I-Worm.Mydoom. Spyware/Adware Definition
Name: I-Worm.Mydoom.
Category: Viruses
Description:
Details
I-Worm.Mydoom.q
Mydoom.q is an Internet worm that spreads via an email attachment. It is written in C++ and packed with UPX. The compressed file is 27136 bytes; unpacked it is 65024 bytes.
Installation
Once Mydoom.q is launched it copies the main component into the Windows directory under the name rasor38a.dll and into the Windows system folder under the name winpsd.exe. Finally, Mydoom.q creates the following key in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="winpsd.exe"
Mydoom.q also creates a mutex named 43jfds93872 to prevent duplicate infections.
Propagation
Mydoom.q scans the infected machine for files with the following extensions:
txt
htmb
shtl
phpq
aspd
dbxn
tbbg
adbh
pl
wab
Email characteristics
Subject:
photos
Body text:
LOL!;))))
Attachment name:
photos_arc.exe
Payload
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm:
http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx
If the backdoor is downloaded successfully, it is saved in the Windows directory under the name winvpn32.exe and then launched. A key is also created in the system registry signaling successful installation:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMX"="1"
Mydoom.q checks this flag and stops attempting to download the Trojan once the flag is set to '1'.
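The host artifacts listed under Installation and Payload (the Run value, the dropped files and the Internet Explorer flag) can be checked offline from a regedit export and a file listing. The script below is an added example, not part of this description: the `.reg` text and file list are constructed, and the function names are my own. The mutex is a live-host check and is not covered here.

```python
"""Triage helper: look for the Mydoom.q host artifacts in a regedit (.reg)
export and a directory listing.  Sample inputs are constructed."""
import re
from typing import Dict, Iterable

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
WORM_FILES = {"rasor38a.dll", "winpsd.exe", "winvpn32.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a regedit export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # section header names the key
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def assess(reg_text: str, file_names: Iterable[str]) -> Dict[str, object]:
    """Return which Mydoom.q artifacts are present in the supplied data."""
    keys = parse_reg_export(reg_text)
    run_val = keys.get(RUN_KEY, {}).get("winpsd")
    findings: Dict[str, object] = {
        "run_persistence": run_val is not None and run_val.lower().endswith("winpsd.exe"),
        "backdoor_flag": keys.get(IE_KEY, {}).get("InstaledFlashhMX") == "1",
        "dropped_files": sorted({f.lower() for f in file_names} & WORM_FILES),
    }
    findings["infected"] = bool(findings["run_persistence"]) or bool(findings["dropped_files"])
    return findings


# Constructed sample data: a minimal .reg export and a Windows directory listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winpsd"="winpsd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMX"="1"
"""
SAMPLE_FILES = ["explorer.exe", "rasor38a.dll", "WINPSD.EXE"]

if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_FILES))
```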
Other
Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time).
However, Backdoor.Win32.Surila.g does not have an expiration date, meaning that infected machines remain open to remote administration unless the Trojan is removed.