MyDoom E-Mail Worm Spreading Quickly

UPDATED: A Windows worm known as MyDoom began spreading Monday at a furious rate on the Internet. And it's continued at such a pace that anti-virus companies are calling it the fastest-moving virus they've ever

A fast-moving Windows worm known as MyDoom on Monday began spreading at a furious rate on the Internet.

MyDoom arrives via e-mail and has a randomized senders address and subject line. The body of the message varies, but purports to be an error message, such as: "The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment."

/zimages/1/28571.gifFor tips from PC Magazine on blocking and removing MyDoom, click here.

The file attachment is often in a ZIP archive format and can have any one of a number of file extensions, including .exe, .pif and .scr. The icon for the attachment looks like the one used for text messages in Windows.

Once the user runs the attached file, the worm copies itself to the machine in the following manner:

  • c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
  • c:\WINDOWS\Desktop\Document.scr
  • c:\WINDOWS\SYSTEM\taskmon.exe

One IT manager said he was now blocking all ZIP attachements to limit the spread of MyDoom.

MyDoom also copies itself to the registry in Windows so that it executes at startup, according to a preliminary analysis by Network Associates Inc.s McAfee Security unit. The worm also opens Port 3127 and begins listening for instructions from a remote host.

Much of the data in the worms code is encrypted, anti-virus experts said, making analysis of the worm much more difficult. Some users reported receiving as many as 100 copies of the worm in a 30-minute span on Monday afternoon.

Next page: MyDoom infecting one of 12 e-mails.