Sophos

W32/MyDoom-G


Summary

 
Affected operating systems: Windows
Protection available since: 3 March 2004 02:25:15 (GMT)
Detected by: All Sophos products

More Information

W32/MyDoom-G is a worm which spreads by email. When the infected attachment is launched the worm harvests email addresses from address books and from files on the hard disk.

When first run, W32/MyDoom-G creates the file MESSAGE containing random characters in the temp folder, opens the file in Notepad and then deletes it.

Emails have the following characteristics:

The "To:" and "From:" fields are spoofed.

Subject lines (can be absent or one of the following):

Auto-reply
Address verification
Your account is about to be expired
Your account is expired
Expired account
Bank information
Registration rejected
Rejected
excuse me
my photos
Warning
Attention
read!!!
i can tell you the future
your chance
please read
corrupted
missed
unknown
Microsoft
were unable to process your request
i need you
Interesting
were experiencing technical problems
Automatic notification
beauty
kleopatra
dear friend!
Response
Request
notification
price list
question
report
how are you?
hello! :)
confirmed
Email verification
verification
see you
You have been successfully registered
Please, confirm the registration
Registration
Your details
Your account details
service
melissa
pamela
jessica
your website
your text
your music
your letter
your archive
thank you
thanks
thanks!
your document
my details
here is the document
spreadsheet
Your request
do you still love me
do you love me
greetings
hello my friend
account details
your account
from me
Daily Report
summary
price-list
pricelist
attachment
Letter
attach
payment
description
information
paypal
TextFile
MoreInfo
AttachedFile
posting
object
readme
for_you
letter
document
application
all_document
AttachedDocument
message_part2
details
message_details
message
Document
TextDocument
response
account
problem
important
archive
nothing

Message texts (can be absent, the same as the subject line, random characters, or one of the following):

Read the attached message
Here is the file"
Please have a look at the attached file
Please read the attached file
See the attached file for details
Your document is attached
Your file is attached
Hi! check the attachment for details
Test
Details are in the attached document
Read the document
See attachemnt
See attachment
See the attached message
See the attached document
Read this
Look at the document
Look at the attached file
Ok
Okay
See you
Re:
Please, reply
Here is the document
Test
Open the document
Full message is in the attached documen
Please, read and let me know what do you feel
Here it is

Attached file (can have one of the following extensions: EXE, SCR, COM, PIF, BAT, CMD or ZIP):

attachment
Letter
attach
att
file
payment
check
bill
news
text
for_you
letter
document
application
all_document

Note that the attached file may have a random filename.

The worm will not send itself to email addresses belonging to domains containing the following strings:

bsd, mit.edu, gnu., fsf., urlon, ibm.com, google., kernel., rfc-edit, sendmail., isi.edu, isc.org, secur, packetstorm, stanford.edu, berkeley, rutgers.edu, ucsd.edu, uci.edu, mozilla., sourceforge, sf.net, slashdot., ymante, example.com, sopho, nai.co, trend.c, trendmic, ruslis, avp, norma, icrosoft., msn.c, hotmail.com, panda, ssagelab, support, .gov, gov., .mil, iana., arin., ripe., ietf.
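As an added example (not Sophos's code and not the worm's), the following Python check turns the message characteristics above into a gateway-style rule: it matches the listed attachment basenames and extensions, and a subset of the subject and message-text lists, against a parsed message. The two sample messages, their addresses and the MIME boundary are constructed for the demonstration.

```python
"""Gateway-style indicator check for W32/MyDoom-G lure messages.

Added example: the indicator lists are copied from the description above
(the subject and body sets are subsets of the full lists); the sample
messages are constructed and do not come from a real infection.
"""
from email import message_from_string

# Attachment basenames and extensions given in the description.
ATTACHMENT_NAMES = {
    "attachment", "letter", "attach", "att", "file", "payment", "check",
    "bill", "news", "text", "for_you", "document", "application", "all_document",
}
ATTACHMENT_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "zip"}

# Subset of the subject lines and message texts from the description.
SUBJECTS = {
    "auto-reply", "address verification", "your account is about to be expired",
    "your account is expired", "expired account", "bank information",
    "registration rejected", "email verification", "account details",
    "here is the document", "daily report", "paypal", "readme",
}
BODIES = {
    "read the attached message", "please read the attached file",
    "see the attached file for details", "your document is attached",
    "see attachment", "see the attached document", "here is the document",
    "open the document", "here it is", "test",
}


def attachment_matches(filename):
    """True when <name>.<ext> pairs a listed lure name with a listed extension."""
    stem, sep, ext = filename.rpartition(".")
    if not sep:
        return False  # no extension at all
    return stem.lower() in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS


def score_message(raw):
    """Return the indicators a raw RFC 822 message matches, in walk order."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if attachment_matches(filename):
                hits.append("attachment:" + filename)
            continue
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            body = body.strip().lower()
            # The description says the body may repeat the subject line.
            if body and (body in BODIES or body == subject):
                hits.append("body")
    return hits


# Constructed lure: listed subject, listed body text, listed attachment name.
SAMPLE_LURE = """\
From: service@example.com
To: user@example.com
Subject: Your account is expired
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"

See attachment
--demo-boundary
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--demo-boundary--
"""

# Constructed benign message for contrast.
SAMPLE_BENIGN = """\
From: colleague@example.com
To: user@example.com
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Attached figures follow in the next mail.
"""

if __name__ == "__main__":
    print("lure:", score_message(SAMPLE_LURE))
    print("benign:", score_message(SAMPLE_BENIGN))
```

A single hit is weak evidence on its own (the subject list contains common words); a listed attachment name with a listed executable extension combined with a listed subject or body is the combination worth quarantining.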

W32/MyDoom-G creates a randomly named file in the Windows system or temp folder and adds a randomly named registry entry to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run this file every time the user logs on to the computer.

W32/MyDoom-G also drops a randomly named DLL file in the Windows system or temp folder. The DLL is a backdoor program loaded by the worm that allows remote attackers to connect to TCP port 1080 and upload files for the infected computer to run. The DLL creates the following registry entry to load itself on system restart:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= <location of dll>

The DLL also terminates several processes, for example avpupd, start.exe and cmd32.exe.

W32/MyDoom-G overwrites PIF files and creates several copies of itself with filenames matching existing filenames found on the computer but having double extensions, for example <filename>.doc.exe.
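The double-extension copies described above can be found with a simple directory walk. The following Python check is an added example, not Sophos's code: it flags any file whose outer extension is one of the executable extensions listed for the worm's attachments and whose inner name (the part before that extension) exists as a file in the same directory. The fixture directory and its filenames are constructed here so the check runs offline.

```python
"""Host-side check for W32/MyDoom-G style double-extension copies.

Added example: finds <name>.<docext>.<execext> files that sit beside the
<name>.<docext> file whose name they copy. The fixture is constructed.
"""
import os
import tempfile

# Executable extensions the description lists for the worm's attachments.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_double_extension_copies(root):
    """Return paths such as report.doc.exe where report.doc exists in the same directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        # Windows filenames are case-insensitive, so compare lower-cased.
        present = {name.lower() for name in filenames}
        for name in filenames:
            inner, outer_ext = os.path.splitext(name)
            if outer_ext.lower() not in EXEC_EXTS:
                continue
            _, inner_ext = os.path.splitext(inner)
            # A plain setup.exe has no inner extension and is not flagged;
            # report.doc.exe is flagged only when report.doc is also present.
            if inner_ext and inner.lower() in present:
                findings.append(os.path.join(dirpath, name))
    return sorted(findings)


def suspicious_basenames(root):
    """Convenience wrapper returning just the flagged filenames."""
    return [os.path.basename(p) for p in find_double_extension_copies(root)]


def build_fixture():
    """Create a constructed directory with benign files and two suspicious copies."""
    root = tempfile.mkdtemp(prefix="mydoom_g_demo_")
    for name in ("report.doc", "report.doc.exe", "budget.xls", "Budget.xls.scr",
                 "setup.exe", "readme.txt", "archive.tar.gz"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed placeholder content\n")
    return root


if __name__ == "__main__":
    for path in find_double_extension_copies(build_fixture()):
        print("suspicious:", path)
```

Run against a user's document folders, this finds the copies but not the overwritten PIF files, which keep their original names; those need a content check against a known-good copy or a scanner signature.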

W32/MyDoom-G attempts a denial of service attack on www.symantec.com by sending numerous HTTP GET requests to this URL.

Hidden inside the W32/MyDoom-G worm's code is the following text, which is never displayed:

to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.
