Alias: I-Worm.MyDoom.gen; W32/MyDoom-Gen; Win32.Mydoom.S@mm
Type: Worm
Size: 37,888 Bytes
Origin:
Date: 09-03-2004
Damage: It opens a TCP port and sends itself by email.
VDF Version: 6.27.0.46
Danger: Medium
Distribution: Medium

General Description

Damage routine:
Opens a TCP port and sends itself via email.

Affected platforms:
* Windows 95;
* Windows 98;
* Windows ME;
* Windows NT;
* Windows 2000;
* Windows XP;
* Windows Server 2003.

Distribution

The worm sends itself by email to all email addresses it can find, using its own SMTP engine.

The email subject is one of the following:
DOCUMENT
Error
hello
Hello
Hi
hi
HI
Mail Delivery System
Mail Transaction Failed
MAIL TRANSACTION FAILED
RE:my .....
Server Report
Test
test
TEST

The attachment name is one from the list below:
body
data
doc
document
Error
file
Information
message
Msg
readme
rest
text

The extension is:
cmd
pif
scr
exe
bat
or
zip (if the worm sends itself as a ZIP archive).

The email contains one of the following texts:
!!!!!!!!!!!, check the attachment!!!.
(Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.
(Norton ANti Virus,Panda,Mcafee No Virusses Found).
Check the attachment for more information!.
check the attachment to get the lastest news.
check.
come back my friend.
error , sorry we can't send the email so check the attachment.
error to send the mail!!!!!.
error, check the attachment for more information.
failed to send the email!, check the attachment for more information.
failed,check the attachment for more information.
hello :)
hello check the attachment thx.
hello.
here is what you need,thx.
loooooool ;)))
Mail transaction failed.
Partial message is available.
sorry we can't send the mail try later , check the attachment for more information.
test
the attachment for more information.
Try Later, Check the Attachment.
you can check the attachment for more information.
your attachment , thx.
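
One way a mail gateway could apply the subject, attachment-name and extension lists above, as an added example that is not part of the original description. Case-insensitive matching, the verdict names and the helper build_sample are assumptions of this example; the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from this description; compared in lower case.
# The truncated "RE:my ....." subject is left out because its full text is not given.
SUBJECTS = {"document", "error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "test"}
ATTACH_NAMES = {"body", "data", "doc", "document", "error", "file",
                "information", "message", "msg", "readme", "rest", "text"}
ATTACH_EXTS = {"cmd", "pif", "scr", "exe", "bat", "zip"}


def classify(raw: bytes):
    """Return (verdict, matching attachment names) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.walk():  # walk() also reaches attachments in nested multiparts
        name = (part.get_filename() or "").strip().lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            hits.append(name)
    if not hits:
        return "pass", hits
    # Name plus extension alone is weak (readme.zip is common), so only the
    # combination with a listed subject is quarantined outright.
    return ("quarantine" if subject in SUBJECTS else "review"), hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Mail transaction failed.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Mail Transaction Failed", "Document.SCR"),
                        ("Quarterly numbers", "readme.zip"),
                        ("hello", "report.pdf")]:
        print(subj, fname, classify(build_sample(subj, fname)))
```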

Technical Details

If the email's attachment is executed, Notepad.exe starts. The window has the following appearance:

http://www.antivir.de/uploads/RTEmagicC_worm_mydoom_t.JPG.jpg

The backdoor component of the worm permanently opens TCP port 5422 and listens for incoming connections.

A copy of the worm is created in the <%system%> folder with the filename "tasker.exe".
The worm creates the following Registry entry in order to run automatically at the next system restart:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task"="\\tasker.exe"

The file Nemog.dll (8.192 bytes) is also created in the <%system%> directory. The following Registry entry is created so that the DLL file is loaded at the next system restart:

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE3-11CF-9C87-00AA005127ED}\InProcServer32]
@="\\Nemog.dll"
"ThreadingModel"="Apartment"

The following message can be read within the worm's body:
- MSG To SkyNet-Netsky: i know skynet is sucks so fuck off and i will complete my projects ok baby!,the second author for mydoom worms!!, he will complete the project, more is coming soon better than better,Kuwait.
Description inserted by Crony Walker on Tuesday, June 15, 2004
