This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe. A registry run key is created to load the virus at system startup, such as:
CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe
Other registry keys are also created:
The worm contains a list of IRC servers, which it attempts to connect to on TCP port 6667:
Methods of Infection
Like other Mydoom variants, this virus harvests email addresses from the local system, creates addresses by combining common names carried within the virus body with harvested domain names, and spams those addresses with email messages. It also avoids addresses containing specific letters or words. Unlike earlier variants, the infectious messages do not contain an attachment, but rather a hyperlink directing people to an infected machine. Following the hyperlink results in an infection occurring on the target victim's system, if they are running a vulnerable Microsoft Internet Explorer web browser.
Through a buffer overflow, the virus downloads and executes the main virus component. This component injects itself into the EXPLORER.EXE process and creates six threads to carry out various tasks. Even if the main executable file is terminated and deleted, these threads in EXPLORER.EXE must be suspended/terminated in order for propagation to stop. The specified DAT files contain repair to both terminate the running virus process as well as the spawned explorer.exe threads.
Bofra, W32.Mydoom.AH@mm (Symantec), Win32/Mydoom.AH@mm (RAV)