Sophos

W32/MyDoom-U

Aliases
  • WORM_MYDOOM.GEN
  • W32/Mydoom.u@MM

Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 9 September 2004 21:29:50 (GMT)
Last updated 16 September 2004 09:34:48 (GMT)
Detected by All Sophos products

More Information

W32/MyDoom-U is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions:

CFG, CGI, DHT, EML, JSP, MHT, MSG, PHP, STM, UIN, VBS, WAB, XLS, HTM, TXT, SHT, ASP, DBX and TBB.

W32/MyDoom-U uses randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line.

The emails distributing this worm have the following characteristics:

Subject line:
hello
hi
Hi!
Re: Hi
important
Re: Your document
Private document
Re: Question
Thank you!
thanks!
Re: Status
read it immediately
my
Re: Proof of concept
Notice again
You win!
News
Information
Re: Message
[random collection of characters]

Message text:
New game
Please confirm the document.
For further details see the attachment.
Virus removal tool
Can you confirm it?
Monthly news report.
Please read the important document.
Please read the attached file!
See attached file for details.
fun!
lol!
See the file.
game
Please answer quickly!
apply patch.
For more details see the attachment.
Waiting for a Response. Please read the attachment.
You are infected by virus. Run this exe
Thanks!
screensaverlol!
relax
Your archive is attached.

Attachment file:
lol
fun
antivirus
patch
new
pic
photo
game
file
message
letter
information
info
file
details
data
bill
new
report
doc
document
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR, or ZIP.
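The lure characteristics above map directly onto a mail-gateway check. The following is an added example (not Sophos code): the subject, body and attachment-name lists are transcribed from this page, the two sample messages are constructed, and the verdict thresholds are the author's own choice. Subjects and bodies are compared as whole strings because the worm uses them verbatim; the attachment extension is checked separately from the name because the name can also be a random string.

```python
"""Mail-gateway check against the W32/MyDoom-U email characteristics (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the page, lower-cased for comparison.
SUBJECTS = {s.lower() for s in (
    "hello", "hi", "Hi!", "Re: Hi", "important", "Re: Your document",
    "Private document", "Re: Question", "Thank you!", "thanks!", "Re: Status",
    "read it immediately", "my", "Re: Proof of concept", "Notice again",
    "You win!", "News", "Information", "Re: Message")}

BODIES = {b.lower() for b in (
    "New game", "Please confirm the document.",
    "For further details see the attachment.", "Virus removal tool",
    "Can you confirm it?", "Monthly news report.",
    "Please read the important document.", "Please read the attached file!",
    "See attached file for details.", "fun!", "lol!", "See the file.", "game",
    "Please answer quickly!", "apply patch.",
    "For more details see the attachment.",
    "Waiting for a Response. Please read the attachment.",
    "You are infected by virus. Run this exe", "Thanks!", "relax",
    "Your archive is attached.")}

ATTACHMENT_NAMES = {
    "lol", "fun", "antivirus", "patch", "new", "pic", "photo", "game", "file",
    "message", "letter", "information", "info", "details", "data", "bill",
    "report", "doc", "document"}

ATTACHMENT_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def assess(raw: bytes) -> dict:
    """Score one RFC 5322 message; returns the matched indicators and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        reasons.append(f"subject is a known lure: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body.lower() in BODIES:
        reasons.append(f"body is a known lure: {body!r}")

    risky_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if ext in ATTACHMENT_EXTENSIONS:
            risky_attachment = True
            reasons.append(f"attachment extension in worm set: {name!r}")
            if stem in ATTACHMENT_NAMES:
                reasons.append(f"attachment name in worm set: {name!r}")

    # Threshold is the author's choice: an executable-type attachment plus any
    # lure text is enough to quarantine; lure text alone only earns a closer
    # look, since "hi" and "thanks!" are ordinary subjects.
    if risky_attachment and len(reasons) > 1:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_message(subject: str, body: str, attachment_name: str) -> bytes:
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's email, one ordinary message.
WORM_LIKE = build_message("Re: Your document", "Please read the attached file!", "document.scr")
BENIGN = build_message("Quarterly figures", "Numbers attached, see tab 2.", "figures.xlsx")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, assess(raw))
```

ZIP attachments are flagged by extension only; a gateway that wants to look inside the archive for a BAT/CMD/EXE/PIF/SCR member would need to extract it, which this example does not do.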

W32/MyDoom-U copies itself to the Windows system folder using the filename WINSPF32.EXE and sets the following registry entry to point to this copy so that it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSPF

W32/MyDoom-U will also create the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Version = FrankenShteiN

W32/MyDoom-U may also copy itself into the startup folder as RX32HH00.EXE and download a file from a remote server.
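The registry and file artefacts above are what a host check should look for. The following added example (not Sophos code) parses a text export in `reg export` syntax and flags the Run value, the User Agent marker and the two file names given on this page. The export it runs on is constructed: the page names the value WinSPF and the file WINSPF32.EXE but not the full path, so the path in the sample is an assumption.

```python
"""Host-side check for the W32/MyDoom-U artefacts listed on the page (added example)."""
import re

# Indicators from the page. HKLM is spelled out as reg.exe writes it.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinSPF"
UA_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
          r"\Internet Settings\User Agent")
UA_VALUE = "Version"
UA_DATA = "FrankenShteiN"
DROPPED_FILES = {"winspf32.exe", "rx32hh00.exe"}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; only string (REG_SZ) data is decoded."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_mydoom_u(text: str) -> list:
    """Registry-side findings; key and value names compare case-insensitively."""
    keys = {k.lower(): {n.lower(): d for n, d in v.items()}
            for k, v in parse_reg_export(text).items()}
    findings = []
    run_data = keys.get(RUN_KEY.lower(), {}).get(RUN_VALUE.lower())
    if run_data is not None:
        findings.append(f"Run value {RUN_VALUE} present: {run_data}")
        if any(f in run_data.lower() for f in DROPPED_FILES):
            findings.append("Run value launches a known MyDoom-U file name")
    if keys.get(UA_KEY.lower(), {}).get(UA_VALUE.lower()) == UA_DATA:
        findings.append(f"User Agent\\{UA_VALUE} = {UA_DATA}")
    return findings


def suspicious_files(filenames) -> list:
    """Match a directory listing (system folder, Startup folder) against the page's file names."""
    return sorted(n for n in filenames if n.lower() in DROPPED_FILES)


# Constructed export with an assumed install path. A real reg.exe export is
# UTF-16LE with a BOM, so read it with open(path, encoding="utf-16").
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSPF"="C:\\WINDOWS\\system32\\WINSPF32.EXE"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent]
"Version"="FrankenShteiN"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
'''

if __name__ == "__main__":
    print(find_mydoom_u(INFECTED_EXPORT))
    print(suspicious_files(["notepad.exe", "RX32HH00.EXE"]))
```

Both checks are deliberately name-based so they can be run against offline exports and directory listings from a suspect machine; they do not replace a scan with a product that detects the worm's code.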

Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/MyDoom-Gen without requiring an update.
