Virus Profile
Virus Information
Name: W32/Mydoom@MM
Risk Assessment  
  - Home Users: High-Outbreak
  - Corporate Users: High-Outbreak
Date Discovered: 1/26/2004
Date Added: 1/26/2004
Origin: Unknown
Length: 22,528 bytes
Type: Virus
SubType: E-mail
DAT Required: 4319
Quick Links
Virus Characteristics
Indications of Infection
Method of Infection
Removal Instructions
Buy or Update
New Users Get Protected Now:
Buy VirusScan
Update VirusScan
Virus Characteristics Back to Top

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body:  (Varies, such as) 

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file

When this file is run it copies itself to the local system with the following filenames:

  •  c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
  •  %SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

It also uses a DLL that it creates in the Windows System directory:

  •  %SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

AVERT is currently analyzing this the threat.  Details will be posted, as they are available.

Indications of Infection Back to Top
  • Upon executing the virus, Notepad is opened, filled with nonsense characters.
  • Existence of the files and registry entry listed above
Method of Infection Back to Top

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt

Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.

Removal Instructions Back to Top

The following EXTRA.DAT packages are available.

Aliases Back to Top
Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend)