Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Method of propagation:
• Mcafee: W32/Mydoom.gen@MM
• Kaspersky: Email-Worm.Win32.Mydoom.bh
• F-Secure: Email-Worm.Win32.Mydoom.bh
• Sophos: W32/MyDoom-BX
• Panda: W32/Mydoom.DL.worm
• Grisoft: I-Worm/Generic.BXO
• Eset: Win32/Mydoom.NA
• Bitdefender: Generic.Mydoom.4C96A5D8
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Blocks access to security websites
• Uses its own Email engine
• Lowers security settings
• Registry modification
• Third party control
It copies itself to the following location:
It deletes the initially executed copy of itself.
The following files are created:
– A file that is for temporary use and it might be deleted afterwards:
%random character string%
.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
One of the following values is added in order to run the process after reboot:
• Driver Update="
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
The sender address is spoofed.
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
One of the following:
• A friendly warning
• Greetings. Please read on.
• Hello there! Read on.
• Hey, just warning you
• HEY, THIS IS KINDA URGENT
• Some important information
• You might want to read this...
• You need to protect yourself
In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.
– It is constructed using a regular expression.
– In some cases it may be empty.
– In some cases it may contain random characters.
The body of the email is one of the following:
• I don't know if you have heard yet or not but there's a deadly computer virus going around lately...
I got caught by it the other day and lost all my files.
Luckily Microsoft just released a fix which will protect you from it.
I've attached the fix to this email, so you'll be fine if you install it
Please open the attached file. It contains very important information concerning you.
• Please open the attached file. It contains very important information concerning you.
• I found a file that has a lot of information about YOU in it, I thought you might want to know about it.
It's attached to this email, so open it if you're interested.
• Hey, I assume you've heard about that new computer virus?
A friend of mine got hit by it the other day and lost EVERY file on his compuiter.
I attached a fix for it to this email, so you should be fine if you install it.
The filename of the attachment is constructed out of the following:
– It starts with one of the following:
%random character string%
The file extension is one of the following:
The attachment is a copy of the malware itself.
The attachment is an archive containing a copy of the malware itself.
The email looks like the following:
It searches the following files for email addresses:
Address generation for TO field:
To generate addresses it uses the following strings:
• sandra; linda; julie; jimmy; jerry; helen; debby; claudia; brenda;
anna; alice; brent; adam; ted; fred; jack; bill; stan; smith; steve;
matt; dave; dan; joe; jane; bob; robert; peter; tom; ray; mary; serg;
brian; jim; maria; leo; jose; andrew; sam; george; david; kevin; mike;
james; michael; alex; john; accoun; certific; listserv; ntivi;
support; icrosoft; admin; page; the.bat; gold-certs; ca; feste;
submit; not; help; service; privacy; somebody; no; soft; contact;
site; rating; bugs; me; you; your; someone; anyone; nothing; nobody;
noone; webmaster; postmaster; samples; info; root
It uses the same domain list as mentioned above.
The domain is one of the following:
It does not send emails to addresses containing one of the following strings:
• mozilla; utgers.ed; tanford.e; pgp; acketst; secur; isc.o; isi.e;
ripe.; arin.; sendmail; rfc-ed; ietf; iana; usenet; fido; linux;
kernel; google; ibm.com; fsf.; gnu; mit.e; bsd; math; unix; berkeley;
foo.; .mil; gov.; .gov; ruslis; nodomai; mydomai; example; inpris;
borlan; sopho; panda; hotmail; msn.; icrosof; syma; avp; -._!@; -._!;
spm; fcnz; www; abuse; .edu
It does not use the standard MX server.
It has the ability to contact one of the following MX servers:
The host file is modified as explained:
– In this case existing entries are deleted.
– Access to the following domains is effectively blocked:
• www.symantec.com; securityresponse.symantec.com; symantec.com;
www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
kaspersky-labs.com; www.kaspersky.com; www.networkassociates.com;
networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
my-etrust.com; www.my-etrust.com; download.mcafee.com;
dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
update.symantec.com; updates.symantec.com; us.mcafee.com;
liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
trendmicro.com; pandasoftware.com; www.pandasoftware.com;
www.trendmicro.com; www.grisoft.com; www.microsoft.com; microsoft.com;
update.microsoft.com; www.virustotal.com; virustotal.com;
www.ahnlab.com; suc.ahnlab.com; auth.ahnlab.com; ahnlab.com
The modified host file will look like this:
As a result remote control capability is provided.
Sends information about:
• Malware uptime
Remote control capabilities:
• Download file
• Execute file
• Kill process
• Move file
It creates the following Mutex:
The malware program was written in MS Visual C++.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Description inserted by Monica Ghitun on Wednesday, October 3, 2007
Description updated by Monica Ghitun on Thursday, October 4, 2007