MyDoom.G spreads via email. The From address is spoofed, so the message does not actually come from the person shown in the From field. Spoofing the From address can result in erroneous alert messages (bounces and antivirus notifications) being sent to innocent parties. These alerts also add to the overall worm traffic and can cause additional confusion.
The MyDoom.G email is composed from an extensive range of possible Subjects and Message bodies, making filtering based on content keywords a difficult, if not impossible task, due to the risk of a high rate of false positives.
The email attachment may be a ZIP archive, or it may be one of the following types: .exe, .scr, .com, .pif, .bat, or .cmd. On occasion, MyDoom.G may employ a double-extension ruse (for example, a name ending in .txt.exe) which could trick some users into opening the file. By default, Windows hides the extensions of known file types, which makes the double-extension ruse possible. To protect against this ruse, ensure file extension viewing is enabled.
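The attachment check described above, as an added Python example that is not part of this advisory: it flags the executable types listed, detects the double-extension ruse, and, because the worm may arrive as a ZIP archive, inspects archive member names as well. The decoy-extension list and the sample filenames are assumptions made for this example.

```python
import io
import zipfile
from typing import List

# Attachment extensions named in the advisory (a ZIP may wrap one of them).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumed decoy extensions: the harmless-looking first extension of a double-extension name.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html", ".pdf"}


def classify_filename(name: str) -> List[str]:
    """Return findings for one attachment filename (empty list = nothing suspicious)."""
    findings = []
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return findings
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable attachment type {last}")
        # Double-extension ruse: a decoy extension right before the real one, e.g.
        # "invoice.txt.exe", shown as "invoice.txt" when Windows hides known extensions.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            findings.append(f"double extension ruse ({'.' + parts[-2]}{last})")
    return findings


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Classify an attachment; ZIP archives are opened and every member name is checked too."""
    findings = classify_filename(name)
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for finding in classify_filename(member):
                    findings.append(f"inside zip: {member}: {finding}")
    return findings


def _constructed_zip(member_name: str) -> bytes:
    """Build a small in-memory ZIP with one harmless member (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"not a real payload")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("readme.txt.exe", b""), ("notes.txt", b""),
               ("photos.zip", _constructed_zip("photo.jpg.scr"))]
    for name, data in samples:
        print(name, "->", inspect_attachment(name, data) or ["clean"])
```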
MyDoom.G avoids sending itself to email addresses that contain any of the following:
- berkeley
- bsd
- example.com
- fsf.
- gnu.
- google.
- ibm.com
- isc.org
- isi.edu
- kernel.
- mit.edu
- mozilla.
- packetstorm
- rfc-edit
- rutgers.edu
- secur
- sendmail.
- sf.net
- slashdot.
- sourceforge
- stanford.edu
- uci.edu
- ucsd.edu
- unix
- urlon
- ymante
If the email attachment is opened, infection will occur. To mask its initial activities, the MyDoom.G worm will often launch the Notepad program, filling the Notepad window with random garbage characters.
MyDoom.G copies itself to the Windows System folder using a randomly created name and a .exe extension. MyDoom.G also creates a .dll file in the Windows System folder, also randomly named. The .dll is a backdoor component that listens on TCP ports 80 and 1080. The backdoor acts as a proxy server and is capable of downloading and executing arbitrary files.
MyDoom.G enumerates mapped drives C:\ through Z:\, dropping randomly named copies of itself in random folders. The worm also searches certain file types found on these drives, harvesting email addresses to be used in its mass-mailing.
MyDoom.G shuts down the processes associated with various antivirus and security software found running on infected systems. MyDoom.G modifies the registry to allow the worm to launch when Windows is started. Either of the following registry keys may be modified to contain the path and name of the randomly created copy of the worm:
HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Due to the random nature of the dropped filenames, detecting and removing MyDoom.G is best done with up-to-date antivirus software.
MyDoom.G appears to have been created in retaliation for the Netsky.C and Netsky.D worms which attempt to disable certain MyDoom variants.