Alias: W32/Mydoom.H@mm (F-Secure)
Category: Win32
Type: Worm
Published Date: 3/3/2004
Last Modified: 3/3/2004

CHARACTERISTICS
Win32/MyDoom.H.Worm is a worm that spreads via e-mail and by infecting files. The worm has been distributed as a 32,768-byte, UPX-packed Win32 executable.
Method of Installation

When executed, the worm drops a copy of itself into the %System% directory under a randomly generated filename and adds a registry value so that it runs again at the next system restart, for example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ahgxseio = "%System%\Kmkics.exe"

The worm also drops a DLL file into the %System% directory. The DLL's name is random and its length varies. This DLL is the worm's backdoor component; it registers itself by modifying the following registry entries (the DLL name varies, and the names shown are only examples):

HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(Default) = "%System%\Inhw.dll"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default) = "%System%\Inhw.dll"
HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(Default) = "%System%\Lqq.dll"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default) = "%System%\Lqq.dll"
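A triage script that reads a regedit export and flags the two installation patterns described above: a Run value launching an executable straight out of the System directory, and one of the two listed CLSIDs whose InprocServer32 default points at an unexpected DLL. This is an added example, not CA's code; the .reg text is constructed for the demo (Kmkics.exe and Inhw.dll are the advisory's own example names), and the known-good DLL allowlist is supplied by the caller.

```python
import re
from pathlib import PureWindowsPath

# CLSIDs named in the advisory whose InprocServer32 default the worm's DLL takes over.
HIJACKED_CLSIDS = {"{35CEC8A3-2BE6-11D2-8773-92E220524153}",
                   "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
RUN_KEY = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
_SECTION = re.compile(r"^\[(.+)\]\s*$")
_STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')

# Constructed .reg export for the demo; file names follow the advisory's examples.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ahgxseio"="C:\\WINDOWS\\System32\\Kmkics.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
@="C:\\WINDOWS\\System32\\Inhw.dll"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\System32\\Inhw.dll"
"""

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Map each key (upper-cased) to its REG_SZ values; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := _SECTION.match(line):
            current = m.group(1).upper()
            keys.setdefault(current, {})
        elif current is not None and (m := _STRING_VALUE.match(line)):
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2))
    return keys

def find_indicators(text, known_good_dlls=frozenset()):
    """Return (kind, name, path) tuples matching the advisory's installation pattern."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(RUN_KEY):
            for name, path in values.items():
                # Run entry launching an .exe straight out of the System directory.
                if path.lower().endswith(".exe") and PureWindowsPath(path).parent.name.lower() in ("system32", "system"):
                    findings.append(("run-key", name, path))
        elif key.endswith("\\INPROCSERVER32"):
            clsid, dll = key.split("\\")[-2], values.get("@", "")
            # One of the hijacked CLSIDs now served by a DLL not on the caller's allowlist.
            if clsid in HIJACKED_CLSIDS and PureWindowsPath(dll).name.lower() not in known_good_dlls:
                findings.append(("clsid-hijack", clsid, dll))
    return findings
```

Export the live keys with `reg export` and feed the file to `find_indicators`; every hit should be confirmed against the DLL on disk before cleanup.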

More: http://www3.ca.com/virusinfo/virus.aspx?ID=38481