W32/MyDoom-AJ

Category: Viruses and Spyware
Type: Win32 executable file virus
Protection available since: 06 Jul 2006 00:00:00 (GMT)
Last Updated: 07 Dec 2009 18:05:35 (GMT)
Prevalence: No Reports


W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality. It can also infect computers that are vulnerable to the LSASS vulnerability (MS04-011).

When first run, the worm copies itself to the Windows system folder as mathchk.exe and creates the following registry entries so that it is started automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\OLE
RealPlayer Ath Check = mathchk.exe

HKLM\System\CurrentControlSet\Control\Lsa
RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\OLE
RealPlayer Ath Check = mathchk.exe

HKCU\System\CurrentControlSet\Control\Lsa
RealPlayer Ath Check = mathchk.exe

The worm will attempt to harvest email addresses from files on the local hard disk.

Emails sent by W32/MyDoom-AJ have the following characteristics:

Subject line chosen from one of the following, possibly in all upper case or all lower case:

Good day
Hello
Server Report
Status
<blank>

Message text chosen from:

Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
The original message was included as an attachment.
<junk>

Attachment filename chosen from the following, with an extension chosen from bat, cmd, exe, scr, pif or zip:

body
data
doc
document
file
message
readme
text
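The subject, body and attachment traits above can be turned into a simple mail-gateway triage check. The following is an added example, not code from the Sophos analysis; the `Message` class and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Traits from the analysis above; matching is case-insensitive since the subject may be all upper or all lower case.
SUBJECTS = {"good day", "hello", "server report", "status", ""}   # "" is the <blank> subject
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "text"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
ATTACH_RE = re.compile(r"^([a-z]+)\.([a-z]+)$", re.IGNORECASE)

def _norm(text):
    """Lower-case and collapse whitespace so line wrapping does not defeat the match."""
    return " ".join(text.lower().split())

@dataclass
class Message:            # hypothetical container for the fields a gateway would expose
    subject: str
    body: str
    attachments: list

def mydoom_aj_indicators(msg):
    """Return the MyDoom-AJ traits a message exhibits, in a fixed order."""
    hits = []
    if _norm(msg.subject) in SUBJECTS:
        hits.append("subject")
    if _norm(msg.body) in BODIES:          # the <junk> body variant cannot be matched this way
        hits.append("body")
    for att in msg.attachments:
        m = ATTACH_RE.match(att)
        if m and m.group(1).lower() in ATTACH_NAMES and m.group(2).lower() in ATTACH_EXTS:
            hits.append("attachment:" + att)
    return hits

def is_suspected_mydoom_aj(msg):
    """A generic subject alone is weak evidence; require a template hit plus a matching attachment."""
    hits = mydoom_aj_indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and ("subject" in hits or "body" in hits)

# Constructed sample messages (not real captures).
SAMPLES = [
    Message("SERVER REPORT", "The original message was included as an attachment.", ["document.zip"]),
    Message("Hello", "Lunch on Friday?", ["agenda.pdf"]),
    Message("", "Quarterly figures attached.", ["readme.exe"]),   # blank subject, worm-style attachment
]
```

Because the body templates are also used by legitimate bounce notices, the attachment match is what carries the decision; a bounce without an executable or archive attachment is not flagged.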
