Alias: W32/Mydoom.H@mm (F-Secure)
Category: Win32
Type: Worm
Published Date: 3/3/2004
Last Modified: 3/3/2004
CHARACTERISTICS
Win32/MyDoom.H.Worm is a worm that spreads via e-mail and by infecting files. The worm has been distributed as a 32,768-byte, UPX-packed Win32 executable.
Method of Installation
When executed, it drops a copy of itself in the %System% directory under a randomly generated filename and modifies the registry so that the copy runs at the next system restart, for example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ahgxseio = "%System%\Kmkics.exe"
The worm also drops a DLL file into the %System% directory. This DLL file has a random name and a variable length. It is the backdoor component of the worm, and it registers itself by modifying the following registry entries (the DLL name varies; the names shown are only examples):
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(Default) = "%System%\Inhw.dll"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default) = "%System%\Inhw.dll"
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(Default) = "%System%\Lqq.dll"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default) = "%System%\Lqq.dll"
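A triage check for the persistence described above, as an added example that is not from the original advisory: it parses saved `reg query` output and flags the two listed CLSIDs when their InprocServer32 default no longer names the expected DLL, plus Run values that launch an .exe directly from the system directory. The expected DLL names (stobject.dll, webcheck.dll), the C:\WINDOWS paths and the sample output are assumptions constructed for illustration.

```python
import ntpath
import re

# CLSIDs the advisory lists as re-pointed at the worm's backdoor DLL.
WATCHED_CLSIDS = {"{35CEC8A3-2BE6-11D2-8773-92E220524153}",
                  "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
# Assumption (not from the advisory): DLLs these CLSIDs name on a clean system.
EXPECTED_DLLS = {"stobject.dll", "webcheck.dll"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Constructed sample of saved `reg query` output; file names are the advisory's examples.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ahgxseio    REG_SZ    C:\WINDOWS\System32\Kmkics.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /q
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\System32\Inhw.dll
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\webcheck.dll
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def find_suspect_entries(text):
    """Return (finding, registry location, data) for entries matching the advisory."""
    findings = []
    for key, name, data in parse_reg_query(text):
        upper = key.upper()
        # Take the quoted executable path if the command line is quoted.
        path = data.split('"')[1] if data.startswith('"') else data
        base = ntpath.basename(path).lower()
        if upper.endswith("\\INPROCSERVER32") and name in ("(Default)", "<NO NAME>"):
            if upper.split("\\")[-2] in WATCHED_CLSIDS and base not in EXPECTED_DLLS:
                findings.append(("clsid-hijack", key, data))
        elif upper.endswith("\\CURRENTVERSION\\RUN"):
            # An .exe directly in the system directory: queue for manual review.
            folder = ntpath.basename(ntpath.dirname(path)).lower()
            if folder in ("system32", "system") and base.endswith(".exe"):
                findings.append(("run-key-review", key + "\\" + name, data))
    return findings

if __name__ == "__main__": print(find_suspect_entries(SAMPLE))
```

The Run-key rule is a review heuristic, since legitimate programs also start from the system directory; the CLSID rule is the more specific signal.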
More: http://www3.ca.com/virusinfo/virus.aspx?ID=38481
Aliases
I-Worm.Mydoom.g, W32.Mydoom.G@mm
Type
Win32 worm
Description
A detailed analysis of W32/MyDoom-H will be published here shortly. Please check again later.
Hidden inside the W32/MyDoom-H worm's code is the following text, which is never displayed:
to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your ****** app.
http://www.sophos.com/virusinfo/analyses/w32mydoomh.html
