal Tool installer supports the following command-line switches:
- /Q– Use Quiet mode or suppress messages when the files are being extracted.
- /Q:U- Use User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
- /Q:A- Use Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
- /T: path– Specify the location of the temporary folder that is used by Setup or the target folder for extracting files, when you use the /c switch.
- /C– Extract the files without installing them. If /t: path is not specified, you are prompted for a target folder.
- /C: cmd– Specify the path and the name of an alternative Setup .inf file or an .exe file to use to install the tool.
- /R:N- Never restart the computer after installation.
- /R:I- Prompt the user to restart the computer if a restart is required, except when this switch is used with the /q:a switch.
- /R:A- Always restart the computer after installation.
- /R:S- Restart the computer after installation without prompting the user
- /S– Enables silent mode for the tool. Therefore, this switch suppresses the infection status dialog box that you receive after the tool has run.
Frequently asked questions
- Q1: Does this tool remove Mydoom?
A1: Version 4.0 of the Mydoom Worm Removal Tool helps remove the Mydoom variants A, B, E, F, G, J, L, O, Zindos.A, and the Doomjuice variants A and B worms from an infected computer that is running any product that is listed in the "Applies to" section.
- Q2: Does this tool provide ongoing protection from Mydoom?
A2: No. The Mydoom Worm Removal Tool does not remain on your computer after it runs. Your computer can be reinfected if you run an infected e-mail attachment. The Mydoom Worm Removal Tool does not remove the Mydoom.A or Mydoom.B worms from infected e-mail messages.
- Q3: Does this tool remove the back door components of Mydoom?
A3: Yes. The tool removes the back door components that Mydoom.A and Mydoom.B create.
For more information about back doors, visit the following Microsoft Web site:
- Q4: How is the Mydoom.A worm different from the Novarg worm?
A4: Mydoom.A, MiMail.R, and Novarg.A are the same worms. Sometimes different antivirus vendors use different names for the same viruses and worms.
- Q5: How does this tool work?
A5: This tool is provided in an IExpress installation package. When you run the installer, the package extracts the Doomcln.exe file to a temporary folder and runs the Doomcln.exe file. Doomcln.exe version 4.0 removes any copies of the Mydoom.variants A, B, E, F, G, J, L, O, Doomjuice A and B, and Zindos.A worms that exist on your computer. After Doomcln.exe has performed these actions, you receive a status dialog box, and then Doomcln.exe closes. Doomcln.exe is automatically deleted from the temporary folder, and the installer package can be deleted manually. For additional information about the IExpress installation package, visit the following Microsoft Web site:
- Q6: May I redistribute the Mydoom Worm Removal Tool?
A6: No. All customers must download the Mydoom Worm Removal Tool from the Microsoft Web site.
- Q7: May I redistribute Doomcln.exe?
A7: No. Microsoft does not support the redistribution of Doomcln.exe.
- Q8: Is this tool digitally signed by Microsoft?
A8: Yes. Both the installer package and Doomcln.exe are digitally signed by Microsoft.
- Q9: Does this tool make any changes to my computer's configuration?
A9: Yes. If your computer is infected, the tool sets the read-only flag on the Hosts file to help prevent another attack. Also, the tool restores the Webcheck.dll entry in the registry. The Mydoom worm overwrites the Webcheck.dll entry as part of the infection.
- Q10: Can this tool be removed (uninstalled)?
A10: Yes. See the "Removal information" section.
- Q11: Will this tool be made available in other languages?
A11: Currently, this release is vailable only in English (US).
- Q12: I am running a 64-bit version of Windows XP. Can I install this tool?
A12: No. This tool currently supports only 32-bit operating systems.
- Q13: Is there a Windows Installer package for this tool?
A13: No. This tool uses an IExpress package for execution.
- Q14: I ran a Mydoom removal tool from my antivirus vendor or I have an up-to-date antivirus program. Do I have to install this one too?
A14: Generally, no. Removal tools that are provided by antivirus vendors should remove any Mydoom infections. However, installing the Microsoft Mydoom Worm Removal Tool on an uninfected computer should have no negative effects.
- Q15: Does this tool gather information from my computer and send it to Microsoft?
A15: No. No information is sent back to Microsoft when you install or run this tool.
- Q16: I ran this tool and later found Explorer.exe or Taskmon.exe running on my system. Why did the tool not remove these files?
A16: Explorer.exe and Taskmon.exe are the file names of legitimate files and the file names that are used by the Mydoom variants. If the tool did not remove those files, it is likely that the files are legitimate and not infected. To make sure, use an up-to-date antivirus program.
- Q17: If this tool does not remove the Mydoom or Doomjuice worms from my computer, what should I do?
A17: Run an up-to-date antivirus program on your computer.
- Q18: Does this tool create a log file to let me know if an infection was found or removed? If so, what is the name of the log file? Where is the log file located?
A18: See the "Usage information" section.
- Q19: How do I know when this tool has finished running on my computer?
- A19: After you click OKto confirm the results of the running of the tool, the tool has finished running on your computer. To verify the results, view the Doomcln.log log file. For more information, see the "Usage information" section.
- Q20: I received a fatal error during installation of this tool. What does that mean?
A20: Review the Doomcln.log file. Some common fatal error messages are similar to the following fatal error messages:Out of memory when trying to allocate or when creating a small internal journal for the log.Failure of file deletion AND failure to set the attribute to delete the file on next reboot.Failure to enumerate processes.For more information about the Doomcln.log file, see the "Usage information" section.
- Q21: Can I run this tool on a remote computer on my network?
- Q22: Is this tool a replacement for an antivirus product?
A22: No. You should install and use an up-to-date antivirus program.
- Q23: Will my antivirus program interfere with this tool?
A23: If your antivirus program is running on an infected computer when Doomcln.exe runs, the antivirus program may detect the Mydoom worm or worms and prevent Doomcln.exe from removing the Mydoom worm. In this case, you can use your antivirus program to remove the Mydoom infection.
NoteDoomcln.exe does not contain a virus or a worm and should not, by itself, trigger your antivirus program. However, if a Mydoom, Zindos, or Doomjuice worm infected your computer before an up-to-date antivirus program was installed, and scheduled (or background) virus scanning is disabled, your antivirus program might not detect the worm until the Microsoft Mydoom Worm Removal Tool tries to remove the worm. In any situation other than this situation, the Mydoom Worm Removal Tool should not conflict or interfere with your antivirus program. You do not have to disable or remove your antivirus program when you install this tool.
- Q24: How does this tool work with the System Restore feature in Windows XP?
A24: This tool does not create a system restore point.
- Q25: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that require this tool?
- Q26: What user rights and other prerequisites are required to run this tool?
A26: See the "Prerequisites" section.
- Q27: Will this tool be part of Windows XP Service Pack 2?
- Q28: How do I extract Doomcln.exe from the installer package?
A28: Run the installer package with the /T: pathswitch and with the /Cswitch to extract Doomcln.exe to the specified pathwithout running or deleting Doomcln.exe. For more information, see the "Command-line switches" section.
- Q29: Why did my taskbar disappear and reappear when this tool executed?
A29: This behavior occurs when a computer is infected. The taskbar disappears and reappears because the tool must restart Windows Explorer to completely remove the infection. The effect is expected and should not interfere with any programs.
- Q30: I ran an earlier version of the tool. Do I have to run the updated version now?
A30: Yes. We recommend that you run the newest version of the Mydoom Worm Removal Tool to make sure that you are not infected with the Mydoom variants E, F, G, J, L, or O, or the Zindos.A worm.
- Q31: Windows Update and Automatic Updates does not offer this tool to me. Why?
A31: If your computer does not appear to be infected with Mydoom A, B, E, F, J, L, O, Zindos, or Doomjuice A or B worms, Windows Update and Automatic Updates will not offer you the tool.
- Q32: What if my computer is infected with multiple MyDoom variants?
A32: The Mydoom Worm Removal Tool will remove all variants that it finds, but the Windows message box that is displayed at the end of the removal process will list only the last variant that the tool removed.
Mydoom Worm Removal Tool
|Tool Version||Doomcln.exe Version||Worms Removed||Operating Systems Supported||Installer File Name||Distribution Locations (Date)|
|1.0||22.214.171.124||Mydoom.A, Mydoom.B||Windows XP, Windows 2000||DoomCln-KB836528-ENU.exe||Microsoft Download Center (February 5, 2004)|
|2.0||126.96.36.199||Mydoom.A, Mydoom.B, Doomjuice.A||Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 Windows XP, Windows Server 2003||DoomCln-KB836528-v2-ENU.exe||Microsoft Download Center (February 9, 2004), Windows Update (February 13, 2004)|
|3.0||188.8.131.52||Mydoom.A, Mydoom.B, Doomjuice.A, Doomjuice.B||Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 Windows XP, Windows Server 2003||DoomCln-KB836528-v3-ENU.exe||Microsoft Download Center (February 11, 2004)|
|4.0||184.108.40.206||Mydoom.A, Mydoom.B, Mydoom.E, Mydoom.F, Mydoom.G, Mydoom.J, Mydoom.L, Mydoom.O, Zindos.A, Doomjuice.A, Doomjuice.B,||Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, Windows XP, Windows Server 2003||DoomCln-KB836528-v4-ENU.exe||Microsoft Download Center (July 30, 2004)|
Windows Update (August 4, 2004)
Mydoom and Doomjuice worm variants
|Worm (Date Discovered)||Alias||Versions of tool that remove this worm|
|Mydoom.A (January 26, 2004)||Novarg.A, Mimail.R||1.0, 2.0, 3.0, 4.0|
|Mydoom.B (January 28, 2004)||1.0, 2.0, 3.0, 4.0|
|Doomjuice.A (February 9, 2004)||Mydoom.C||2.0, 3.0, 4.0|
|Doomjuice.B (February 11, 2004)||3.0, 4.0|
|Mydoom.E, Mydoom.F, Mydoom.G, Mydoom.J, Mydoom.L||4.0|
|Mydoom.O (July 27, 2004)||W32/Mydoom.o@MM, W32.Mydoom.M@mm WORM_MYDOOM.M||4.0|
|Zindos.A (July 27, 2004)||4.0|
Article ID: 836528 - Last Review: 06/20/2014 08:57:00 - Revision: 15.0
- kbvirus kberrmsg kbprb kbinfo KB836528