Antivirus Software


By Mary Landesman, About.com

Jul 27 2004

Upon infection, MyDoom.O (a.k.a. MyDoom.M) drops the following files:

    zincite.log
    services.exe
    java.exe

It drops these files to the Windows directory (i.e. C:\Windows) and modifies the registry so that it loads when Windows starts:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "JavaVM"="C:\Windows\java.exe"

The services.exe file dropped to the Windows directory is a backdoor access component of MyDoom.O. The backdoor listens on port 1034 and also scans random IP addresses searching for other infected MyDoom.O systems.
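The host indicators described above (the three files in the Windows directory, the JavaVM Run value, and the listener on port 1034) can be checked against collected triage data. The following Python is an added example, not part of the original article; the function name `check_host`, the input formats (`reg query` and `netstat -an` text) and the sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
DROPPED = {"zincite.log", "services.exe", "java.exe"}
RUN_VALUE = "javavm"
BACKDOOR_PORT = 1034

def check_host(windir, file_paths, reg_query_output, netstat_output):
    """Return a sorted list of indicator hits for one host's triage data."""
    windir = PureWindowsPath(windir)  # Windows paths compare case-insensitively
    hits = []
    # Match only files sitting directly in the Windows directory: the
    # legitimate services.exe lives in System32 and must not be flagged.
    for p in map(PureWindowsPath, file_paths):
        if p.parent == windir and p.name.lower() in DROPPED:
            hits.append(f"file:{p.name.lower()}")
    # `reg query` prints one "    name    REG_SZ    data" line per value.
    for line in reg_query_output.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)", line)
        if m and m.group(1).lower() == RUN_VALUE:
            target = PureWindowsPath(m.group(2).strip().strip('"'))
            if target == windir / "java.exe":
                hits.append("run:JavaVM")
    # `netstat -an` prints "  TCP  local  remote  LISTENING" per listener.
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[-1] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(f"port:{BACKDOOR_PORT}")
    return sorted(set(hits))

# Constructed sample triage data (not from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\java.exe", r"C:\WINDOWS\zincite.log",
                r"C:\WINDOWS\system32\services.exe"]
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    JavaVM    REG_SZ    C:\\Windows\\java.exe\n")
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING\n"
                  "  TCP    0.0.0.0:1034    0.0.0.0:0    LISTENING\n")

if __name__ == "__main__":
    for hit in check_host(r"C:\Windows", SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT):
        print(hit)
```

The System32 copy of services.exe in the sample is deliberately not reported, since only the copy in the Windows directory itself matches the description.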

As is common with many email worms, MyDoom.O avoids sending itself to certain addresses and certain domains. It harvests email addresses from the Windows Address Book, from pages cached in the Temporary Internet Files folder, and from a range of file types found on fixed drives.

In addition to collecting email addresses from the local system to use to send itself, the MyDoom.O worm also searches for more addresses at any domain it finds. The worm does this by querying Altavista, Google, Lycos, and Yahoo. The increased traffic amounted to something of a denial-of-service attack on Google during the height of the worm's spread. The other search engines targeted did not appear to be affected by the increased traffic.

MyDoom.O uses its own SMTP engine to spread. Email characteristics are described on page 1 of this description.


©2009 About.com, a part of The New York Times Company.

All rights reserved.