W32/MyDoom-A

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: No Reports
Protection available since: 21 Jul 2010 18:08:14 (GMT)
Last Updated: 21 Jul 2010 18:08:14 (GMT)


W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from
address books and from files with the following extensions: wab,
txt, htm, sht, php, asp, dbx, tbb, adb and pl.

W32/MyDoom-A creates a file called Message in the temp folder and
runs Notepad to display it. The file contains only random characters,
so the user who launched the attachment sees what looks like a
corrupt document while the worm continues to run in the background.

W32/MyDoom-A uses randomly chosen addresses from its harvested list
in the "To:" and "From:" fields, together with a randomly chosen
subject line. Because the "From:" address is forged, the apparent
sender of an infected email is not the infected machine. The emails
distributing this worm have the following characteristics.

Subject lines:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
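The indicators above are enough for a simple mail-gateway heuristic. The following is an added example, not part of the Sophos description: it parses a raw message with Python's standard email library and reports which of the listed characteristics it matches, treating an attachment with one of the listed executable extensions as the strong signal and the subject, body phrases and attachment stems as supporting evidence, since real MTAs send bounces with the same wording. The two sample messages are constructed for illustration and the addresses in them are assumptions.

```python
"""Heuristic matcher for W32/MyDoom-A carrier emails.

Added example, not part of the Sophos description. The indicator lists are
those given in the write-up; the sample messages below are constructed.
"""
import email
from email.message import Message

SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
ATTACH_STEMS = {"body", "data", "doc", "document", "file", "message",
                "readme", "test"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}
BODY_PHRASES = (
    "has been sent as a binary attachment",
    "Mail transaction failed. Partial message is available.",
)


def _text_bodies(msg: Message):
    """Yield decoded text/plain parts that are not themselves attachments."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            yield (part.get_payload(decode=True) or b"").decode("latin-1", "replace")


def _attachment_names(msg: Message):
    """Yield the filename of every part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def score_message(raw: str) -> dict:
    """Report which MyDoom-A indicators a raw RFC 5322 message matches.

    The worm also uses random subjects and attachment stems, so only the
    attachment extension is required for a hit; a listed subject, body
    phrase or stem raises the verdict. Subject and body alone are never
    enough on their own, because legitimate bounces use the same wording.
    """
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    subject_hit = subject in SUBJECTS

    body_hit = False
    for body in _text_bodies(msg):
        if body.strip() == "test" or any(p in body for p in BODY_PHRASES):
            body_hit = True

    names = list(_attachment_names(msg))
    ext_hit = stem_hit = False
    for name in names:
        stem, _, ext = name.lower().rpartition(".")
        if ext in ATTACH_EXTS:
            ext_hit = True
            if stem in ATTACH_STEMS:
                stem_hit = True

    if ext_hit and (stem_hit or subject_hit or body_hit):
        verdict = "likely MyDoom-A carrier"
    elif ext_hit:
        verdict = "suspicious executable attachment"
    else:
        verdict = "no MyDoom-A indicators"
    return {"subject": subject_hit, "body": body_hit, "attachment_ext": ext_hit,
            "attachment_stem": stem_hit, "attachments": names, "verdict": verdict}


# Constructed sample: listed subject, listed body text, listed attachment.
SAMPLE_CARRIER = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Mail transaction failed. Partial message is available.
--XX
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

# Constructed sample: the subject "hi" is on the list, but there is no
# executable attachment, so it must not be flagged.
SAMPLE_BENIGN = """\
From: carol@example.invalid
To: bob@example.invalid
Subject: hi
Content-Type: text/plain

Are we still on for lunch? The agenda is in the shared folder.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CARRIER, SAMPLE_BENIGN):
        print(score_message(sample))
```

The verdict is deliberately tiered: a gateway would quarantine "likely" matches outright and route "suspicious executable attachment" to the existing executable-attachment policy, since the worm also sends attachments with random stems that none of the name lists will catch.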

The worm can also copy itself into the shared folder of the
KaZaA peer-to-peer application with one of the following filenames
and a PIF, EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or
temp folder and adds the following registry entry to run this
file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file
called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or
system folder. This is the backdoor component: the worm loads it,
and it listens on TCP port 3127, allowing outsiders to connect to
the infected machine. The DLL is also registered as the in-process
server for a CLSID that belongs to an existing Windows shell
component, so the entry below overwrites a legitimate value and
causes the DLL to be loaded into Explorer at every logon. When
cleaning up, restore the original InProcServer32 path rather than
deleting the key:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default = "<location of dll>"

The worm will also add the following registry keys, which serve as
infection markers:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Note that the HKCU ComDlg32 key also exists on uninfected systems,
where Windows keeps the common-dialog "most recently used" lists,
so its presence alone does not indicate infection.
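For incident responders, the registry entries above, together with the Run value and backdoor DLL described earlier, can be checked offline against a .reg export taken from a suspect machine. The following is an added example, not part of the Sophos description: it parses the text format written by reg export / regedit and reports the MyDoom-A persistence and backdoor entries, treating the ComDlg32 keys as informational only. The sample exports, the file paths in them and the unrelated VMware Tools Run value are constructed for illustration.

```python
"""Offline triage of a Windows registry export for W32/MyDoom-A artefacts.

Added example, not part of the Sophos description. It reads the text format
produced by `reg export` / regedit; the sample exports and the paths in them
are constructed for illustration.
"""
import re

MYDOOM_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
COMDLG_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\comdlg32"
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for a .reg export.

    Only string (REG_SZ) data is unescaped; other types (dword:, hex:) are
    kept as their raw text, which is enough for path matching here.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            keys[current][name] = data
    return keys


def triage_reg_export(text: str) -> list:
    """Return (severity, message) tuples for the MyDoom-A indicators."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            for name, data in values.items():
                # Name or data is enough to flag. On Windows 95/98/Me a
                # legitimate taskmon.exe lives in the Windows folder, so
                # confirm the file on disk before acting on this alone.
                if name.lower() == "taskmon" or "taskmon.exe" in data.lower():
                    findings.append(("high", f"Run value {name}={data} in {key}"))
        elif MYDOOM_CLSID.lower() in k and k.endswith(r"\inprocserver32"):
            data = values.get("(Default)", "")
            if "shimgapi.dll" in data.lower():
                findings.append(("high", f"backdoor DLL registered as in-process server: {data}"))
        elif k.endswith(COMDLG_SUFFIX):
            # Present on clean systems too (common-dialog MRU lists): informational.
            findings.append(("info", f"ComDlg32 key present: {key}"))
    return findings


# Constructed export from a hypothetical infected machine.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="taskmon.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM32\\shimgapi.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]
"""

# Constructed export from a clean machine: the ComDlg32 key is normal.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]
"""

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, triage_reg_export(sample))
```

Export the relevant hives with reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg (and likewise for HKCR\CLSID and the Explorer keys) and feed the files to triage_reg_export; the CLSID check matches on the DLL name in the default value, not on the mere existence of the key, because the key is legitimately present on every Windows install.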

Between 1 and 12 February 2004 the worm attempts a denial-of-service
attack on www.sco.com, sending a continuous stream of HTTP GET
requests to the web server from every infected machine. After 12
February 2004 W32/MyDoom-A no longer spreads, due to an expiry date
set in its code. The backdoor component, however, keeps running, so
an infected machine remains reachable by outsiders on TCP port 3127
until it is cleaned.
