The Web    Google
10/20: Mydoom-AA Worm Spreads Via Email

10/20: Mydoom-AA Worm Spreads Via Email
October 20, 2004

Worm_MydoomAA, like earlier Mydoom variants, mainly spreads via email. The email message it sends out has varying subjects, message bodies and attachment names, some examples of which are as follows:


  • Announcement
  • Details
  • Document
  • Fw:Document
  • Fw:Important

    Message bodies

  • Check the attached document.
  • Daily Report.
  • Details are in the attached document.
  • here is the document.
  • Important Information.


  • archive.doc
  • attachment.doc
  • check.doc
  • data.doc
  • document.doc

    This worm harvests target email addresses from certain files found in specific Local Settings\Temporary Internet Files subfolders. It noticeably avoids sending email to addresses that contain certain strings.

    This Mydoom worm downloads a malware file detected as WORM_SCRANOR.A from a particular Web site. It also attempts to prevent access to certain antivirus Web sites by modifying the Windows Hosts file.

    Notably, this Mydoom variant has a message strings in its codes that attacks different antivirus companies.

    This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Technical details can be found at Trend Micro page.

  • Under the Radar: IM Emerging as a Stealth Threat
  • 2/11: Rbot-VT Worm Has Backdoor Ability
  • 3/25: Clunk-A a Password-Stealing Worm
  • 11/30: SymbOS/Skulls-B is a Trojan
  • 'Critical' Windows Hijack Flaw Reported
  • 4/27: Mytob-CY Worm Arrives as Email Attachment
  • 5/6: Bakaver.A Infects Portable Drives
  • 6/4: Korgo-D Attacks Buffer Overrun
  • 10/1: Spybot-EAS Remotely Controlled
  • Asita, RapidStream offer up high-capacity VPN wares
  • Buffer Overflows Patched in RealPlayer
  • Home Security Camera Background