W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses
books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP,
ASP, DBX, TBB, ADB and PL.
W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays
W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen
subject line. The emails distributing this worm have the following characteristics.
mail delivery system
mail transaction failed
collection of characters]
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed.
Partial message is available.
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
W32/MyDoom-A is programmed to not forward itself via email if the recipient email address satisfies various conditions:
The worm can also copy itself into
the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:
W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run
this file every time Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe
Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.
W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the
worm that allows outsiders to connect to TCP port 3127. The DLL adds the following registry entry so that it is run on startup:
Default= "<location of dll>"
The worm will also add the following entries to the registry:
Between the 1st and 12th February 2004, the worm will attempt a denial-of-service attempt to www.sco.com, sending numerous
GET requests to the web server.
After the 12th February W32/MyDoom-A will no longer spread, due to an expiry date set in the code. It will, however, still
run the backdoor component.
Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack