Summary

| Protection available since | 3 August 2004 20:28:16 (GMT) |
|---|---|
| Detected by | All Sophos products (Endpoint Security and Control 9.0; Small business solutions 4.0) |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlibs.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/MyDoom-Q is an email worm.
When run the worm copies itself to the Windows System folder as winlibs.exe and adds the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlibs.exe
W32/MyDoom-Q spreads by emailing a copy of itself to addresses found on the local hard disk in files with the extensions TXT, DHTM, MSG, HTM, XML, EML, HTML, SHT, SHTM, SHTML, JSE, JSP, JS, PHP, CFG, ASP, ODS, MMF, DBX, TBB, ADB, PL and WAB.
The worm also sends itself to addresses it finds via the Yahoo People Search facility of the Yahoo website.
W32/MyDoom-Q does not send email to addresses that contain any of the following strings:
.edu
Bug
ugs
bug
upport
ICROSOFT
icrosoft
oot
dmin
ymant
avp
ecur
@MM
ebmast
help
opho
inpris
omain
senet
panda
32.
@mm
msn
inux
umit
nfo
irus
buse
orton
cafee
spam
Spam
SPAM
ntivi
eport
user
inzip
inrar
rend
pdate
USER
ating
ample
ists
persk
ccoun
ompu
msdn
YOU
you
oogle
arsoft
otmail
sarc
soft
ware
.gov
.mil
cribe
list
eturn
omment
Sale
sale
CRIBE
gmail
ruslis
ibm
win
Email sent by W32/MyDoom-Q has a spoofed sender and the following other characteristics:
Subject line:
SN: New secure mail
Secure delivery
failed transaction
Re: hello (Secure-Mail)
Re: Extended Mail
Delivery Status (Secure)
Re: Server Reply
SN: Server Status
Message text: made up of three parts, one from each of the following lists.
Part 1:
<domain> :: Automatically Secure Delivery: for
<user>.
<domain> :: Mail Delivery Server System: for
<user>.
<domain> :: Extended secure mail message available at:
<user>.
<domain> :: Secure Mail Server Notification: for
<user>.
<domain> :: New mail secure method implement: for
<user>.
Part 2:
New policy requested by mail server to returned mail as a secure compiled
attachment (Zip).
Now a new message is available as secure Zip file format.
Due to new policies on clients.
This message is available as a secure Zip file format due to a new security policy.
For security measures this message has been packed as Zip format.
This is a newly added security feature.
New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.
You have received a message that implements secure delivery technology.
Message available as a secure Zip file.
Part 3:
This message is an automatically server notice
from Administration at <domain>.
Server Notice: New security feature added. MSG:ID: 455sec86
from <domain>.
New feature added for security reasons
from <domain>.
Automatically server notice:,
Server reply from <domain>.
New service policy for security added from <domain>.
The attached filename is made up of one of the following names:
mail
message
attachment
transcript
text
document
file
readme
with one of the following endings:
.exe
-txt.exe
-htm.exe
-txt.scr
The attached file may also be a ZIP file.
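The mail characteristics above (fixed subject lines, attachment stem plus ending, and the "<domain> :: ... for <user>." body framing) are enough for a simple gateway-side classifier. The following is an added example, not Sophos code; the scoring rule, the `example.test` domain and the sample messages are constructed for illustration.

```python
import re

# Indicators transcribed from the page's description of W32/MyDoom-Q mail.
SUBJECTS = {
    "SN: New secure mail", "Secure delivery", "failed transaction",
    "Re: hello (Secure-Mail)", "Re: Extended Mail",
    "Delivery Status (Secure)", "Re: Server Reply", "SN: Server Status",
}
# Attachment name = one stem + one ending; the page also allows a ZIP file.
ATTACH_RE = re.compile(
    r"^(mail|message|attachment|transcript|text|document|file|readme)"
    r"(\.exe|-txt\.exe|-htm\.exe|-txt\.scr|\.zip)$", re.IGNORECASE)
# Part 1 of the body: "<domain> :: <phrase> for <user>." Matching the fixed
# framing rather than one phrase catches all five variants on the page.
PART1_RE = re.compile(r"^\S+ :: .+ for\s+\S+\.", re.MULTILINE)

def mydoom_q_score(subject, attachment, body):
    """Return (score, reasons): how many of the three indicator groups match."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append("subject")
    if attachment and ATTACH_RE.match(attachment.strip()):
        reasons.append("attachment")
    # Part 2 variants all talk about a secure Zip; Part 1 has the :: framing.
    if PART1_RE.search(body) or ("Zip" in body and "secur" in body.lower()):
        reasons.append("body")
    return len(reasons), reasons

def is_mydoom_q(subject, attachment, body, threshold=2):
    """Flag when at least `threshold` indicator groups match (constructed rule)."""
    score, _ = mydoom_q_score(subject, attachment, body)
    return score >= threshold

# Constructed sample assembled from the page's three body parts (not a capture).
SAMPLE = {
    "subject": "Re: Server Reply",
    "attachment": "document-txt.scr",
    "body": ("example.test :: Secure Mail Server Notification: for\n"
             "alice.\n"
             "Message available as a secure Zip file.\n"
             "This message is an automatically server notice\n"
             "from Administration at example.test.\n"),
}
BENIGN = {"subject": "Lunch?", "attachment": "notes.txt", "body": "See you at noon."}

if __name__ == "__main__":
    for msg in (SAMPLE, BENIGN):
        print(msg["subject"], mydoom_q_score(**msg))
```

Because the subject and body strings are fixed, a single-group match is weak evidence; requiring two groups keeps ordinary "secure delivery" notices from being flagged.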
