A new variant of MyDoom worm - Mydoom.F was found on February 20th, 2004 It is functionally similar to the original variant but it does not attack www.sco.com. Mydoom.F tries to perform a Distributed Denial-of-Service attack on www.microsoft.com and also www.riaa.com. Mydoom.A description is available at Novarg; the Mydoom.B description is available at Mydoom.B.
If the infection is in a local network, please follow the instructions on this webpage:
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When copying itself, the worm will overwrite part of its executable with random data. Starting from 28000 bytes from its beginning it will write a 1 kB chunk of random data, making the file seem variable.
Some of the strings are scrambled using the same method as in the original Mydoom, ROT13.
It will add an entry in the registry in:
or, if failed in
containing: = %sysdir%\.exe
The worm will compose emails with the following characteristics.
Subjects from the list:
(Some of these are also used by the Sober.C worm)
Message body is selected from:
Attachment names will be chosen from:
And one of the following extensions will be appended:
In addition to the Distributed Denial-of-Service attack the worm tries to delete several file types from the victim's hard drive such as pictures, movies and MS Office documents.
The worm's code in charge of that is the same that harvests email addresses. It will check every drive from 'C' to 'Z', and for each of the folders on those, it will go through each file, performing the following actions:
The worm will delete the files with a given probability, so only a given percentage of the occasions certain types of files will be deleted. The following table gives those percentages:
Once the scan of the machine and its drives is finished, it will sleep for 32 seconds and start again.
This variant, as the previous ones, also drops a backdoor listening in port 1080.