A new variant of the MyDoom worm was found on July 19th, 2004. It is similar to previous variants. It spreads through email and copies itself to folders used by FTP and P2P software.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The executable is packed with unmodified UPX.
When executed, it copies itself to:
Where %windir% is the main Windows folder.
and creates the following registry key:
or
and sets the value:
The emails sent by Mydoom.L will contain one of the following subjects:
It may also compose the subject randomly.
Message bodies are chosen from:
The original message was included as attachment

This Message was undeliverable due to the following reason: Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within [text filled by the worm] days: Host $i is not responding.

The following recipients did not receive this message: [text filled by the worm] Please reply to postmaster@[text filled by the worm] if you feel this message to be in error.

The original message was received at [text filled by the worm] from [text filled by the worm] ----- The following addresses had permanent fatal errors ----- [text filled by the worm] ----- Transcript of session follows ----- while talking to [text filled by the worm].: MAIL From:[text filled by the worm] 501 [text filled by the worm]... Refused

The original message was received at $w from [text filled by the worm] ----- The following addresses had permanent fatal errors ----- [text filled by the worm]
The attachment filename is composed by combining any of the following filenames:
and the following extensions:
It can also send ZIP files containing the worm. In that case, the file inside the ZIP may have a filename resembling an email address, or a harmless-looking extension followed by a large number of whitespace characters and then an executable extension, so that the real extension is pushed out of view in a file listing.
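As an added illustration of how a mail gateway or endpoint scanner could spot the two ZIP-entry naming tricks described above, the following Python script is example code written for this page, not F-Secure's detection logic and not the worm's own filename list. It assumes a representative set of executable extensions and a padding threshold of eight whitespace characters (both assumptions), and the sample archive it inspects is constructed in memory from harmless placeholder bytes.

```python
import io
import re
import zipfile
from typing import Dict, List

# Assumption: a representative set of executable extensions, not the page's own list.
EXECUTABLE_EXTENSIONS = ("exe", "scr", "pif", "com", "bat", "cmd")

# Decoy extension, then a long run of whitespace, then a real executable extension,
# e.g. "document.txt<many spaces>.exe". The threshold of 8 is an assumption.
PADDED_NAME_RE = re.compile(
    r"\.[A-Za-z0-9]{1,5}\s{8,}\.(?:" + "|".join(EXECUTABLE_EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# Name shaped like an email address: local-part@domain.tld, possibly with more after it.
EMAIL_LIKE_RE = re.compile(r"^[^\s@/\\]+@[^\s@/\\]+\.[A-Za-z]{2,}", re.IGNORECASE)


def classify_name(name: str) -> List[str]:
    """Return the reasons (possibly none) a ZIP entry name matches the described disguises."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # only the final path component matters
    if PADDED_NAME_RE.search(base):
        reasons.append("whitespace-padded executable extension")
    exe_suffixes = tuple("." + ext for ext in EXECUTABLE_EXTENSIONS)
    if EMAIL_LIKE_RE.match(base) and base.lower().endswith(exe_suffixes):
        reasons.append("email-address-like name with executable extension")
    return reasons


def suspicious_entries(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious entry name in the archive to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo: harmless text under disguised names, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("document.txt" + " " * 40 + ".exe", "placeholder, not an executable")
        zf.writestr("postmaster@example.com.scr", "placeholder, not an executable")
        zf.writestr("photo.jpg", "placeholder, not an image")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_archive()).items():
        print(repr(entry), "->", ", ".join(why))
```

The padding rule keys on the shape of the name rather than on the specific filenames the worm uses, so it also catches other archives that hide an executable extension behind a run of spaces; the email-address rule only fires when an executable extension actually follows the address-like name, which keeps ordinary attachments such as exported contact files from being flagged.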
The worm looks for folders whose names contain the following text strings:
If any of them are found, it will copy itself inside those folders with names composed from:
followed by: