Sophos

W32/MyDoom-BN

Aliases
  • Email-Worm.Win32.Mydoom.as

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Protection available since: 28 April 2005 21:43:51 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMon
"<Windows system folder>\taskmon.exe"

and delete it if it exists.

Close the registry editor.

More Information

W32/MyDoom-BN is a member of the W32/MyDoom family of email worms.

Like the other members of the MyDoom family, W32/MyDoom-BN opens Notepad to display a file named message that contains random strings.

Like the other MyDoom worms, W32/MyDoom-BN scans the filesystem and mounted shares for email addresses.

The worm may listen on network ports, exposing a backdoor that potential attackers can use.

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/MyDoom-BN (detected as W32/MyDoom-Gen) since version 3.85.

In order to run automatically, W32/MyDoom-BN copies itself to the file taskmon.exe in the Windows system folder and creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMon
"<Windows system folder>\taskmon.exe"

W32/MyDoom-BN will create email messages with one of the following subjects:

Duvido voce me reconher =)
estou longe!!
Eu nao ti vejo a muito tempo.
Eu te amo
lembra de mim??
Oi
Oi a quanto tempo... =)
Saudades de voce!!!
Voce me reconhece??

The following will be the body of the email:

Ola, a quanto tempo! Eu me mudei dai para os Estados Unidos, e faz um tempo que perdemos o contato e consegui seu email atraves de uma amiga sua. Vamos fazer assim, eu vou lhe mandar meu album de fotos se voce me reconhecer, me retorna o email. Quero ver se voce ainda lembra de mim. :)

W32/MyDoom-BN will copy itself to the KaZaa share folder, if available, as one of the following:

activation_crack.<ext>
icq2004-final.<ext>
office_crack.<ext>
rootkitXP.<ext>
strip-girl-2.0bdcom_patches.<ext>
winamp5.<ext>

In the above, <ext> is one of the following, chosen at random:

bat
cmd
exe
pif
scr
zip

W32/MyDoom-BN will attach itself to the email using one of the following filenames, with one of the extensions listed above:

album
album_de_foto
eu
foto
fotografia
fotos
minhas_fotos

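A defender-side check that combines the Run-key persistence entry described above with the KaZaa and attachment filenames, written as an added example and not part of the Sophos description: it parses a Regedit 'Export Registry File' dump for the TaskMon value pointing at taskmon.exe and matches file names against every name/extension combination listed. The .reg sample is constructed, and the Windows paths in it are assumptions.

```python
import re
from itertools import product

# Indicators listed in the Sophos description of W32/MyDoom-BN.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE, DROPPED_FILE = "TaskMon", "taskmon.exe"
P2P_NAMES = ["activation_crack", "icq2004-final", "office_crack",
             "rootkitXP", "strip-girl-2.0bdcom_patches", "winamp5"]
ATTACH_NAMES = ["album", "album_de_foto", "eu", "foto", "fotografia",
                "fotos", "minhas_fotos"]
EXTENSIONS = ["bat", "cmd", "exe", "pif", "scr", "zip"]
# Constructed sample of a Regedit 'Export Registry File' dump, not a real
# machine's registry; .reg text doubles backslashes inside string data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

def suspicious_filenames():
    """Every name/extension combination used for KaZaa copies and attachments."""
    names = P2P_NAMES + ATTACH_NAMES
    return {f"{n}.{e}".lower() for n, e in product(names, EXTENSIONS)}

def is_worm_filename(path):
    """True if the file name part of a path (any case) matches an indicator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() in suspicious_filenames()

def find_run_persistence(reg_export):
    """Return (value name, data) pairs under the HKLM Run key whose name is
    TaskMon or whose data points at taskmon.exe, the entry the worm creates."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]            # start of a new key section
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)  # "name"="string data"
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE.lower() or data.lower().endswith(DROPPED_FILE):
            hits.append((name, data))
    return hits
```

Running find_run_persistence over a real export of the Run key (or a fresh regedit export) reports the entry the removal steps above tell you to delete; a hit is a reason to run a full scan, not proof on its own.
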
W32/MyDoom-BN will avoid email addresses containing the following:

acketst
arin.
avp
berkeley
borlan
bsd
example
fido
fsf.
gnu
google
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
syma
tanford.e
unix
usenet
utgers.ed

Along with using email addresses found on the infected system, W32/MyDoom-BN may send email that looks as though it comes from one of the following domains:

aol.com.br
bol.com.br
gmail.com
hotmail.com.br
msn.com.br
uol.com.br
yahoo.com.br
