Virus Name: W32/Mydoom@MM
Risk Assessment
Corporate User: High-Outbreak
Home User: High-Outbreak
Virus Information
Discovery Date: 01/26/2004
Origin: Unknown
Length: 22,528 bytes
Type: Virus
SubType: E-mail
Minimum DAT: 4319
Release Date: 01/26/2004
Minimum Engine: 4.2.40
Description Added: 01/26/2004
Description Modified: 01/26/2004 2:44 PM (PT)
Virus Characteristics:
This is a mass-mailing worm that arrives in an email message as follows:
From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
The icon used by the file tries to make it appear as if the attachment is a text file.
When this file is run it copies itself to the local system with the following filenames:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
%SysDir%\taskmon.exe
(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It also uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm opens a listening connection on TCP port 3127, suggesting remote access capabilities.
AVERT is currently analyzing this threat. Details will be posted as they become available.
Symptoms
Upon executing the virus, Notepad is opened, filled with nonsense characters.
Existence of the files and registry entry listed above.
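The file, registry and port indicators listed above can be checked on a Windows host with the following script. It is an added example, not part of the AVERT description, and it assumes a modern PowerShell session where Get-NetTCPConnection is available (Windows 8 / Server 2012 or later); the function name Test-MydoomIndicators is hypothetical.

```powershell
# Added example (not from the AVERT description): look for the W32/Mydoom@MM
# indicators named on this page and return each one that is present.
# Run in an elevated PowerShell session.
function Test-MydoomIndicators {
    $findings = @()
    $sysDir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\SYSTEM32

    # 1. Files dropped by the worm (taskmon.exe should be 22,528 bytes,
    #    shimgapi.dll 4,096 bytes according to the description)
    $paths = @(
        (Join-Path $sysDir 'taskmon.exe'),
        (Join-Path $sysDir 'shimgapi.dll'),
        'C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $size = (Get-Item -LiteralPath $p).Length
            $findings += "File present: $p ($size bytes)"
        }
    }

    # 2. Startup hook: Run value "TaskMon" under HKLM
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $taskMon = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).TaskMon
    if ($taskMon) {
        $findings += "Run key TaskMon = $taskMon"
    }

    # 3. Listener on TCP 3127 (the remote-access port from the description)
    $listeners = Get-NetTCPConnection -LocalPort 3127 -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $findings += "TCP 3127 listening, owning PID $($l.OwningProcess)"
    }

    return $findings
}

$hits = Test-MydoomIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No W32/Mydoom@MM indicators found.'
} else {
    $hits | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

A file hit on taskmon.exe should be confirmed against the 22,528-byte length given above, since Windows 9x/Me ships a legitimate TASKMON.EXE in the Windows directory.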
Method Of Infection
This file tries to spread via email and by copying itself to the shared directory of Kazaa clients if they are present.
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
wab
adb
tbb
dbx
asp
php
sht
htm
txt
Additionally, the worm contains strings which it uses to randomly generate, or guess, addresses.
Removal Instructions
The following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT
Variants
Name | Type | Sub Type | Differences
(none listed)
Aliases:
Novarg (F-Secure)
W32.Novarg.A@mm (Symantec)
Win32/Shimg (CA)
WORM_MIMAIL.R (Trend)