A new variant of the MyDoom worm, Mydoom.U, was found on September 9th, 2004. It is similar to previous variants: it spreads in e-mails with varying subject and body texts, and downloads and activates a backdoor.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
If the infection is in a local network, please follow the instructions on this webpage:
The worm is a PE (Portable Executable) file, 18200 bytes long, packed with the UPX file compressor. The unpacked file's size is over 44 kilobytes.
When run, the worm creates a mutex 'qwedefacedRDE', copies itself as WINSPF32.EXE to the Windows System directory and creates a startup key for that file in the System Registry:
where %WinSysDir% represents the Windows System directory.
Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as the file RX32HH00.EXE.
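The file indicators above (drop names, packed size, UPX packing) can be checked against a mounted disk image or a live file system. The following is an added example, not part of the original description or of any F-Secure tool. The function names are hypothetical, and it assumes the packer left UPX's default section names (UPX0, UPX1) in place.

```python
import os
import struct

# Indicators stated in the description above.
DROP_NAMES = {"WINSPF32.EXE", "RX32HH00.EXE"}
PACKED_SIZE = 18200  # size in bytes of the UPX-packed file

def pe_section_names(data):
    """Return PE section names, or [] if data is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(root):
    """Walk root; return (path, reasons) for each file using one of the drop names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() not in DROP_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(PACKED_SIZE + 1)  # one extra byte detects larger files
            reasons = ["name"]
            if len(data) == PACKED_SIZE:
                reasons.append("size")
            if any(s.startswith("UPX") for s in pe_section_names(data)):
                reasons.append("upx")
            hits.append((path, reasons))
    return hits

def constructed_sample(size=PACKED_SIZE):
    """Constructed input (not the worm): bare PE header, UPX0/UPX1 sections, zero fill."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sects = b"".join(n.ljust(40, b"\0") for n in (b"UPX0", b"UPX1"))
    return (dos + coff + sects).ljust(size, b"\0")
```

A hit on name alone is weak evidence; name, size and UPX sections together match the packed file described here. The mutex and the registry startup key are not covered by this file-system check.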
The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book and in files with the following extensions:
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
The subject of infected e-mails is selected from the following variants:
The body of infected e-mails is selected from the following variants:
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:
The worm can also attach a fake virus scan report to its message:
+++ Attachment: No Virus found +++
where the antivirus mentioned can be any of the following:
The worm fakes the sender's address and uses the following list of first names to compose the fake address:
It uses the following list of last names to compose the fake address:
It uses the following list of domain names to compose the fake address:
The worm downloads a backdoor from one of the websites and activates it. The backdoor is known as 'Surila.I' or 'BackDoor-CEB.c' and is downloaded from the following websites:
After September 20th, 2004, 01:18:31, the worm stops working and deletes its file from the hard drive.