NEWS FROM THE LAB - Thursday, February 12, 2004

Doomhunter Posted by Mikko @ 19:07 GMT

A virus (known as Doomhunter) that removes the Mydoom virus seems to be going around.

It removes Mydoom.A and B completely, along with all files and registry keys.

After this, Doomhunter apparently starts listening on TCP port 3127 - waiting for an infected machine to try to connect to it. When this happens, it sends itself to the attacking IP address through the backdoor, removes the virus and continues listening from there.
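The behaviour described above leaves a recognisable trace in flow logs: a connection to TCP 3127 followed shortly by a connection back to the initiator. The following triage sketch is an added example, not code from the original post. The record format, the `10.0.0.0/8` internal range, the 60-second window and the function names are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT = 3127    # TCP port named in the post
WINDOW = 60    # seconds; assumed correlation window

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed sample TCP flow records: "epoch src dst dst_port".
# The port of the return connection is constructed; the post does not give it.
SAMPLE = """\
1076612800 10.0.0.7 10.0.0.21 3127
1076612805 10.0.0.21 10.0.0.7 4000
1076612900 10.0.0.9 10.0.0.21 3127
1076613500 10.0.0.21 10.0.0.9 80
1076612950 10.0.0.30 192.0.2.10 80
"""

def parse(text):
    """Parse whitespace-separated flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append(Flow(int(ts), ip_address(src), ip_address(dst), int(dport)))
    return sorted(flows)

def triage(flows, internal="10.0.0.0/8"):
    """Return internal hosts contacted on PORT, internal hosts initiating
    to PORT, and (listener, initiator) pairs where the listener connected
    back to the initiator within WINDOW seconds."""
    net = ip_network(internal)
    listeners, initiators, connect_backs = set(), set(), set()
    for f in flows:
        if f.dport != PORT:
            continue
        if f.dst in net:
            listeners.add(str(f.dst))
        if f.src in net:
            initiators.add(str(f.src))
        for g in flows:  # look for a return connection shortly afterwards
            if g.src == f.dst and g.dst == f.src and 0 < g.ts - f.ts <= WINDOW:
                connect_backs.add((str(f.dst), str(f.src)))
    return {"listeners": sorted(listeners),
            "initiators": sorted(initiators),
            "connect_backs": sorted(connect_backs)}
```

Hosts under `initiators` are candidates for a Mydoom check, and hosts under `listeners` should be checked for whatever is bound to the port.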