Alias: W32.Mydoom.Q@mm
Type: Worm
Size: 27,136 Bytes
Origin:
Date: 08-16-2004
Damage: Sent by email.
VDF Version: 6.27.00.11
Danger: Low
Distribution: Medium

General Description
Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Distribution
The worm sends itself by email using its own SMTP engine. It harvests email addresses from files with the following extensions:
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.wab
.pl

The email sent by this worm has the following structure:
Subject: Photos
Message: LOL!;))))
Attachment: photos_arc.exe
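The mail structure above is a usable mail-gateway indicator. The following is an added example (not Avira's code and not part of the original description) that parses a raw RFC 822 message with Python's standard `email` module and reports which of the three listed traits (subject, body text, attachment name) it matches. The two sample messages are constructed for the example; the attachment body is a placeholder, not worm content.

```python
"""Match the Worm/MyDoom.s mail pattern (subject / body / attachment) from the description."""
from email import message_from_string

# Indicators taken from the description above.
WORM_SUBJECT = "Photos"
WORM_BODY = "LOL!;))))"
WORM_ATTACHMENT = "photos_arc.exe"


def matched_indicators(raw: str) -> set:
    """Return the subset of {"subject", "body", "attachment"} that a raw message matches."""
    msg = message_from_string(raw)
    found = set()
    if (msg.get("Subject") or "").strip().lower() == WORM_SUBJECT.lower():
        found.add("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Attachment name comparison is case-insensitive: Windows ignores case.
            if filename.lower() == WORM_ATTACHMENT:
                found.add("attachment")
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if WORM_BODY in payload.decode("utf-8", errors="replace"):
                found.add("body")
    return found


def is_mydoom_s_mail(raw: str) -> bool:
    """The attachment name is the decisive trait; subject and body alone are too generic."""
    return "attachment" in matched_indicators(raw)


# Constructed sample: a message shaped like the worm's mail (placeholder attachment bytes).
SAMPLE_WORM_MAIL = """\
From: someone@example.com
To: victim@example.com
Subject: Photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

LOL!;))))
--XYZ
Content-Type: application/octet-stream; name="photos_arc.exe"
Content-Disposition: attachment; filename="photos_arc.exe"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

# Constructed sample: a legitimate mail that happens to share the subject line.
SAMPLE_BENIGN_MAIL = """\
From: friend@example.com
To: victim@example.com
Subject: Photos

Here are the photos from the trip, see the shared album link.
"""

if __name__ == "__main__":
    print(sorted(matched_indicators(SAMPLE_WORM_MAIL)))   # ['attachment', 'body', 'subject']
    print(is_mydoom_s_mail(SAMPLE_WORM_MAIL))             # True
    print(sorted(matched_indicators(SAMPLE_BENIGN_MAIL)))  # ['subject']
    print(is_mydoom_s_mail(SAMPLE_BENIGN_MAIL))           # False
```

Only the attachment name is treated as decisive, because a subject of "Photos" is common in legitimate mail; the subject and body matches are reported so an analyst can see how closely a sample follows the template.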

Worm/MyDoom.s is not sent to email addresses that contain one of the following domain names or address fragments:
avpsyma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
be_loyal:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
abuse
upport
www
spm
spam
www
secur
abuse

Technical Details
When activated, Worm/MyDoom.s creates a file named "Message" in the Windows temporary folder and opens it in Notepad. This file contains garbage data.
The worm then copies itself to the following locations:
%SystemDIR%\winpsd.exe
%WindowsDIR%\rasor38a.dll
and creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"winpsd"="%SystemDIR%winpsd.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer
"InstaledFlashhMx"="1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Worm/MyDoom.s downloads the following backdoor files from www.richcolour.com or zenadjuice.com:
ispy.1.jpg
coco3.jpg
temp587.gif
temp728.gif
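The dropped files and registry entries listed in this section can be checked offline against a registry export and a file listing. The following is an added example (not Avira's code and not part of the original description): a minimal parser for the `[key]` / `"name"="data"` lines of a `.reg` export, plus two scan functions that report the Run entry, the Internet Explorer marker value and the two dropped file names. The ComDlg32 key is listed above without a value, so it is not checked. The `.reg` text and the file paths are constructed for the example; the parser assumes plain string values only.

```python
"""Check a .reg export and a file listing for the Worm/MyDoom.s host indicators."""
import re
from typing import Dict, List

# Registry indicators from the description: key -> {value name: expected data suffix}.
REG_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"winpsd": "winpsd.exe"},
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer": {"InstaledFlashhMx": "1"},
}
# Dropped files from the description; %SystemDIR% / %WindowsDIR% are matched by basename.
DROPPED_FILES = {"winpsd.exe", "rasor38a.dll"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] headers and "name"="data" string values (assumption: no hex/dword)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def scan_registry(reg_text: str) -> List[str]:
    """Return one finding per indicator value present; keys and value names compare case-insensitively."""
    exported = {
        key.lower(): {name.lower(): data for name, data in values.items()}
        for key, values in parse_reg_export(reg_text).items()
    }
    findings = []
    for key, values in REG_INDICATORS.items():
        present = exported.get(key.lower(), {})
        for name, suffix in values.items():
            data = present.get(name.lower())
            if data is None:
                continue
            # .reg exports escape backslashes as "\\"; undo that before comparing.
            unescaped = data.replace("\\\\", "\\")
            if unescaped.lower().endswith(suffix.lower()):
                findings.append(f"{key}\\{name} = {unescaped}")
    return findings


def scan_files(paths: List[str]) -> List[str]:
    """Return the paths whose basename is one of the dropped file names."""
    hits = []
    for path in paths:
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in DROPPED_FILES:
            hits.append(path)
    return hits


# Constructed .reg export: one infected Run entry next to a benign one, plus the IE marker.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="C:\\WINDOWS\\system32\\winpsd.exe"
"Backup"="C:\\Program Files\\Backup\\backup.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMx"="1"
"""

# Constructed file listing (as a directory walk of %WindowsDIR% might produce).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winpsd.exe",
    r"C:\WINDOWS\rasor38a.dll",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REG_EXPORT):
        print("registry:", finding)
    for hit in scan_files(SAMPLE_FILES):
        print("file:", hit)
```

Matching on the value data suffix rather than the full path keeps the check valid whether the system directory is `C:\WINDOWS\system32` or `C:\WINNT\system32`, which covers the NT and 9x families listed under Operating Systems.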
Description inserted by Crony Walker on Tuesday, June 15, 2004
