Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


TASKMON.EXE PROCESS INFORMATION

Process Name  :taskmon.exe

Process Path : %SYSTEM%\taskmon.exe [ C:\Windows\System32\taskmon.exe]

Malware Name  : W32.Mydoom.A@mm

Other Names: I-Worm/Novarg, W32/Mydoom-A, W32/Mydoom@mm, WORM_MIMAIL.R 

Process Type    : Mass mailing Internet worm

Threat level : Low

Process details :

                     Taskmon.exe is dropped by W32.Mydoom.A@mm worm. Novarg aka Mydoom is a mass mailing worm, uses  e-mail addresses collected from .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt files to distribute infected messages. Mydoom worm arrives as an e-mail attachment. The infected attachment name, subject and message body is randomly chosen by the worm. The worm also spreads using KaZaA P2P network.

The infected mail sample is given below.

                     The message subject will contain the string "error", "test", "status", "hi", "hello", "server report", mail delivery error message or random characters. When the infected attachment is executed, it displays garbage of text using Notepad.exe and copies itself to Windows system folder as "taskmon.exe" in the background. It also drops a backdoor file shimgapi.dll in the system folder.

                     W32.Mydoom.A@mm modifies registry run section to load automatically on the next startup. The registry modification is given below.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon"= C:\%SYSTEM%\taskmon.exe 

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]

The worm also creates following additional key to run the backdoor program.

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

                      Mydoom worm contains backdoor abilities and it allows hackers to connect to TCP port 3127 on the infected system. It contains payload to perform to DoS attack on www.sco.com. Mydoom worm is detected on 26th January 2004.

How can I protect my system?

                   Solo has incorporated taskmon.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   Solo antivirus can detect and remove W32.Mydoom.A@mm worm safely. If you are already infected with this Worm, you can remove it from your computer using Solo Antivirus software.  Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link