W32/Mydoom.bm@MM is a mass-mailing worm that uses its own SMTP engine to propagate. It also spreads via peer-to-peer network shares. W32/Mydoom.bm@MM opens a proxy, logs keystrokes and steals passwords from infected machines.
Upon execution, it opens notepad.exe and displays the following message:
Creates a copy of itself in the Windows system directory as:
Additionally drops the following files to aid in its proxy and password-stealing routines:
%WINDIR%\%SYSDIR%\wxapi.dll (detected as Proxy-Prodoom)
%WINDIR%\%SYSDIR%\svch0st.exe (detected as PWS-Banker.p)
Adds the following values to the registry to auto start itself when Windows starts:
"WINLOG0N" = "%WINDIR%\%SYSDIR%\WINLOG0N.EXE"
"Systems" = "%WINDIR%\%SYSDIR%\svch0st.exe"
Adds the following registry values to register the proxy component:
"(Default)" = "%WINDIR%\%SYSDIR%\wxapi.dll"
Queries the following registry value and copies itself to Kazaa's peer-to-peer file sharing folder:
using the following file names:
With any of the following file extensions:
W32/Mydoom.bm@MM opens a proxy on TCP port 5204 using "wxapi.dll".
"svch0st.exe" logs keystrokes and monitors visited URLs for certain banking sites.
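A host check for the artifacts listed above, added here as an example and not part of the original write-up. It assumes the auto-start values are placed under the standard HKLM/HKCU Run keys (the write-up does not name the key) and that %SYSDIR% is System32; the proxy check requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example: look for the W32/Mydoom.bm@MM files, Run values and
# TCP/5204 listener described in the write-up. Run from an elevated prompt.
$sysDir   = Join-Path $env:SystemRoot 'System32'          # assumed %SYSDIR%
$files    = @('WINLOG0N.EXE', 'wxapi.dll', 'svch0st.exe')
$runKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # assumed
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')  # assumed
$runNames = @('WINLOG0N', 'Systems')
$findings = @()

# 1. Dropped components in the system directory
foreach ($f in $files) {
    $p = Join-Path $sysDir $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Auto-start values named in the write-up
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($n in $runNames) {
        $v = $props.PSObject.Properties[$n]
        if ($v) { $findings += "run value: $k\$n = $($v.Value)" }
    }
}

# 3. Proxy listener opened by wxapi.dll on TCP port 5204
$listeners = Get-NetTCPConnection -LocalPort 5204 -State Listen -ErrorAction SilentlyContinue
foreach ($c in $listeners) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "tcp/5204 listening, pid $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) { 'no W32/Mydoom.bm@MM artifacts found' } else { $findings }
```

A hit on any of the three checks is grounds to isolate the host and preserve the dropped files for analysis before cleaning, since the keylogger component may already have captured credentials that need to be rotated.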