A new variant of MyDoom worm - Mydoom.AF, was found on October 27th, 2004. The worm is similar to previous variants.Note: Mydoom.AG was renamed to Mydoom.AF on 9th of November, 2004.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
The worm is a PE executable file 31744 bytes long packed with UPX file compressor. The unpacked file's size is 73728 bytes.
Installation to system
Upon installation the worm copies itself as 'lsasrv.exe' file to Windows System Directory and creates a startup key for that file in System Registry:
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = "%WinSysDir%\lsasrv.exe"
where "%WinSysDir%" represents Windows System directory. If the startup key cal not be created in HKLM (local machine) Registry tree, it is created in HKCU (current user) tree.
Spreading in e-mails
The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
The worm modifies the HOSTS file to block access to the following websites: