The guts of the Doom worm have now been pulled out, analysed and posted on the web.
However, the worm — which is thought to have originated in Russia — is continuing to spread with ferocity as the rest of the world wakes up. All the main antivirus vendors have updates ready to go but are bracing themselves as the east coast of the US starts up its PCs.
Some companies are following the advice of various AV companies and shutting down email networks until they can be rid of the worm, while email users in general are reporting slower or unresponsive systems as the pipes are clogged up.
Kaspersky Labs a few hours ago estimated 300,000 computers were carrying the worm and early analysis has shown that a network of infected computers was built up before the worm was released — the same approach used by the SoBig.F worm.
It spreads via email and Kazaa, it has its own proxy server, enabling it to spoof addresses, eight different message headers, 18 attachment names and five file extensions. If you open it, a Notepad with random characters appears, and the worm immediately starts installing itself in various parts of your PC.
Two files are put in the Windows folder — taskmon.exe (Worm program) and shimgapi.dll (a remote access program). They are registered in your PC memory to auto-run when you start up the machine.
One this is done, it scans for email addresses, which it uses to send itself out using its proxy server. It may also start generating spam as others have done in the past. It checks if Kazaa is installed and then puts a variety of differently named files in the Shared Folder.
The backdoor program is wide-ranging and can grab a lot of damaging data as well as introduce other programs later on. And then, of course, it prepares a DoS attack on SCO to start running on February 1 and finishing 12 days later.
All in all, this is extremely nasty. If you have the worm on your system, the best page we have found so far to get rid of it is Symantec's. Upgrade your virus definitions and run a complete scan. Then you'll have to start rooting around the registry to kill it. Enjoy.