W32/MyDoom.BI@mm

Drops the following clean files to the System folder:

• version.ini
• hserv.exe
• Mes#wtelw

Registry Modification

Adds the value
lsass = "undefinedSYSTEMundefined\lsasrv.exe", where undefinedSYSTEMundefined refers to the System folder
to the registry subkeys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds the following registry subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellSmash

Adds the value
Shell = "explorer.exe undefinedSYSTEMundefined\lsasrv.exe", where undefinedSYSTEMundefined refers to the System folder
to the registry subkeys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Email Propagation

• .gov
• .mil
• account
• acketst
• admin
• anyone
• arc
• arin.
• avp
• berkley
• borlan
• bsd
• bugs
• ca
• certific
• contact
• example
• feste
  

 From: any of various names, such as:

• Abdulrazak
• Ackerman
• Adams
• Addison
• Adelstein
• Adibe
• Adorno
• Ahlers
• Alavi
• Alcorn
• Aleks
• Allison
• Alongi
• Altavilla
• Altenberger
• Altenhofen
• Amaral
• Amatangelo
  

 Subject: can be empty or any of the following:

• Attention!!!
• Do not reply to this email
• Error
• Good day
• hello
• Mail Delivery System
• Mail Transaction Failed
• Server Report
• Status
  

 Message body: any of various statements, such as:

• The message contains Unicode characters and has been sent as a binary attachment.
• Mail transaction failed. Partial message is available.
• Bad Gateway: The message has been attached.
  

 Attachment name: [Filename].[Extension]
  [Filename] can be any of the following:

• body
• message
• docs
• data
• file
• rules
• doc
• readme
• document
  

• bat
• cmd
• exe
• pif
• scr
• zip
  

Peer-to-peer Propagation

• Kazaa
• Morpheus
• iMesh
• eDonkey
• LimeWire
  

• porno
• NeroBROM6.3.1.27
• avpprokey
• Ad-awareref01R349
• winxp_patch
• adultpasswds
• dcom_patches
• K-LiteCodecPack2.34a
• activation_crack
• icq2004-final
• winamp5
  

Backdoor/Trojan Behavior

Blocks access to the following security-related websites:

• www.symantec.com
• securityresponse.symantec.com
• symantec.com
• www.sophos.com
• sophos.com
• www.mcafee.com
• mcafee.com
• liveupdate.symantecliveupdate.com
• www.viruslist.com
• viruslist.com
• www.f-secure.com
• f-secure.com
• kaspersky.com
• kaspersky-labs.com
• www.avp.com
• avp.com
• www.kaspersky.com
• www.networkassociates.com
• networkassociates.com
• www.ca.comca.com
• mast.mcafee.com
• www.my-etrust.com
• my-etrust.com
• download.mcafee.com
• dispatch.mcafee.com
• secure.nai.com
• www.nai.com
• nai.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• liveupdate.symantec.com
• customer.symantec.com
• rads.mcafee.com
• www.trendmicro.com
• trendmicro.com
• www.grisoft.com
• grisoft.com
  

Attempts to kill the following processes:

• bbeagle.exe
• d3dupdate.exe
• i11r54n4.exe
• irun4.exe
• msblast.exe
• msblast.exe
• mscvb32.exe
• navapw32.exe
• navw32.exe
• netstat.exe
• outpost.exe
• pandaavengine.exe
• penis32.exe
• rate.exe
• ssate.exe
• sysinfo.exe
• sysmonxp.exe
• taskmon.exe
• teekids.exe
• wincfg32.exe
• winsys.exe
• winupd.exe
• zapro.exe
• zonealarm.exe