MyDoom arrives via e-mail and has a randomized senders address and subject line. The body of the message varies, but purports to be an error message, such as: "The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment."
The file attachment is often in a ZIP archive format and can have any one of a number of file extensions, including .exe, .pif and .scr. The icon for the attachment looks like the one used for text messages in Windows.
Once the user runs the attached file, the worm copies itself to the machine in the following manner:
- c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
One IT manager said he was now blocking all ZIP attachements to limit the spread of MyDoom.
MyDoom also copies itself to the registry in Windows so that it executes at startup, according to a preliminary analysis by Network Associates Inc.s McAfee Security unit. The worm also opens Port 3127 and begins listening for instructions from a remote host.
Much of the data in the worms code is encrypted, anti-virus experts said, making analysis of the worm much more difficult. Some users reported receiving as many as 100 copies of the worm in a 30-minute span on Monday afternoon.