A new variant of MyDoom worm - Mydoom.S, was found on August 16th, 2004. The worm spreads like its previous variants.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm's file is a PE executable 27136 bytes long packed with UPX file compressor. The unpacked worm's size is about 53 KiB.
The worm will attempt to download an executable from four different URLs stored within its body, such URLs point to two different sites (www.richcolour.com and zenandjuice.com). These sites were shut down by 18th of August, 2004.
Mydoom copies itself as "winpsd.exe" file to Windows System directory and creates a startup key for the copied file in Windows Registry:
where %WinSysDir% represents Windows System folder. As a result, the worm's file is started every time Windows starts.
The worm creates a mutex named '43jfds93872'.
The email-spreading function will expire on August 20th, 2004. After this the worm should not send emails any more.
The worm spreads in emails. Before spreading it collects email addresses from an infected computer. The worm reads Windows Address Book file, reads files in Temporary Internet Files folders and Windows System folder. Files with the following extensions are checked:
The worm doesn't send itself to email addresses that contain any of the following substrings:
The worm spreads in emails as follows:
The worm fakes the sender's email address. It uses the following user names for the fake email address:
The worm alters the infected computer's hosts file in order to prevent the local user and applications from reaching the Anti-Virus vendors' websites, including f-secure.com and www.f-secure.com.