Sophos

W32/MyDoom-F

Aliases
  • W32/Mydoom.f@MM
  • WORM_MYDOOM.F
  • Win32/Mydoom.F

Summary

Affected operating systems Windows
Included in our products from April 2004 (3.80)
Protection available since 20 February 2004 17:16:46 (GMT)
Detected by All Sophos products

More Information

W32/MyDoom-F is a worm which spreads by email. When the infected attachment is launched the worm harvests email addresses from address books and from files on the hard disk.

When run, W32/MyDoom-F either creates a file in the temp folder and opens it in Notepad to display its contents, or displays one of the following messages:

Unable to open specified file
File cannot be opened
File is corrupted

W32/MyDoom-F spoofs the sender, using randomly chosen email addresses in the "To:" and "From:" fields and a randomly chosen subject line. The emails distributing this worm have the following characteristics:

Subject lines
test
hi
hello
Returned Mail
Confirmation Required
Confirmation
Registration confirmation
please reply
please read
Read this message
Readme
Important
Your account has expired
Expired account
Notification
automatic responder
automatic notification
You have 1 day left
Warning
Information
For your information
For you
Something for you
Read it immediately
Read it immediately!
Your credit card
Schedule
Accident
Attention
stolen
news
recent news
Wanted
fake
unknown
bug
forget
read now!
Current Status
Your request is being processed
Your order is being processed
Your request was registered
Your order was registered
Re:
Undeliverable message
Love is...
Love is
Your account is about to be expired
Your IP was logged
You use illegal File Sharing...
Thank You very very much
hi, it's me
Approved
Re: Approved
Details
Re: Details
Thank you
Re: Thank you
Announcement

Message texts
test
Details are in the attached document. You need Microsoft Office to open it.
See the attached file for details
Please see the attached file for details
The document was sent in compressed format.
Check the attached document.
Everything ok?
OK
Okay
I'm waiting
Read the details.
Here is the document.
I wait for your reply.
Is that from you?
Is that yours?
You are a bad writer
I have your password :)
Something about you
Kill the writer of this document!
We have received this document from your email
Here it is
See you
Greetings
Information about you
Please, reply
Reply
Take it
You are bad

Attachment filenames
msg
doc
document
readme
text
file
data
test
message
body
details
creditcard
attachment
stuff
me
post
posting
textfile
info
information
note
notes
product
bill
check
ps
money
about
story
mail
list
joke
jokes
friend
site
website
object
mail2
part1
part4
part2
part3
misc
disc
paypal
approved
details
your_document
image
resume
photo

Attached files have one of the extensions EXE, SCR, COM, PIF, BAT, CMD or ZIP.
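As an added, defensive illustration of the indicators above (this is not part of the Sophos description), the following Python screens a raw email for the listed subject lines, attachment base names and extensions. The indicator lists are abbreviated from the page and the sample messages are constructed.

```python
import re
from email import message_from_string

# Indicator lists taken from the Sophos description above (subjects and
# attachment base names abbreviated; the extension set is the full list given).
SUBJECTS = {s.lower() for s in (
    "test", "hi", "hello", "Returned Mail", "Confirmation Required",
    "Your account has expired", "Your IP was logged", "Read it immediately!",
    "Love is...", "Re: Approved", "Undeliverable message", "Announcement",
)}
BASENAMES = {"msg", "doc", "document", "readme", "text", "file", "data",
             "message", "details", "creditcard", "paypal", "your_document",
             "resume", "photo"}
EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "zip"}

def classify(raw: str) -> dict:
    """Report which MyDoom-F mail indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "attachment": False}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        m = re.fullmatch(r"([^.]+)\.([a-z0-9]+)", name)
        if m and m.group(1) in BASENAMES and m.group(2) in EXTENSIONS:
            hits["attachment"] = True
    # A listed subject alone is weak evidence ("hi" is ordinary mail), so the
    # verdict hinges on the attachment pattern; the subject only corroborates.
    hits["suspicious"] = hits["attachment"]
    hits["score"] = int(hits["subject"]) + int(hits["attachment"])
    return hits

# Constructed sample messages (not real captures); addresses are placeholders.
SAMPLE_WORM = """\
From: sender@example.org
To: victim@example.net
Subject: Your IP was logged
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="creditcard.zip"
Content-Disposition: attachment; filename="creditcard.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
SAMPLE_BENIGN = "From: a@example.org\nTo: b@example.net\nSubject: hi\n\nLunch?\n"
```

Running `classify(SAMPLE_WORM)` flags both indicators, while the benign "hi" message matches only the subject list and is not flagged.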

The worm will not send itself to email addresses belonging to domains containing the following strings: syma, icrosof, msn., hotmail, panda, sophos, borlan, inpris, example, mydoma, nodoma, ruslis, .gov, gov., .mil, foo., suppo, essagela, nai.co

As a consequence, the worm does not send itself to a number of email domains, including those of several anti-virus companies and Microsoft.

W32/MyDoom-F creates a randomly named file in the Windows system or Windows temp folder and adds a randomly named registry entry to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run this file every time Windows starts up.

The worm will create multiple copies of itself, all with randomly generated filenames, in all folders.

W32/MyDoom-F also drops a randomly named file with the extension DLL in the Windows system or Windows temp folder. The DLL is a backdoor program loaded by the worm that allows remote attackers to connect to TCP port 1080 and upload files for the infected computer to run.

Between the 17th and 22nd of any month the worm attempts a distributed denial of service attack. There is a one-third chance that the attack targets riaa.com; otherwise it targets www.microsoft.com.

W32/MyDoom-F searches for and deletes 40% of files with extensions of AVI, BMP, DOC, JPG, MDB, SAV and XLS.

Unlike earlier MyDoom variants, this version has no "suicide date" after which it stops spreading, and it appears to have been signed by its author with the following text:

.-==I am "Irony", made by jxq7==-.
