Summary

| How it spreads | Email; Kazaa shared folders; ICQ messages |
|---|---|
| Affected operating systems | Windows |
| Characteristics | Backdoor; downloads further components; disables security tools |
| Protection available since | 16 September 2004 18:56:29 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/MyDoom-Z is a network and email worm which also contains backdoor functionality. It spreads by emailing itself and by copying itself into Kazaa shared folders.
The worm forges the 'From' address on the email it sends, so the message appears to come from a domain that provides free email accounts.
The email has the following characteristics:
Subject line:
Fw: remember me?__
Fw: hi
Fw: hello sweety :>
Fw: my photos
Fw: that's me :-d
Fw: (no subject)
Fw: it's me
Fw: hi, it's me
Fw: 2 new photos
Fw: new photos
Fw: jenna's photos :)
Remember me?__
Hi
Hello sweety :>
My photos
That's me :-d
(no subject)
It's me
Hi, it's me
2 new photos
New photos
Look!_0
Fw: cool
:))
:)
Fw:
Re:
Re[2]:
Fw:cool
Re:cool
Re[2]:cool
Fw:cool!
Re:cool!
Re[2]:cool!
Fw:fun pictures
Re:fun pictures
Re[2]:fun pictures
Attached file:
Photos.arc.cpl
My.photos.cpl
Newphotos.cpl
New.photos.cpl
Photo.se.cpl
Foto.cpl
Fotos.cpl
My.foto.cpl
Arc.cpl
Photofile.cpl
Photoarchive.cpl
Myfoto.cpl
Photos.arc.exe
My.photos.exe
Myphotos.arc.exe
Newphotos.exe
New.photos.exe
Photo.se.exe
Photos.exe.safe
Foto.exe
Fotos.exe
My.foto.exe
Arc.exe
Photofile.exe
Photoarchive.exe
Photos.selfextracting.exe
Myfoto.exe
Julia038.jpg(lots of space).pif
Marie.dancing.jpg(lots of space).pif
Nude..jpg(lots of space).pif
Photo08.jpg(lots of space).pif
Sunny.jpg(lots of space).pif
With.flowers.jpg(lots of space).pif
2004042301.jpg(lots of space).pif
Me.01.jpg(lots of space).pif
Dcp.0002.jpg(lots of space).pif
Black.gif(lots of space).pif
Photo.jpg(lots of space).pif
Pic.jpg(lots of space).pif
Document.jpg(lots of space).pif
Flowers.jpg(lots of space).pif
My.photo.jpg(lots of space).pif
The worm may also arrive in a ZIP file named:
Photos.zip
Myphotos.zip
My.photos.zip
Fotos.zip
Images.zip
New.photos.zip
Pic.zip
New.pic.zip
Arhive.zip
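The attachment names above rely on three tricks: an executable extension that users rarely recognise (.cpl, .pif), an image-looking name padded with a run of whitespace so the real extension scrolls out of a mail client's attachment column, and an archive wrapper. The following Python is an added example, not Sophos code, that flags attachment names using those patterns. The extension sets, the whitespace regex and the sample names are assumptions constructed for the example; a production filter would carry a fuller dangerous-extension list.

```python
"""Flag e-mail attachment names that use the worm's naming tricks.

Added example; not Sophos code. Extension lists and sample names are
constructed for illustration.
"""
import re

# Extensions the text reports for the worm's executable copies (assumed
# complete only for this sample; real filters need the full dangerous list).
EXECUTABLE_EXTENSIONS = {"exe", "cpl", "pif"}
# Image extensions used as decoys in front of the whitespace padding.
DECOY_EXTENSIONS = {"jpg", "gif"}
ARCHIVE_EXTENSIONS = {"zip"}

# "<name>.<decoy><whitespace>.<real>" at the end of the name: the padding
# pushes the real extension out of view in a narrow attachment column.
_PADDED_RE = re.compile(r"\.(?P<decoy>[A-Za-z0-9]+)(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]+)$")


def classify_attachment(name: str) -> dict:
    """Return {'name', 'executable', 'archive', 'reasons'} for one attachment name."""
    reasons = []
    parts = name.strip().lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""

    padded = _PADDED_RE.search(name)
    if padded and padded.group("real").lower() in EXECUTABLE_EXTENSIONS:
        decoy = padded.group("decoy").lower()
        kind = "image" if decoy in DECOY_EXTENSIONS else "decoy"
        reasons.append(
            f"{kind} extension .{decoy} followed by {len(padded.group('pad'))} "
            f"whitespace characters hides the real .{padded.group('real').lower()}"
        )
    elif final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
    elif len(parts) > 2 and any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        # e.g. Photos.exe.safe: the executable extension sits inside the name,
        # so a filter that only checks the last extension passes it.
        reasons.append("executable extension embedded before a harmless-looking suffix")

    return {
        "name": name,
        "executable": bool(reasons),
        "archive": final_ext in ARCHIVE_EXTENSIONS,
        "reasons": reasons,
    }


def suspicious_attachments(names):
    """Names to block outright (executables) or open for inspection (archives)."""
    return [v for v in map(classify_attachment, names) if v["executable"] or v["archive"]]


if __name__ == "__main__":
    SAMPLE_NAMES = [  # constructed to mirror the patterns listed above
        "Photos.arc.cpl",
        "Julia038.jpg" + " " * 60 + ".pif",
        "Photos.exe.safe",
        "Photos.zip",
        "holiday.jpg",
    ]
    for verdict in suspicious_attachments(SAMPLE_NAMES):
        print(repr(verdict["name"]), verdict["reasons"])
```

Archives are reported separately from executables because a .zip is not dangerous by itself; the verdict tells a gateway to unpack and re-run the same classifier on the members rather than to drop the mail.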
W32/MyDoom-Z also spreads via the Kazaa peer-to-peer network by dropping copies of itself in the Kazaa shared folder. The worm may also send ICQ messages to other users containing the following lines:
"funy game http://www.scionicmusic.com/a"...
"i now play in game http://www.scionicmu"...
"my photos (archived) http://www.llc.uni"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://65.110.51.150/icon/game.exe LOL!"...
"best game http://65.110.51.150/icon/gam"...
"http://64.40.98.94/icon/game.exe funny "...
"http://64.40.98.94/icon/game.exe :-):-)"...
"funn http://64.40.98.94/icon/game.exe :"...
When W32/MyDoom-Z is run it copies itself to services.exe in the Windows folder (the legitimate services.exe lives in the Windows system folder, not the Windows folder) or to nb32ext.txt in the Windows system folder, and creates the following registry entries, a Run value and a service, pointing to those copies so that it is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RPCserv
HKLM\System\CurrentControlSet\Services\NetBios ext
W32/MyDoom-Z also tampers with the policy value that controls the Windows registry editing tools (Windows blocks regedit when this DWORD is set to 1), setting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
DisableRegistryTools = 0
The worm also exempts itself from the Windows Firewall by adding its copies to the authorized-applications list under:
HKLM\System\CurrentControlSet\Services\SharedAccess\DomainProfile\AuthorizedApplications\List
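A practitioner checking a machine for these changes wants to test the Run value, the service image path, the policy value and the firewall exemption together, because each one on its own has benign look-alikes. The Python below is an added example, not Sophos code: it evaluates a registry snapshot held in a dictionary, with the Windows folder, the executable-extension list and the snapshot contents all assumed or constructed for the example. read_run_values is an assumed helper showing how the Run values would be collected on a live Windows host with the standard winreg module; it is not used by the offline check.

```python
"""Check a registry snapshot for the persistence, policy and firewall changes
described above. Added example, not Sophos code; the snapshot is constructed."""
import ntpath

# Assumed locations; on a live host derive them from %SystemRoot%.
WINDOWS_DIR = r"C:\WINDOWS"
SYSTEM_DIR = ntpath.join(WINDOWS_DIR, "system32")
# Extensions Windows will run as a service or Run-entry image (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".cpl", ".bat", ".cmd"}

# Constructed snapshot mirroring the entries in the text; real values differ.
SAMPLE_SNAPSHOT = {
    "run_values": {                       # HKLM\...\CurrentVersion\Run
        "RPCserv": r"C:\WINDOWS\services.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "services": {                         # ImagePath of HKLM\...\Services\<name>
        "NetBios ext": r"C:\WINDOWS\system32\nb32ext.txt",
    },
    "policies": {                         # HKCU\...\Policies\...
        "DisableRegistryTools": 0,
    },
    "firewall_authorized": [              # ...\AuthorizedApplications\List values
        r"C:\WINDOWS\services.exe:*:Enabled:RPC service",
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    ],
}


def _norm(path):
    """Case-folded, normalised Windows path with surrounding quotes removed."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def image_path_findings(path):
    """Reasons an autorun image path is suspicious; empty if it looks normal."""
    exe = _norm(path)
    base = ntpath.basename(exe)
    ext = ntpath.splitext(base)[1]
    reasons = []
    if base == "services.exe" and ntpath.dirname(exe) != _norm(SYSTEM_DIR):
        # The real Service Control Manager binary lives only in the system folder.
        reasons.append("services.exe outside the Windows system folder")
    if ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"image has non-executable extension {ext or '(none)'}")
    return reasons


def check_snapshot(snap):
    """Return (location, name, reason) tuples for everything worth a look."""
    findings, flagged = [], set()
    for location, entries in (("Run", snap["run_values"]), ("Service", snap["services"])):
        for name, path in entries.items():
            for reason in image_path_findings(path):
                findings.append((location, name, reason))
                flagged.add(_norm(path))
    policy = snap["policies"].get("DisableRegistryTools")
    if policy is not None:
        # Windows blocks regedit when this DWORD is 1; any presence is worth noting.
        findings.append(("Policies", "DisableRegistryTools", f"present with value {policy}"))
    for entry in snap["firewall_authorized"]:
        # XP SP2 list format: <path>:*:Enabled:<display name>
        exe = entry.split(":*:", 1)[0]
        if _norm(exe) in flagged:
            findings.append(("Firewall", exe, "flagged autorun image is exempted from the firewall"))
    return findings


def read_run_values():
    """Collect HKLM Run values on a live Windows host (assumed helper; Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE_SNAPSHOT):
        print(*finding, sep=" | ")
```

The firewall check is keyed on the paths already flagged as autoruns rather than on the value names, so a copy that was renamed but still exempted by path is caught, and a legitimate exemption such as the Messenger entry in the sample is left alone.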
W32/MyDoom-Z also attempts to terminate security-related processes on the system and modifies the hosts file at <Windows system folder>\drivers\etc\hosts to prevent access to security-related websites.
W32/MyDoom-Z may also download further components from predefined websites. These downloaded files contain W32/Surila-C.
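The hosts-file change is the easiest of these to verify offline. The Python below is an added example, not Sophos code: it parses a hosts file and reports names sinkholed to a loopback or unspecified address, plus any name under an assumed vendor watchlist that has been redirected elsewhere. The sample hosts content and the watchlist are constructed for the example; on a real machine read the file from %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Detect hosts-file entries that block or redirect security vendor sites.

Added example, not Sophos code. The watchlist and sample file are constructed.
"""
import ipaddress

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Assumed watchlist of vendor domains; extend for the vendors in use.
WATCHLIST_SUFFIXES = ("sophos.com",)

# Constructed sample in the Windows hosts-file format.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com
0.0.0.0         update.example-av.test   # 0.0.0.0 also sinkholes on Windows
192.0.2.10      sophos.com
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for each mapping, ignoring comments."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts mapping (malformed line)
        for host in fields[1:]:
            yield number, address, host.lower()


def on_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_tampering(text):
    """Return dicts describing entries that block or redirect external names."""
    findings = []
    for number, address, host in parse_hosts(text):
        sinkholed = address.is_loopback or address.is_unspecified
        if sinkholed and host in LOCAL_NAMES:
            continue  # the normal localhost mappings
        if sinkholed:
            reason = f"{host} sinkholed to {address}"
        elif on_watchlist(host):
            reason = f"watchlisted {host} redirected to {address}"
        else:
            continue
        findings.append({"line": number, "host": host, "address": str(address), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['reason']}")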
