8/17: Mydoom-T Copies Itself in Emails
August 17, 2004
Win32/MyDoom.T is a worm that spreads via e-mail. It is 27136 bytes in size, and the file is packed with UPX. The worm creates a Registry entry called 'winpsd' under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The value of this entry points to winpsd.exe, the executable of Win32/MyDoom. The worm also creates two further Registry keys, HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\.
Win32/MyDoom.T sends copies of itself in e-mail messages. It reads the Windows Internet settings to find out which SMTP server to use for outgoing mail. It searches for e-mail addresses in files on the infected computer that have one of the following extensions:
adb asp dbx htm php pl sht tbb txt wab
The worm contains a long list of substrings that it matches against the harvested addresses, and it avoids sending itself to any address containing one of them.
The sender of messages sent by Win32/MyDoom.T is spoofed. The subject is "photos" and the body is "LOL!;))))". The message carries an attachment called "photos_arc.exe".
More information is available on the Eset page.
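A mail-gateway check for the message characteristics described above, as an added example that is not part of the original advisory or of Eset's material. The function names and the sample messages are constructed for illustration, and the size check assumes the attachment is an unmodified 27136-byte copy of the worm.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
SUBJECT = "photos"
BODY = "LOL!;))))"
ATTACHMENT = "photos_arc.exe"
WORM_SIZE = 27136  # bytes; assumes the attachment is an unmodified copy


def mydoom_t_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators that a raw e-mail message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name:
            # Attachment: compare the file name case-insensitively.
            if name == ATTACHMENT:
                hits.append("attachment-name")
                payload = part.get_payload(decode=True) or b""
                if len(payload) == WORM_SIZE:
                    hits.append("attachment-size")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() == BODY:
                hits.append("body")
    return hits


def build_sample(subject, body, filename, payload):
    """Build a constructed test message; the payload is inert filler."""
    m = EmailMessage()
    m["From"] = "someone@example.com"  # spoofed in real samples, so not checked
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


SUSPECT = build_sample("photos", "LOL!;))))", "photos_arc.exe", b"\x00" * 27136)
BENIGN = build_sample("Holiday photos", "See attached.", "beach.jpg", b"\xff\xd8\xff")
```

A message that matches only the subject is weak evidence on its own; the attachment name combined with the body text is the more specific signal.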