A new variant of the MyDoom worm, Mydoom.AF, was found on October 27th, 2004. The worm is similar to previous variants. Note: Mydoom.AG was renamed to Mydoom.AF on 9th of November, 2004.
If the infection is in a local network, please follow the instructions on this webpage:
The worm is a PE executable file 31744 bytes long, packed with the UPX file compressor. The unpacked file's size is 73728 bytes.
Upon installation the worm copies itself as 'lsasrv.exe' to the Windows System directory and creates a startup key for that file in the System Registry:
where "%WinSysDir%" represents the Windows System directory. If the startup key cannot be created in the HKLM (local machine) Registry tree, it is created in the HKCU (current user) tree.
The worm spreads by sending its infected attachment to all email addresses found on an infected computer. The worm looks for email addresses in the Windows Address Book and in files with the following extensions:
The worm avoids sending emails to email addresses that contain any of the following substrings:
The worm modifies the HOSTS file to block access to the following websites:
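
To check a machine for the HOSTS file tampering described above, the following added example (not part of the original description, and not F-Secure code) parses hosts-file text and reports hostnames that have been pointed at a loopback or unspecified address. It assumes the blocking is done by mapping names to such addresses, which the description does not state; the sample content and hostnames are constructed.

```python
import ipaddress

# Names that normally map to loopback in an unmodified hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        fields = line.split()                    # spaces or tabs separate fields
        if len(fields) < 2:
            continue                             # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an IP literal, skip the line
        for name in fields[1:]:                  # one address may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_entries(text):
    """Return mappings that sink a non-local hostname to loopback or 0.0.0.0/::."""
    hits = []
    for line_no, addr, name in parse_hosts(text):
        # Assumption: blocked sites are redirected to a loopback/unspecified address.
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            hits.append((line_no, str(addr), name))
    return hits

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example www.av-vendor.example
0.0.0.0         downloads.example.net   # trailing comment
192.0.2.10      intranet.example
::1             localhost
"""

if __name__ == "__main__":
    for line_no, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `suspicious_entries()` and review each reported name before restoring the file.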