The Web    Google
8/17: Mydoom-T Copies Itself in Emails

8/17: Mydoom-T Copies Itself in Emails
August 17, 2004

Win32/MyDoom.T is a worm spreading via e-mail. Its size is 27136 bytes, the file is packed by UPX. Then a Registry entry called 'winpsd' under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run or
HKLM\Software\Microsoft\Windows\CurrentVersion\Run is created. The values of these keys point to winpsd.exe, the executable of Win32/MyDoom. The worm creates another Registry keys, HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\.

Win32MyDoom.T sends copies of itself in e-mail messages. It is able to read Windows Internet settings to find out what SMTP server to use for outgoing mail. E-mail addresses are searched for in files on infected computer having one of the extensions:


The worm contains a long list of substrings it matches against the harvested addresses, and avoids sending itself to an address containing some of them.

Sender of the meeage sent by Win32/MyDoom.T is spoofed. Its subject is "photos", the body is "LOL!;))))". The message carries an attachment called "photos_arc.exe".

More information is at Eset page.

  • 6/4: Agobot.300544 a Memory Resident
  • 9/30: Trojan.Duckey Exploits JPEG Flaw
  • 4/29: Bropia-AJ Worm Messages IM Users
  • Too Many Lost Emails Leave us Unconnected
  • Worldwide Security Server Appliance Market Hits $379 Million
  • Bagle-AA Moves Maliciously into 3rd Place
  • Viruses Gearing up For The Smart Set
  • Would Do-Not-Spam List Benefit the Enterprise?
  • 7/12 Atak.A Worm Low Threat but High Traffic
  • 10/21: Rbot-NG Worm Spreads Remotely
  • 11/8: Backdoor.Maxload Attacks Linux, Unix
  • Security Camera Articles