Virus Mydoom
Mydoom is a mass-mailing worm.
It copies itself to the %System% directory as a randomly-named file with an extension of .BAT, .EXE, .PIF, .CMD, or .SCR.
It creates a value under the following registry key to hook Windows startup (the value name and file name depend on the variant):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"(random letters)" = "%System%\(random letters).[bat|exe|pif|cmd|scr]"
"Taskmon" = "%System%\taskmon.exe" (mydoom.j)
"SVHOST" = "%System%\svhost.exe" (mydoom.i)
"Services" = "%windir%\services.exe" (mydoom.m)
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable: the worm locates the Windows installation folder (by default C:\Windows or C:\Winnt) and copies itself to that location. The legitimate services.exe lives in %System%, so a Run value pointing at %windir%\services.exe is itself a sign of the mydoom.m copy.
Mydoom.ab instead registers its copy as a Windows service named "NetBios Ext" so that it is started at boot; the ImagePath runs the copy with a "serv" argument. The entry appears under both of the following keys (CurrentControlSet is a link to the active ControlSetNNN, so these describe the same service):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBios Ext
"ImagePath" = "%windir%\services.exe serv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext
"ImagePath" = "%windir%\services.exe serv"
The worm also drops a randomly-named DLL in the Windows System directory:
%System%\(random letters).dll (size varies)
It registers this DLL as the in-process COM server (InProcServer32) for two CLSIDs that EXPLORER.EXE instantiates when it starts, so the DLL is loaded into EXPLORER.EXE after the next reboot (CLSID hijacking):
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32 "(Default)" = "%System%\(random letters).dll"
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = "%System%\(random letters).dll"
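The Run, service and CLSID entries above can be checked offline from a registry export without running anything on the suspect machine. The script below is an added example, not AnVir's code: it parses a .reg export (the sample export at the bottom is constructed) and reports entries matching the indicators on this page. The "random letters" heuristic (value name equal to the file name, letters only) and the directory patterns are assumptions made for illustration; the CLSID check in particular needs comparison with a clean system's export, since the legitimate handlers also live in the System directory.

```python
"""Scan a Windows registry export (.reg) for the Mydoom persistence entries
described above.  Added example, not AnVir's code: only string (REG_SZ)
values are parsed, and the sample export at the bottom is constructed."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\NetBios Ext$", re.I)
CLSID_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)
HIJACKED_CLSIDS = {"{35CEC8A3-2BE6-11D2-8773-92E220524153}",
                   "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
# Fixed names used by the variants named above (Run value name -> file name).
KNOWN_RUN_VALUES = {"taskmon": "taskmon.exe", "svhost": "svhost.exe", "services": "services.exe"}
WORM_EXTS = {"bat", "exe", "pif", "cmd", "scr"}
# Ways the System / Windows directories appear in exports (variables or default paths); assumption.
SYSTEM_DIR_RE = re.compile(
    r"^(?:%system%|%sysdir%|%windir%\\system32|%systemroot%\\system32|c:\\win(?:dows|nt)\\system(?:32)?)$", re.I)
WIN_DIR_RE = re.compile(r"^(?:%windir%|%systemroot%|c:\\win(?:dows|nt))$", re.I)
# "name"="data" or @="data" lines; backslash and double quote are escaped with a backslash.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    The key's default value is stored under the name '(Default)'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:      # dword:/hex: values are skipped
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def _split(data: str) -> Tuple[str, str, str, str]:
    """Split 'dir\\name.ext args' (path optionally quoted) into (dir, name, ext, args)."""
    data = data.strip()
    if data.startswith('"'):
        head, _, args = data[1:].partition('"')
    else:
        head, _, args = data.partition(" ")
    d, _, base = head.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    if not stem:                            # no dot: rpartition leaves the name in ext
        stem, ext = base, ""
    return d, stem, ext.lower(), args.strip()


def find_mydoom_indicators(export_text: str) -> List[str]:
    """Return one human-readable finding per matching registry entry."""
    findings: List[str] = []
    keys = parse_reg_export(export_text)

    # 1. Run key: fixed names of the .i/.j/.m variants, or a letters-only value name
    #    equal to the file name of a .bat/.exe/.pif/.cmd/.scr in the System directory.
    for name, data in keys.get(RUN_KEY, {}).items():
        d, stem, ext, _ = _split(data)
        lname = name.lower()
        if KNOWN_RUN_VALUES.get(lname) == f"{stem}.{ext}".lower() and (
                SYSTEM_DIR_RE.match(d) or WIN_DIR_RE.match(d)):
            findings.append(f"Run {name!r} -> {data.strip()} (fixed Mydoom file name)")
        elif lname == stem.lower() and lname.isalpha() and ext in WORM_EXTS and SYSTEM_DIR_RE.match(d):
            findings.append(f"Run {name!r} -> {data.strip()} (random-letter name, .{ext} in System dir)")

    for key, values in keys.items():
        # 2. The 'NetBios Ext' service of Mydoom.ab (either control set).
        if SERVICE_KEY_RE.match(key):
            image = values.get("ImagePath", "")
            d, stem, ext, args = _split(image)
            if (stem.lower(), ext, args.lower()) == ("services", "exe", "serv") and WIN_DIR_RE.match(d):
                findings.append(f"Service 'NetBios Ext' ImagePath -> {image} (mydoom.ab)")
        # 3. InProcServer32 of the two CLSIDs Explorer loads, pointing at a letters-only DLL.
        m = CLSID_KEY_RE.match(key)
        if m and m.group(1).upper() in HIJACKED_CLSIDS:
            dll = values.get("(Default)", "")
            d, stem, ext, _ = _split(dll)
            if ext == "dll" and stem.isalpha() and SYSTEM_DIR_RE.match(d):
                findings.append(f"CLSID {m.group(1)} InProcServer32 -> {dll} "
                                "(random-letter DLL; compare with a clean system's export)")
    return findings


# Constructed sample export (REGEDIT5 syntax): one benign Run entry plus hits for each indicator.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"qkxvlt"="C:\\WINDOWS\\System32\\qkxvlt.pif"
"Taskmon"="%System%\\taskmon.exe "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext]
"ImagePath"="%windir%\\services.exe serv"
"Start"=dword:00000002

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\rwpmb.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for finding in find_mydoom_indicators(SAMPLE_EXPORT):
        print(finding)
```

Exports written by regedit.exe are UTF-16 with a byte-order mark, so read a real file with open(path, encoding="utf-16") before passing its contents to find_mydoom_indicators. The Run check deliberately ignores names containing dots or digits and paths outside the System directory, which keeps ordinary entries such as ctfmon.exe out of the results; any hit on the two CLSIDs should be confirmed by diffing the (Default) value against an export from a known-clean machine of the same Windows version.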
Mydoom sends itself, or a .zip archive containing itself, to the email addresses it finds on the computer.
Mydoom.ab also spreads through ICQ by sending messages, and copies itself to the Kazaa shared folder.
It monitors the process list and tries to terminate some antivirus and other programs.
© Copyright 2000-2008 AnVir Software. All Rights Reserved.