The Web    Google
8/17: Mydoom-T Copies Itself in Emails

8/17: Mydoom-T Copies Itself in Emails
August 17, 2004

Win32/MyDoom.T is a worm spreading via e-mail. Its size is 27136 bytes, the file is packed by UPX. Then a Registry entry called 'winpsd' under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run or
HKLM\Software\Microsoft\Windows\CurrentVersion\Run is created. The values of these keys point to winpsd.exe, the executable of Win32/MyDoom. The worm creates another Registry keys, HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\.

Win32MyDoom.T sends copies of itself in e-mail messages. It is able to read Windows Internet settings to find out what SMTP server to use for outgoing mail. E-mail addresses are searched for in files on infected computer having one of the extensions:


The worm contains a long list of substrings it matches against the harvested addresses, and avoids sending itself to an address containing some of them.

Sender of the meeage sent by Win32/MyDoom.T is spoofed. Its subject is "photos", the body is "LOL!;))))". The message carries an attachment called "photos_arc.exe".

More information is at Eset page.

  • 6/8: Trojan.Dingsta.A Logs Keystrokes
  • Gates Sends Letter on Spam to Congress
  • 3/8: Kelvir-D an IM Worm
  • Enforcer 3.1 Bars Unsanctioned IM, P2P Access
  • Hackers After Patched WINS Servers
  • New Tool Helps Ensure Users Employ Strong Passwords
  • Virus Alert: Worm Uses Own SMTP Engine to Spread
  • 'Critical' Windows Hijack Flaw Reported
  • China Backs Down on WAPI Deadline
  • 1/5: Rbot-SQ Worm Has Backdoor Abilities
  • 5/3: SymbOS/Locknut-C Infects Handsets
  • Security Camera Related Information