Alias: W32/Mydoom.o@MM, I-Worm.Mydoom.R
Type: Worm
Size: 28,832 Bytes (variable)
Origin:
Date: 07-26-2004
Damage: Sent by email.
VDF Version: 6.26.00.44
Danger: Low
Distribution: Medium

General Description

Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Distribution

Worm/MyDoom has its own SMTP engine. The email sent by the worm can vary.

Subject: one of the following lines:
Returned mail: see transcript for details
Returned mail: Data format error
sfupmpndzmivdnog
Mail System Error - Returned Mail
Delivery reports about your e-mail
%variable.email@adresse.de%
MESSAGE COULD NOT BE DELIVERED
test
Message could not be delivered

Body: one of the following:
This message was not delivered due to the following reason:
The original message was included as attachment
The original message was received at Mon, 26 Jul 2004 17:00:..
Dear user %email@adresse.de%, administration of %adresse.de% would like to inform you that,

Attachment: one of the files below:
qcwjcy.zip, text.zip, message.cmd, ipdwlzg.zip, readme.exe, attachment.pif, instruction.zip, message.scr, transcript.zip, message.exe, letter.zip, cgzzyed.scr, mail.zip, transcript.scr, wahiug.pif, document.zip, message.zip, Text.pif, rgizthm.zip, Message.cmd, attachment.zip, attachment.exe, transcript.com, document.com, letter.pif, file.scr, file.zip, tbefjr.zip, mail.scr, sdf.zip, instruction.scr, LWGQHJK.EXE, jrndii.zip, readme.zip, transcript.exe, rij.zip, LETTER.SCR, FILE.PIF, document.scr, Message.pif, fwgb.zip, imy.scr, ckyl.zip, hczing.pif, INSTRUCTION.CMD, transcript.bat, vrai.zip, game@zone.com.zip, tiuqr.zip, now@zone.com, privacy@180solutions.com.zip, readme.scr, vxterp.zip, tixbie.zip, uaey.com, oxyb.scr, ojs.zip

Technical Details

Worm/MyDoom.m (28,832 Bytes) is packed with UPX. When activated, it creates the following files:
C:\Documents and Settings\%USER%\Local Settings\Temp\zincite.log
C:\Documents and Settings\%USER%\Local Settings\Temp\bseobf.log
C:\%WinDir%\services.exe (8,912 Bytes)
C:\%WinDir%\java.exe (28,832 Bytes)

The worm makes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"JavaVM"="C:\\%WinDir%\\java.exe"
"Services"="C:\\%WinDir%\\services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Daemon\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon\
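
A host-side check for the Run entries listed above, as an added example (not Avira's code): it parses a `reg export` of the Run key and flags the "JavaVM" and "Services" values only when they point directly into the Windows directory. The Windows directory `C:\WINDOWS`, the function names and the sample export are assumptions constructed for illustration.

```python
import ntpath
import re

# Run value names and the file each one points to, from the description above.
MYDOOM_RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}
# One string value of a .reg export: "Name"="Data", with \ and " escaped.
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_run_export(reg_text):
    """Return {value name: data} for the string values in a Run-key export."""
    entries = {}
    for line in reg_text.splitlines():
        match = REG_LINE.match(line.strip())
        if match:
            entries[unescape(match.group(1))] = unescape(match.group(2))
    return entries


def find_mydoom_run_entries(reg_text, windir=r"C:\WINDOWS"):
    """Flag Run values whose name and target match the entries listed above.

    The target must sit directly in the Windows directory. The genuine
    Windows services.exe lives in the System32 subdirectory, so a
    System32 path is not flagged.
    """
    hits = []
    windir = ntpath.normcase(ntpath.normpath(windir))
    for name, data in parse_run_export(reg_text).items():
        expected = MYDOOM_RUN_VALUES.get(name.lower())
        path = ntpath.normcase(ntpath.normpath(data))
        if expected and ntpath.split(path) == (windir, expected):
            hits.append((name, data))
    return hits


# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre\\bin\\jusched.exe"
'''
```
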
Description inserted by Crony Walker on Tuesday, June 15, 2004
