Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Apr 21, 2005 | Updated Sep 15, 2017

Worm:Win32/Mydoom.BI@mm

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Win32/Mydoom.BI@mm is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself to e-mail addresses that it gathers from Web site queries and from the infected computer. The worm also drops the Trojans TrojanProxy:Win32/Prodoom.A and PWS:Win32/Banker.JX.
To manually recover from infection by Win32/Mydoom.BI@mm, perform the following steps:
  1. Disconnect from the Internet.
  2. Restart your computer in safe mode.
  3. End the worm-related processes.
  4. Delete worm-related files.
  5. Delete the worm-related registry entries.
  6. Restart your computer.
  7. Delete another worm-related file.
  8. Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Restart your computer in safe mode

To start your computer in safe mode
  1. Remove all floppy disks and CDs from your computer, and then restart your computer.
  2. When prompted, press F8. If Windows starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.
  3. From the Windows Advanced Options Menu, select a safe mode option.

End the worm-related processes

Ending the worm-related process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.
To end the worm-related processes
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Select the process winlog0n.exe, and click End Process.
  4. Select the process svch0st.exe, and click End Process.

Delete worm-related files

To delete worm-related files
  1. Click Start, and click Run.
  2. In the Open field, type <system folder>, for example, %windir%\system32
  3. Click OK.
  4. Click Name to sort files by name.
  5. If the file winlog0n.exe is in the list, delete it. This is the Win32/Mydoom.BI@mm worm file.
  6. If the file svch0st.exe is in the list, delete it. This is the PWS:Win32/Banker.JX Trojan file that is dropped by Win32/Mydoom.BI@mm.
  7. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  8. Click Yes.
If deleting the files fails, use the following steps to verify that the files are not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that winlog0n.exe and svch0st.exe are not in the list.

Delete the worm-related registry entries

To delete the worm-related registry entries
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, right-click the following value, if it exists: WINLOG0N
    (This is a registry value created by Win32/Mydoom.BI@mm.)
  5. Select Delete and click Yes to delete the value.
  6. In the left pane, navigate to the key:
    KEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
  7. In the right pane, right-click the following value, if it exists:
    (Default) = <system folder>\wxapi.dll
    (This is a registry value created by TrojanProxy:Win32/Prodoom.A, which is a Trojan dropped by Win32/Mydoom.BI@mm.)
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  10. In the right pane, right-click the following value, if it exists: WINLOG0N
    (This is another registry value created by Win32/Mydoom.BI@mm.)
  11. Select Delete and click Yes to delete the value.
  12. In the right pane, right-click the following value, if it exists:
    Systems = <system folder>\svch0st.exe
    (This is a registry value created by PWS:Win32/Banker.JX, which is another Trojan dropped by Win32/Mydoom.BI@mm.)
  13. Select Delete and click Yes to delete the value.
  14. Close the Registry Editor.

Restart your computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Delete another worm-related file

To delete the worm-related file
  1. Click Start, and click Run.
  2. In the Open field, type <system folder>, for example, %windir%\system32
  3. Click OK.
  4. Click Name to sort files by name.
  5. If the file wxapi.dll is in the list, delete it. (This is the file related to TrojanProxy:Win32/Prodoom.A, which is dropped by Win32/Mydoom.BI@mm.)
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes.
If deleting the file fails, use the following steps to verify that wxapi.dll is not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that wxapi.dll is not in the list.

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the Preventing Infection section for more information.
Follow us