Virus Profile: W32/Mydoom.av@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/25/2005
Date Added: 1/25/2005
Origin: Unknown
Length: 32,768 bytes (UPXed)
Type: Virus
Subtype: E-mail worm
DAT Required: 4390
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and Registry keys detailed here.
  • Copies of the worm with the enticing filenames used for P2P propagation.
  • Local HOSTS file overwritten as detailed here.
  • When run, a garbage text file is opened and displayed in Notepad
  • the worm will remove Registry key data for other worms from the Registry

Methods of Infection


The worm installs itself into the Windows system directory as LSASRV.EXE, for example:


The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    Run "lsass" = %SysDir%\LSASRV.EXE

Additionally, the following value:

  • "Shell" = "explorer.exe %SysDir%\LSASRV.EXE"

is added to the following key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT

Mail Propagation

The mail propagation of this variant is very similar to previous Mydoom variants:

  • email addresses are harvested from the victim machine
  • From: address is spoofed using forenames and domains carried in the worm's body
  • email addresses containing certain strings are excluded from the mailing
  • the worm attaches itself to outgoing mails with one of the following filenames:
    • body
    • message
    • docs
    • file
    • rules
    • doc
    • readme
    • document
  • the attachment will have one of the following extensions:
    • zip
    • scr
    • pif
    • exe
    • cmd
    • bat

Overwriting local HOSTS file

The local hosts file is modified such that connection to the a number of domains for the updating of various anti-virus products is redirected to localhost (

Aliases (AVP), W32.Mydoom.AM@mm (Symantec), W32/MyDoom-AM (Sophos), W32/Mydoom.AN@mm (Frisk), WORM_MYDOOM.AM (Trend)

Virus Characteristics

A new variant of W32/Mydoom has been discovered. This variant is proactively detected as W32/Mydoom.gen@MM by McAfee products running the 4390 DATs or greater (release date: Sep 8th 2004).

This variant bears the following characteristics:

  • mails itself to target email addresses harvested from the victim machine
  • constructs outgoing messages using its own SMTP engine
  • spoofs the From: address on outgoing messages
  • attempts to propagate through popular P2P networks by copying itself with enticing filenames
  • terminates various processes (AV and security related)
  • modifies the local HOSTS file to disable the updating of security products

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!