W32/Mydoom.CI Worm
Information about the W32/Mydoom.CI Worm:
W32/Mydoom.CI is a mass-mailing email worm and a variant of W32/Mydoom. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address chosen at random from the addresses found on the infected system, so the visible sender does not identify the infected machine and must not be used to trace the source.
The subject of the infected mail will be any one of the following:
Message could not be delivered
delivery failed
report
error
Returned mail: see transcript for details
hello
Mail System Error - Returned Mail
test
Returned mail: Data format error
status
The body of the infected mail can have the following content, or minor variations of it:
Dear user of [Domain]
The message was undeliverab to have a mail system running right now.
Your message was not delivered, the message was included as attachment
The Message could not be delivered
The name of the infected attachment will be any one of the following:
readme
transcript
instruction
mail
letter
file
attachment
document
text
message
The extension of the infected attachment will be any one of the following:
exe
com
scr
cmd
bat
pif
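The lure described above (a bounce-style subject combined with an executable attachment whose name and extension come from the lists) can be checked mechanically. The following is an added example written for this page, not code from the original advisory or from the vendor; the messages it scans are constructed samples built inline, not captured worm traffic.

```python
# Added example (not part of the original advisory): triage raw RFC 822 messages
# for the W32/Mydoom.CI lure: subject from the worm's list AND an attachment whose
# base name and extension both come from the worm's lists.
import email
import os
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Message could not be delivered", "delivery failed", "report", "error",
    "Returned mail: see transcript for details", "hello",
    "Mail System Error - Returned Mail", "test",
    "Returned mail: Data format error", "status",
}
SUBJECTS_LOWER = {s.lower() for s in SUBJECTS}
ATTACHMENT_NAMES = {"readme", "transcript", "instruction", "mail", "letter",
                    "file", "attachment", "document", "text", "message"}
ATTACHMENT_EXTS = {"exe", "com", "scr", "cmd", "bat", "pif"}


def attachment_matches(filename: str) -> bool:
    """True if the attachment name is one of the worm's name/extension pairs."""
    base, ext = os.path.splitext(filename.strip().lower())
    return base in ATTACHMENT_NAMES and ext.lstrip(".") in ATTACHMENT_EXTS


def is_mydoom_ci_lure(raw: bytes) -> bool:
    """Subject must match exactly (case-insensitive) and an attachment must match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    if subject not in SUBJECTS_LOWER:
        return False
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and attachment_matches(name):
            return True
    return False


def triage(raw_messages) -> list:
    """Return the indices of messages that look like the worm's lure."""
    return [i for i, raw in enumerate(raw_messages) if is_mydoom_ci_lure(raw)]


# --- constructed sample messages (not real worm traffic) ---------------------
def build_sample(subject: str, attachment_name, sender="user@example.com") -> bytes:
    m = EmailMessage()
    m["From"] = sender            # the worm spoofs this; it is not evidence
    m["To"] = "victim@example.org"
    m["Subject"] = subject
    m.set_content("The Message could not be delivered")
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SAMPLES = [
    build_sample("Returned mail: see transcript for details", "transcript.scr"),
    build_sample("status", "report.pdf"),       # name/extension not in the lists
    build_sample("hello", None),                # no attachment at all
    build_sample("delivery failed", "DOCUMENT.PIF"),   # matching is case-insensitive
]

if __name__ == "__main__":
    print("flagged message indices:", triage(SAMPLES))   # [0, 3]
```

The check deliberately requires both indicators; a bounce subject alone is common legitimate traffic, while the name/extension pairs alone are what a gateway filter would block regardless of subject.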
Upon execution, the worm copies itself as java.exe into the Windows installation folder. The backdoor component of the worm drops services.exe into the Windows folder; note that the legitimate services.exe resides in the System32 subfolder, so a services.exe directly in the Windows folder is a sign of infection.
It alters the Windows registry at the following location to load itself at the next startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
To propagate, the worm scans files with the following extensions and collects all email addresses found on the infected system:
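The file names and the Run key above give an analyst a concrete persistence check. The following is an added example for this page, not code from the advisory or the vendor: it parses a Run-key export in the text format produced by `reg export` and flags entries that match the dropped files. The export text is a constructed sample, and the list of Windows folder paths (C:\WINDOWS, C:\WINNT) is an assumption about default install locations.

```python
# Added example (not part of the original advisory): flag Run-key values whose
# image is java.exe in the Windows folder or services.exe outside System32.
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption: default Windows installation folders; extend for non-default installs.
WINDOWS_DIRS = {r"c:\windows", r"c:\winnt"}

# Constructed sample in "reg export" text format (not from an infected machine).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"java"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> dict:
    """Return {value_name: unescaped data} for REG_SZ values under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and quotes inside string data
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def image_path(command: str) -> str:
    """Strip quotes and arguments: '"C:\\x\\y.exe" /q' -> 'C:\\x\\y.exe'.
    Unquoted paths containing spaces are truncated at the first space (limitation)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def is_suspicious(path: str) -> bool:
    directory, name = ntpath.split(path.lower())
    if name == "java.exe" and directory in WINDOWS_DIRS:
        return True   # worm copies itself as java.exe into the Windows folder
    if name == "services.exe" and not directory.endswith(r"\system32"):
        return True   # the genuine services.exe lives only in System32
    return False


def suspicious_run_entries(reg_text: str) -> list:
    """Names of Run-key values whose image path matches the worm's drop locations."""
    return [name for name, data in parse_run_values(reg_text).items()
            if is_suspicious(image_path(data))]


if __name__ == "__main__":
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_REG_EXPORT))
```

On a live system the same logic applies to the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (note that `reg export` writes UTF-16 with a BOM, so decode accordingly before parsing). The value names are not a reliable indicator; the file location is.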
txt
htm
doc
html
wab
dbx
The worm queries the domain names of the collected email addresses in the following search engines:
http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com
The worm mails itself to the collected email addresses using its own SMTP engine, so it does not depend on any mail client installed on the infected system. While propagating, the worm skips email addresses containing any of the following strings:
your
you
yahoo
winzip
winrar
uslis
update
trend
the.bat
syma
support
submit
spersk
spam
sourceforge
sophos
someone
soft
site
sf.net
secur
seclist
sarc.
sample
ripe.
rating
rarsoft
privacy
panda
page
ntivi
nothing
not
noone
nobody
msn.
msdn.
microsoft
master
listserv
info
hotmail
help
google
gold-certs
gnu.
gmail
foo.com
feste
example
domain
certific
bugs
bar.
avp
arin.
anyone
admin
accoun
abuse
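The harvesting and exclusion steps above determine which addresses actually receive the worm. The following is an added example for this page, not code from the advisory or the vendor: it harvests addresses from constructed file contents and applies the exclusion list as a case-insensitive substring match over the whole address (an assumption about how the worm compares the strings). The offline search-engine lookup is not reproduced.

```python
# Added example (not part of the original advisory): reproduce the target
# selection so an analyst can see which harvested addresses the worm would skip.
import re

EXCLUDED_SUBSTRINGS = (
    "your", "you", "yahoo", "winzip", "winrar", "uslis", "update", "trend",
    "the.bat", "syma", "support", "submit", "spersk", "spam", "sourceforge",
    "sophos", "someone", "soft", "site", "sf.net", "secur", "seclist", "sarc.",
    "sample", "ripe.", "rating", "rarsoft", "privacy", "panda", "page", "ntivi",
    "nothing", "not", "noone", "nobody", "msn.", "msdn.", "microsoft", "master",
    "listserv", "info", "hotmail", "help", "google", "gold-certs", "gnu.",
    "gmail", "foo.com", "feste", "example", "domain", "certific", "bugs", "bar.",
    "avp", "arin.", "anyone", "admin", "accoun", "abuse",
)

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(text: str) -> set:
    """Collect every address-looking token from a file's contents (lower-cased)."""
    return {m.group(0).lower() for m in ADDRESS_RE.finditer(text)}


def is_excluded(address: str) -> bool:
    """Assumption: plain case-insensitive substring match anywhere in the address."""
    a = address.lower()
    return any(s in a for s in EXCLUDED_SUBSTRINGS)


def targets(text: str) -> list:
    """Addresses the worm would actually mail itself to, from the given contents."""
    return sorted(a for a in harvest(text) if not is_excluded(a))


# Constructed sample contents of a .txt and an .htm file (not real data).
SAMPLE_FILES_TEXT = """
Contacts: alice@example.com, bob@contoso.org, support@contoso.org
<a href="mailto:carol.notary@contoso.org">Carol</a>
<a href="mailto:webmaster@contoso.org">Webmaster</a>
dave@yahoo.com erin@contoso.org admin@contoso.org
"""

if __name__ == "__main__":
    for addr in sorted(harvest(SAMPLE_FILES_TEXT)):
        print(f"{addr:30} {'skipped' if is_excluded(addr) else 'TARGET'}")
```

Because the match is a bare substring test, entries like "not" and "you" also suppress unrelated addresses (carol.notary@contoso.org is skipped above), which is why vendor, security and abuse mailboxes rarely see copies of the worm while ordinary user mailboxes do.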
This worm first appeared on September 26, 2005.
Other names of W32/Mydoom.CI Worm:
This Worm is also known as W32.Mydoom.CI@mm.