Antivirus and Security Software from Sophos

W32/MyDoom-A

Aliases
  • Mimail.R
  • Novarg.A

Summary

Affected operating systems Windows
Protection available since 27 January 2004 00:31:29 (GMT)
Last updated 22 July 2010 01:45:15 (GMT)
Detected by All Sophos products

More Information

W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from
address books and from files with the following extensions: wab,
txt, htm, sht, php, asp, dbx, tbb, adb and pl.

W32/MyDoom-A creates a file called Message in the temp folder and
runs Notepad to display its contents, which are random characters.

W32/MyDoom-A uses randomly chosen email addresses in the "To:" and
"From:" fields as well as a randomly chosen subject line. The emails
distributing this worm have the following characteristics.

Subject lines:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
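As an added example, not part of the Sophos analysis, the following Python function scores an incoming message against the lure characteristics listed above (subject, message text, attachment name and extension) so a mail gateway or log-review script can flag likely MyDoom-A samples; the sample messages are constructed, and the quarantine threshold (an executable-type attachment plus at least one other trait) is an assumed policy, not something the analysis specifies.

```python
# Indicators taken from the analysis above; compared case-insensitively.
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
BODIES = {
    "test",
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment",
    "the message contains unicode characters and has been sent "
    "as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file",
                "message", "readme", "test"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def mydoom_indicators(subject, body, attachment):
    """Return the list of MyDoom-A lure traits matched by one message.

    Random-character subjects and filenames cannot be matched by value,
    so the attachment extension acts as the stable anchor trait.
    """
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    # Collapse line wrapping and repeated spaces before comparing bodies.
    if " ".join(body.lower().split()) in BODIES:
        hits.append("body")
    if attachment:
        name, dot, ext = attachment.rpartition(".")
        if dot and ext.lower() in ATTACH_EXTS:
            hits.append("attachment-ext")
            if name.lower() in ATTACH_NAMES:
                hits.append("attachment-name")
    return hits


def should_quarantine(subject, body, attachment):
    """Assumed policy: executable-type attachment plus one more trait."""
    hits = mydoom_indicators(subject, body, attachment)
    return "attachment-ext" in hits and len(hits) >= 2


if __name__ == "__main__":
    # Constructed sample messages, not captured MyDoom-A traffic.
    samples = [
        ("hello", "test", "readme.pif"),
        ("Quarterly figures", "Please see attached", "report.pdf"),
        ("xq7pz", "", "data.exe"),
    ]
    for s in samples:
        print(s, mydoom_indicators(*s), should_quarantine(*s))
```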

The worm can also copy itself into the shared folder of the
KaZaA peer-to-peer application with one of the following filenames
and a PIF, EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or
temp folder and adds the following registry entry to run this
file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file
called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll into the temp or
system folder. This is a backdoor component, loaded by the worm,
that listens on TCP port 3127 and allows outsiders to connect to
the infected machine. The DLL adds the following registry entry so
that it is loaded on startup:

HKCR\CLSID\E6FB5E20-DE35-11CF-9C87-00AA005127ED\InProcServer32\
Default= "<location of dll>"

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between 1 and 12 February 2004, the worm attempts a
denial-of-service attack on www.sco.com by sending numerous GET
requests to the web server. After 12 February W32/MyDoom-A no
longer spreads, because of an expiry date set in its code. It
does, however, still run the backdoor component.
