W32/MyDoom-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/MyDoom-D is an email worm for the Windows platform.

W32/MyDoom-D will attempt to log the user off if the worm is run on or after 01 December 2004. The worm will start Internet Explorer and display the following URL:

http://support.microsoft.com/default.aspx?kbid=325126

W32/MyDoom-D will attempt to terminate a number of anti-virus products.

W32/MyDoom-D will arrive by email as an attachment with one of the following base filenames:

www.flashecard.com?postcard=viewcard?3490
www.videomail-direct.com?download-video?mpg
photo_album
budget_report

and an extension of:

ZIP
SCR
HTML.SCR
PIF
EXE

W32/MyDoom-D will spoof the "from" email address by combining one name from the following list:

Jennifer
Barbara
Linda
Susan
Eric
Kevin
Mary
Robert
John
Maria
Alex
Pamela

with a domain name from the following list:

@aol.com
@hotmail.com
@yahoo.com
@msn.com
@excite.com
@mail.com

The Subject of the email will be one of the following:

Album
Ok, here it is...
You'v got 1 VideoMail!
You've received a Postcard!

The Message of the email will be one of the following:

remember, just don't tell john or sandra about this ok?

later.

OR

my pics...like it?

humm sexy :) huh? heheh

OR

You have received a new postcard from Flashecard.com!

From: <Name>

To pick up your postcard follow this web address
<URL>
or click the attached link.

We hope you enjoy your postcard, and if you do, please
take a moment to send a few yourself!

(Your message will be available for 30 days.)

Please visit our site for more information.
<URL>

OR

You`ve got a stream video mail from VideoMail-Direct.com!

From: <Name>

To view your new video mail message follow the link
<URL>
or click the attached link.

If you wish to reply, follow the instructions included in the message.

(Your message will be available for 30 days.)

Please visit our site for more information.
<URL>
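The attachment names, extensions, spoofed sender pattern and subject lines above are the header-level indicators a mail gateway can match on. The following is an added example, not part of the Sophos description: the function names (`split_attachment_name`, `mydoom_d_indicators`, `build_sample`) are my own, and the sample message is constructed, not a real capture.

```python
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

# Indicator lists transcribed from the description above.
SUBJECTS = {"Album", "Ok, here it is...", "You'v got 1 VideoMail!",
            "You've received a Postcard!"}
BASENAMES = {"www.flashecard.com?postcard=viewcard?3490",
             "www.videomail-direct.com?download-video?mpg",
             "photo_album", "budget_report"}
EXTENSIONS = {"zip", "scr", "html.scr", "pif", "exe"}
FROM_NAMES = {"jennifer", "barbara", "linda", "susan", "eric", "kevin",
              "mary", "robert", "john", "maria", "alex", "pamela"}
FROM_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "msn.com", "excite.com", "mail.com"}


def split_attachment_name(name):
    """Split 'photo_album.html.scr' into ('photo_album', 'html.scr'); longest listed extension wins."""
    lower = name.lower()
    for ext in sorted(EXTENSIONS, key=len, reverse=True):
        if lower.endswith("." + ext):
            return name[: -(len(ext) + 1)], ext
    return name, ""


def mydoom_d_indicators(raw):
    """Return which header-level indicators (subject, spoofed sender, attachment) a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    # The worm pairs a listed first name with a listed free-mail domain as the sender.
    local, _, domain = utils.parseaddr(str(msg.get("From", "")))[1].lower().partition("@")
    if local in FROM_NAMES and domain in FROM_DOMAINS:
        hits.append("spoofed_from")
    for part in msg.iter_attachments():
        base, ext = split_attachment_name(part.get_filename() or "")
        if ext and base.lower() in BASENAMES:
            hits.append("attachment")
            break
    return hits


def build_sample():
    """Constructed sample shaped like the described mail; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Jennifer@hotmail.com"
    msg["Subject"] = "You've received a Postcard!"
    msg.set_content("You have received a new postcard from Flashecard.com!\n")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream",
                       filename="www.flashecard.com?postcard=viewcard?3490.scr")
    return msg.as_bytes()
```

A single hit is weak evidence on its own; the sender pattern in particular will also match legitimate mail, so a gateway rule should require the attachment match or a combination.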

W32/MyDoom-D will scan an infected computer's hard drive for email addresses, searching through Microsoft address books and through files on the computer that might contain email addresses (for example, cached web pages).

W32/MyDoom-D will avoid sending itself to email addresses that contain the following strings:

icrosof
syma
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkeley
unix
math
mit.e
fsf.
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin.
rfc-ed
isc.o
ecur
acketst
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale
(at)

W32/MyDoom-D will start Internet Explorer and display the following URL:

http://support.microsoft.com/default.aspx?kbid=325126

When first run, W32/MyDoom-D will copy itself to the Windows System folder as SYSHOST.EXE. In order to run automatically each time Windows is started, W32/MyDoom-D will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Update = <SYSTEM>\syshost.exe

W32/MyDoom-D will set the following registry entries as infection markers:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOST\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SYSHOST\

W32/MyDoom-D will attempt to terminate any process whose name contains one of the following strings:

regedit
task
msconfig
AV
MC
Av
Mc
av
mc
IEFrame
nti
iru
ire
cc
ecu
can
scn
KV
fr

If W32/MyDoom-D is run on or after 01 December 2004, the worm will attempt to log the user off.
