Virus Profile: W32/Mydoom.r@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/9/2004
Date Added: 8/9/2004
Origin: Unknown
Length: 17,408 bytes
Type: Virus
Subtype: Email Worm
DAT Required: 4379
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The virus may attempt to download a file (DSC00173.jpg ) from the following remote server via HTTP (Note: spaces inserted):

  • h t t p://

Methods of Infection

This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.


W32/MyDoom-R (Sophos)

Virus Characteristics

This new variant bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests target email addresses from the victim machine
  • forges the From: header of outgoing messages
  • downloads a file from a remote server (see below)

Proactive Detection
This variant is detected as W32/Mydoom.gen@MM with the 4379 DATs (release date: Jul 19th 2004) or higher (with the scanning of compressed files enabled - default setting).

At the time of writing, the remote file this virus may download was 99,840 bytes in size. The file is detected as MultiDropper-KT trojan with the 4376 DATs or higher, with scanning of compressed files enabled).

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!