The MyDoom.E worm variant appeared on 16 February 2004. It is functionally similar to the previous variants: like them, it spreads via email and the Kazaa peer-to-peer network, drops a backdoor and attacks the www.sco.com website.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The MyDoom.E worm's file is a PE executable, 24576 bytes long, compressed with the UPX file compressor. The unpacked file is over 35 kilobytes in size.
The worm's lifespan is from 16:09:18 UTC on 10.02.2004 to 2:28:57 UTC on 14.02.2006. If the current date is outside this range, the worm does not start its replication and payload routines.
When the worm's file is run, it creates a separate thread that generates a garbage data file and opens it with Notepad. The thread then terminates.
After that the worm drops the SHIMGAPI.DLL file into the Windows System folder. This file is the backdoor (hacker's remote access) component. It is started as a thread of Explorer from the following Registry key:
Finally, the worm installs itself to the system. It copies itself as TASKMON.EXE to the Windows System directory and creates a startup key for this file in the Registry:
where %winsysdir% represents the Windows System directory name.
The worm spreads itself in email messages. To locate email addresses to spread to, the worm reads the Address Book file name from the Registry:
It then browses through the Address Book file and collects email addresses from it. Additionally, the worm looks for email addresses in files with the following extensions:
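Added example (not from F-Secure's description and not the worm's code): a small PE section-table parser in Python that checks a file for the traits the description gives, namely UPX packing (the UPX packer leaves sections named UPX0/UPX1, which is only a heuristic because packers can rename sections), the 24576-byte packed size, and the dropped file names TASKMON.EXE and SHIMGAPI.DLL. The PE image it inspects is a minimal, non-executable image constructed in memory for the demonstration; `inspect_sample` and `build_constructed_pe` are names chosen here, not anything from the page.

```python
import struct

# Values taken from the description: packed size and the dropped file names.
REPORTED_PACKED_SIZE = 24576
DROPPED_NAMES = {"taskmon.exe", "shimgapi.dll"}
# Section names the UPX packer leaves behind (heuristic only: a packer can rename them).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list:
    """Walk the DOS header, PE signature and COFF header to the section table
    and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # COFF NumberOfSections
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)  # COFF SizeOfOptionalHeader
    section_table = coff + 20 + opt_header_size                  # 20 = COFF header size
    names = []
    for i in range(num_sections):
        entry = section_table + i * 40                           # 40 bytes per section header
        raw_name = data[entry:entry + 8]
        names.append(raw_name.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def inspect_sample(filename: str, data: bytes) -> dict:
    """Report which of the traits from the description a file exhibits."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "size_matches_report": len(data) == REPORTED_PACKED_SIZE,
        "dropped_name": filename.lower() in DROPPED_NAMES,
    }


def build_constructed_pe(section_names, total_size: int) -> bytes:
    """Build a minimal PE32 image (constructed test data, not runnable code) so the
    parser can be exercised without a real sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header_size = 224                                        # PE32 optional header size
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                              0, 0, 0, opt_header_size, 0x010F)
    opt_header = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)  # PE32 magic
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for name in section_names)
    image = dos_header + b"PE\0\0" + coff_header + opt_header + sections
    return image.ljust(total_size, b"\0")                        # pad to the wanted file size


if __name__ == "__main__":
    sample = build_constructed_pe(["UPX0", "UPX1", ".rsrc"], REPORTED_PACKED_SIZE)
    print(inspect_sample("TASKMON.EXE", sample))
```

A file that matches only the size or only the name proves nothing on its own (Windows 9x shipped a legitimate TASKMON.EXE, for instance); the value of the check is in seeing several of the traits together, and a match should still be confirmed by scanning with up-to-date detection databases.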
The worm avoids using email addresses that contain the following substrings:
The worm fakes the sender's email address. It composes email addresses from two parts, a user name and a domain name. Here is the list of user names that the worm uses:
Here is the list of domain names that the worm uses:
The subject for the infected message is selected from the following variants:
The body of the infected message can contain one of the following:
The attachment name can be one of the following:
The attachment can have two extensions. In that case the first extension can be:
And the second or the only extension can be:
The worm can also send itself inside a ZIP archive.
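Added example (not part of the F-Secure description): a mail-gateway attachment screen in Python for the three attachment shapes described above, a plain executable, a double extension where a harmless-looking first extension precedes an executable one, and a ZIP archive carrying an executable. The actual extension lists are not reproduced on this page, so the sets `DECOY_EXTS` and `EXECUTABLE_EXTS` below are assumed placeholders, and the attachment contents are constructed test data.

```python
import io
import zipfile

# Assumed placeholder sets; the page does not reproduce the worm's actual lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}
DECOY_EXTS = {".txt", ".doc", ".htm", ".html"}


def split_extensions(filename: str) -> list:
    """Return every extension of a file name, lower-cased, e.g. 'a.txt.exe' -> ['.txt', '.exe']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the list of reasons an attachment should be held, empty if none apply."""
    reasons = []
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
        # The double-extension trick: 'report.txt.exe' shown as 'report.txt' by a mail client.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension disguised as " + exts[-2])

    if last == ".zip":
        # Look inside the archive rather than trusting the container's extension.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    member_exts = split_extensions(member)
                    if member_exts and member_exts[-1] in EXECUTABLE_EXTS:
                        reasons.append("zip member %s has executable extension" % member)
        except zipfile.BadZipFile:
            reasons.append("zip attachment is not a valid archive")

    # Content check: a PE image under a non-executable name is still a PE image.
    if data[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("content is a PE image but extension is not executable")

    return reasons


def build_constructed_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test data: an in-memory ZIP with one member."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, payload)
    return buffer.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\0" * 30            # constructed stand-in, not a real executable
    for name, blob in [("document.txt.exe", fake_pe),
                       ("document.zip", build_constructed_zip("document.scr", fake_pe)),
                       ("readme.txt", b"plain text")]:
        print(name, "->", classify_attachment(name, blob) or "clean")
```

The content check is there because an extension list is easy to evade; inspecting the first bytes and the archive members catches renamed executables that a name-only rule would pass.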
The worm spreads itself in the Kazaa file-sharing network. When it locates the Kazaa shared folder, it copies itself there with one of the following names:
The following extensions are used for the copied file:
Like its previous variants, the MyDoom.E worm tries to perform a DoS (Denial of Service) attack on the www.sco.com website. During the attack the worm bombards the website with numerous GET / HTTP requests.
The worm also drops a backdoor that starts as a thread of Explorer and listens on port 3127 for commands from remote hackers.
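Added example (not part of the F-Secure description): a detector in Python that reads web-server access-log lines in Common Log Format and flags any client sending an abnormally dense stream of `GET /` requests, the traffic pattern described above, so an operator can spot infected hosts hitting a site. The log lines are constructed for the demonstration, and the 10-second window and threshold of 20 requests are assumed tuning values, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp, request_line) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def find_root_get_bursts(lines, window=timedelta(seconds=10), threshold=20) -> dict:
    """Map each client IP to the largest number of 'GET /' requests it made inside any
    sliding window of the given length, keeping only clients at or above the threshold."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, request = parsed
        if request.startswith("GET / HTTP/"):       # only requests for the site root
            stamps_by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, densest = 0, 0
        for end in range(len(stamps)):              # two-pointer sliding window
            while stamps[end] - stamps[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[ip] = densest
    return flagged


def constructed_log() -> list:
    """Constructed sample: one client hammering '/' and one browsing normally."""
    base = datetime(2004, 2, 1, 16, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append('10.0.0.5 - - [%s] "GET / HTTP/1.1" 200 1234' % ts)
    for i, path in enumerate(["/", "/products.html", "/about.html"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append('192.0.2.10 - - [%s] "GET %s HTTP/1.1" 200 4321' % (ts, path))
    lines.append("this line is not in log format and is skipped")
    return lines


if __name__ == "__main__":
    for ip, count in find_root_get_bursts(constructed_log()).items():
        print("%s: %d root requests within one window" % (ip, count))
```

Counting only requests for `/` keeps ordinary browsing, which fans out over many paths, below the threshold while a flood aimed at the root stands out; the window and threshold should be tuned against the site's normal traffic before the rule is used to block or rate-limit anything.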