W32/Mydoom.E@mm

Analysis

  • Virus is 32-bit with a packed file size of 24,576 bytes and is a minor variant of W32/Mydoom.A - the major difference is in the DoS payload routine: this variant continues to DoS the website 'www.sco.com' into the year 2006
  • In its unpacked state, the virus stores its strings ROT-13 encoded in an effort to defeat basic string-dump or grep techniques for identifying malware
  • The virus reaches a system through one of two insertion points: as an email attachment sent from an infected user, or as a binary downloaded from an infected user's shared folder in the Kazaa file sharing application
  • The virus contains code to terminate its spreading routine when the system date reaches February 14, 2006
  • As with the .A variant, when the virus is run, it creates a Mutex in memory called "SwebSipcSmtxS0"
  • When the virus is run, it opens NOTEPAD.EXE showing unreadable characters while, in the background, it writes itself to the system folder as "taskmon.exe" and modifies the registry to run at the next Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "TaskMon" = C:\WINNT\System32\taskmon.exe
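The ROT-13 string encoding noted above is why a plain `strings`/grep pass over the unpacked sample finds none of the indicators this analysis lists. The following added example (written for this page, not Fortinet's tooling or any Mydoom code) builds a constructed stand-in buffer in which the indicator strings are stored ROT-13 encoded, shows that a plain scan misses them, and recovers them by decoding every printable run. The buffer layout and the `KNOWN_INDICATORS` tuple are assumptions made for the demonstration; only the indicator values themselves come from the analysis.

```python
import codecs
import re

# Indicators named in the analysis above; the scan reports which of them
# only surface after ROT-13 decoding.
KNOWN_INDICATORS = ("www.sco.com", "shimgapi.dll", "taskmon.exe", "SwebSipcSmtxS0")


def _build_sample_buffer() -> bytes:
    """Constructed stand-in for an unpacked binary (NOT a real Mydoom sample):
    each indicator is stored ROT-13 encoded and NUL-terminated, plus one
    ordinary plain-text string so the two scans can be compared."""
    buf = b"MZ" + b"\x90" * 6
    for s in KNOWN_INDICATORS:
        buf += codecs.encode(s, "rot_13").encode("ascii") + b"\x00\x00"
    buf += b"plain-text-string\x00"
    return buf


SAMPLE_BUFFER = _build_sample_buffer()

# Runs of 4+ printable ASCII bytes, the same heuristic as `strings -n 4`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data: bytes) -> list[str]:
    """Extract printable runs exactly as a string-dump tool would."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def plain_scan(data: bytes, indicators=KNOWN_INDICATORS) -> list[str]:
    """What a grep over the raw string dump sees: indicators present verbatim."""
    dump = [s.lower() for s in printable_strings(data)]
    return [ind for ind in indicators if any(ind.lower() in s for s in dump)]


def rot13_scan(data: bytes, indicators=KNOWN_INDICATORS) -> dict[str, dict[str, str]]:
    """Decode every printable run with ROT-13 and match the indicators against
    the decoded text. Returns {indicator: {"encoded": ..., "decoded": ...}}."""
    hits = {}
    for raw in printable_strings(data):
        decoded = codecs.decode(raw, "rot_13")
        for ind in indicators:
            if ind.lower() in decoded.lower():
                hits[ind] = {"encoded": raw, "decoded": decoded}
    return hits


if __name__ == "__main__":
    import sys
    # Pass a path to scan a file on disk; with no argument the constructed buffer is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUFFER
    print("plain scan:", plain_scan(data))
    for ind, info in rot13_scan(data).items():
        print(f"{ind}: stored as {info['encoded']!r}")
```

Because ROT-13 is its own inverse, the same decode pass also works on samples that store strings in clear, so it is cheap to run both scans over every unpacked binary and compare the results.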

  • The virus writes a compressed 5,632 byte DLL file to the system folder as "shimgapi.dll" and modifies the registry to load at next Windows startup -

    HKEY_CLASSES_ROOT\CLSID\
    {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
    "(Default)" = C:\WINNT\System32\shimgapi.dll

    * original value was %SystemRoot%\System32\webcheck.dll
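The two registry changes above (the "TaskMon" Run value and the hijacked InProcServer32 default for the webcheck CLSID) are the simplest host-side indicators to verify. The following added example (not Fortinet code) parses the text of a `reg export` of those two keys and flags both conditions; the export texts are constructed for the demonstration, and the parser handles only quoted string values, so a real export of the REG_EXPAND_SZ `%SystemRoot%` value (which `reg export` writes as `hex(2):...`) would need that case added.

```python
# Assumed usage: `reg export <key> out.reg` on the host, then read the file with
# open("out.reg", encoding="utf-16") and pass the text to check_mydoom_persistence().

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
EXPECTED_INPROC_DLL = "webcheck.dll"  # legitimate handler per the analysis above

# Constructed export text resembling an infected host (values from the analysis).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINNT\\System32\\taskmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINNT\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

# Constructed export text for a clean host; "ExampleTool" is a placeholder value.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINNT\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}}.
    '@' becomes "(Default)"; quoted strings are unescaped ('\\\\' -> '\\')."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_mydoom_persistence(reg_text: str) -> list[str]:
    """Return a finding per persistence indicator present in the export."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Match on either the value name or the target binary, in case one is changed.
        if name.lower() == "taskmon" or data.lower().endswith("taskmon.exe"):
            findings.append(f"Run value {name!r} launches {data}")
    default = keys.get(CLSID_KEY, {}).get("(Default)", "")
    if default and not default.lower().endswith(EXPECTED_INPROC_DLL):
        findings.append(f"InProcServer32 default replaced with {default}")
    return findings


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, check_mydoom_persistence(text) or "no findings")
```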

  • The .DLL file opens TCP port 3127 and loads as a server component - it contains instructions which could download and run files from the Internet if a specific byte sequence is received

  • The virus begins searching the infected system for target email addresses - when composing mail to a target address it uses, as the sender, either a harvested (valid) address or a fabricated one built from an internal list of names such as the following -

    adam
    alex
    alice
    andrew
    anna
    bill
    bob
    brenda
    brent
    brian
    claudia
    dan
    dave
    david
    debby
    fred
    george
    helen
    jack
    james
    jane
    jerry
    jim
    jimmy
    joe
    john
    jose
    julie
    kevin
    leo
    linda
    maria
    mary
    matt
    michael
    mike
    peter
    ray
    robert
    sam
    sandra
    serg
    smith
    stan
    steve
    ted
    tom

  • The virus avoids addresses that contain any of the following substrings -

    accoun
    admin
    anyone
    bugs
    ca
    certific
    contact
    feste
    gold-certs
    help
    icrosoft
    info
    listserv
    me
    no
    nobody
    noone
    not
    nothing
    ntivi
    page
    postmaster
    privacy
    rating
    root
    samples
    service
    site
    soft
    somebody
    someone
    submit
    support
    webmaster
    you
    your
    .edu
    .gov
    .mil
    abuse
    acketst
    arin.
    avp
    berkeley
    borlan
    bsd
    example
    fcnz
    fido
    foo.
    fsf.
    gnu
    google
    gov.
    hotmail
    iana
    ibm.com
    icrosof
    ietf
    inpris
    isc.o
    isi.e
    kernel
    linux
    math
    mit.e
    mozilla
    msn.
    mydomai
    nodomai
    panda
    pgp
    rfc-ed
    ripe.
    ruslis
    secur
    sendmail
    sopho
    spm
    syma
    tanford.e
    the.bat
    unix
    usenet
    utgers.ed
    www

  • The virus will search for email addresses in files with these extensions, and the Windows address book -

    .adb
    .asp
    .dbx
    .htm
    .php
    .pl
    .sht
    .tbb
    .txt

  • The virus constructs an email message designed to trick the recipient into opening the attached file out of curiosity - the message body varies, and suggests that the actual text of the original email is in the file attachment

  • Emails carry a spoofed "From" field, random subject lines, and one of the following body texts -

    Body text choices:
    - Mail transaction failed. Partial message is available.
    - The message contains Unicode characters and has been sent as a binary attachment.
    - The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    - test

  • Attachment file names are variable and could be in any of the following file formats -

    ZIP
    SCR
    PIF
    EXE
    BAT
    CMD

  • The size of ZIP attachments is not static, because the ZIP header contains the name of the enclosed file and that name differs between replications - the enclosed virus file itself is always 22,528 bytes

  • In some cases, the .ZIP attachment will contain a file with a double extension such as ".rtf [ many spaces ] .scr"
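The three attachment characteristics given above (executable member extensions, a constant 22,528-byte enclosed file despite a varying ZIP size, and the ".rtf [many spaces] .scr" padded double extension) can all be checked from the ZIP directory without extracting anything. The following added example (not Fortinet code) builds two constructed in-memory ZIP files and inspects them; the fixture builder, the whitespace-padding regex and the `MYDOOM_E_PAYLOAD_SIZE` constant are assumptions for the demonstration, with the size and extension list taken from the analysis.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".bat", ".cmd"}
MYDOOM_E_PAYLOAD_SIZE = 22528  # uncompressed size of the enclosed file, per the analysis

# A decoy extension, then a run of whitespace, then an executable extension at the
# very end of the member name (".rtf          .scr"). Assumed heuristic.
PADDED_DOUBLE_EXT = re.compile(r"\.(\w{1,4})\s+\.(scr|pif|exe|bat|cmd)$", re.IGNORECASE)


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test fixture: a ZIP holding one member (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_zip_attachment(zip_bytes: bytes) -> list[str]:
    """Return one finding per suspicious property of any member; [] if none."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            shown = re.sub(r"\s{2,}", " [spaces] ", name)  # readable form for reports
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable member {shown!r}")
            m = PADDED_DOUBLE_EXT.search(name)
            if m:
                findings.append(
                    f"padded double extension: .{m.group(1).lower()} hides .{m.group(2).lower()}"
                )
            # Match on the member's uncompressed size, which is constant across
            # replications, rather than on the ZIP size, which varies with the name.
            if ext in EXECUTABLE_EXTS and info.file_size == MYDOOM_E_PAYLOAD_SIZE:
                findings.append(f"member size {info.file_size} bytes matches the Mydoom.E payload")
    return findings


# Constructed samples: a Mydoom.E-style attachment and a benign one.
SUSPICIOUS_ZIP = build_sample_zip("document.rtf" + " " * 60 + ".scr", b"\x00" * MYDOOM_E_PAYLOAD_SIZE)
BENIGN_ZIP = build_sample_zip("report.txt", b"quarterly numbers attached\n")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, len(blob), "bytes:", inspect_zip_attachment(blob) or "no findings")
```

The size check is deliberately keyed to the enclosed file rather than the attachment: two copies of the same worm produce ZIPs of different lengths, but `ZipInfo.file_size` is read from the central directory and stays at 22,528 regardless of the member name.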

  • The virus will attempt to copy itself to the shared folder for Kazaa, a peer-to-peer file sharing application - commonly the folder name is

    c:\Program Files\Kazaa\My Shared Folder\

  • The files created could be any of the following -

    nuke2004
    office_crack
    rootkitXP
    strip-girl-2.0bdcom_patches
    activation_crack
    icq2004-final
    winamp5

  • The extension is randomly assigned among these - .bat, .exe, .scr, or .pif such as "nuke2004.bat" or "rootkitXP.scr"

  • The virus contains a system date check routine which verifies that the year is at least 2004 and the system date is not later than February 14, 2006 - if both conditions are met, the virus starts a denial-of-service attack against the web address 'www.sco.com' using a simple GET request - the DoS attack is persistent, sending one request every 1024 milliseconds
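The fixed 1024 ms cadence described above is a usable network signature: an infected host issues GET requests to the target at a near-constant interval, which ordinary browsing does not. The following added example (not Fortinet code) builds a constructed proxy log, with one host beaconing every 1024 ms and one person browsing the same site irregularly, and flags clients whose median inter-request gap matches the period. The log line format, the IP addresses and the thresholds are assumptions for the demonstration; only the target host and the 1024 ms period come from the analysis.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed log format: "<ISO timestamp> <client_ip> <method> <host> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD) (\S+) (\S+)$")


def _build_sample_log() -> str:
    """Constructed proxy log (not from any real device)."""
    t0 = datetime(2004, 2, 1, 10, 0, 0)
    lines = []
    # Infected host: one GET every 1024 ms, as the analysis describes.
    for i in range(20):
        ts = t0 + timedelta(milliseconds=1024 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 10.0.0.5 GET www.sco.com /")
    # A person browsing the same site: enough requests to pass the count
    # threshold, but at irregular intervals.
    for sec in (0.0, 7.3, 41.9, 95.2, 140.0, 141.5, 300.7, 302.1, 400.0, 412.4, 500.5, 600.0):
        ts = t0 + timedelta(seconds=sec)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 10.0.0.9 GET www.sco.com /products")
    # Unrelated traffic that must be ignored.
    lines.append(f"{t0.isoformat(timespec='milliseconds')} 10.0.0.9 GET www.example.com /")
    return "\n".join(sorted(lines))


SAMPLE_LOG = _build_sample_log()


def find_periodic_clients(log_text: str, target_host: str = "www.sco.com",
                          period_s: float = 1.024, tolerance_s: float = 0.05,
                          min_requests: int = 10) -> dict[str, dict[str, float]]:
    """Group GETs to target_host by client and flag clients whose median
    inter-request gap is within tolerance_s of period_s."""
    by_client: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, host, _path = m.groups()
        if method == "GET" and host.lower() == target_host:
            by_client[client].append(datetime.fromisoformat(ts))

    flagged = {}
    for client, times in by_client.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)  # median resists a few dropped or delayed requests
        if abs(med - period_s) <= tolerance_s:
            flagged[client] = {"requests": len(times), "median_gap_s": round(med, 3)}
    return flagged


if __name__ == "__main__":
    for client, stats in find_periodic_clients(SAMPLE_LOG).items():
        print(f"{client}: {stats['requests']} GETs, median gap {stats['median_gap_s']} s")
```

Using the median rather than the mean keeps a single retransmission or proxy stall from hiding the pattern; the `min_requests` floor stops a handful of coincidental one-second gaps from triggering on their own.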

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external to internal communication to TCP port 3127

Telemetry

Detection Availability

Product                    Detection
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date Version Detail
2021-06-29 87.00261
2021-06-01 86.00601
2021-04-15 85.00468
2020-11-27 82.15100 Sig Added
2020-08-25 79.88800 Sig Updated
2020-08-04 79.38400 Sig Updated
2020-05-28 77.75800 Sig Updated
2020-05-03 77.16300 Sig Added
2019-12-31 74.20000 Sig Updated
2019-11-19 73.20000 Sig Added