Win32:Mydoom-M

Win32:Mydoom-M is another mass-mailing worm. It spreads by sending infected e-mails and fakes the sender address of the infected mail. It also drops a trojan horse on the infected computer.

Win32:Mydoom-M cannot execute automatically; a user has to run it manually in order to get infected. The worm tries to persuade the user to run it with an English message in the mail body. The message either says that returned undeliverable mail is in the attachment, or says that the technical support of the domain has spotted the user's computer sending lots of infected mails and that repair instructions are in the attachment.

Being executed, the worm installs a few executable files on the computer:
%windir%\java.exe (a copy of itself)
%windir%\services.exe (a trojan horse)

Both files are automatically executed at Windows start by the registry values "JavaVM" and "Services" in the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
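A defender's check for the persistence described above, as an added example that is not part of the original page. It evaluates the values of the HKCU Run key against the two value names and the two dropped file paths given above; the function that reads the registry only works on Windows, while the evaluation function takes a plain dict so it can be exercised on exported or constructed data. The sample entries in the usage call are constructed.

```python
import os
import platform

# %windir% is expanded from the environment; the fallback is a placeholder for
# non-Windows hosts where the variable does not exist.
WINDIR = os.environ.get("windir", r"C:\Windows").rstrip("\\")

# The two Run value names and the files they point at, as described on the page.
DROPPED_FILES = {
    "JavaVM": WINDIR + "\\java.exe",       # copy of the worm
    "Services": WINDIR + "\\services.exe",  # dropped trojan horse
}


def suspicious_run_entries(run_values):
    """Return (name, data) pairs from a Run key that match the worm's persistence.

    run_values maps value name -> command data, as found under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    A hit is either one of the known value names or command data pointing at
    one of the dropped paths. Note that a legitimate services.exe lives in
    %windir%\\System32, not directly in %windir%.
    """
    dropped_lower = {p.lower() for p in DROPPED_FILES.values()}
    hits = []
    for name, data in run_values.items():
        cmd = data.strip().strip('"').lower()
        if name in DROPPED_FILES or cmd in dropped_lower:
            hits.append((name, data))
    return hits


def dropped_files_present():
    """Return the dropped file paths that actually exist on this host."""
    return [p for p in DROPPED_FILES.values() if os.path.isfile(p)]


def read_hkcu_run():
    """Read the HKCU Run key into a dict. Returns {} on non-Windows hosts."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only importable on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    # Live check on Windows; on other hosts fall back to constructed sample data.
    live = read_hkcu_run()
    sample = live or {
        "JavaVM": WINDIR + "\\java.exe",
        "Services": '"' + WINDIR.lower() + "\\services.exe\"",
        "Harmless": r"C:\Program Files\App\app.exe",
    }
    for name, data in suspicious_run_entries(sample):
        print(f"suspicious Run value {name!r} -> {data}")
    for path in dropped_files_present():
        print(f"dropped file present: {path}")
```

Matching on the command data as well as the value name catches the case where only the file names survive under a renamed value; matching on both is cheap and the paths are specific enough not to produce noise.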

The worm sends itself to addresses found in files with the extensions "doc", "htm", "html" and "txt" and in address books. The From field holds a faked address. The Subject field contains one of the following texts:

delivery failed
Delivery reports about your e-mail
error
hello
hi
Mail System Error - Returned Mail
MESSAGE COULD NOT BE DELIVERED
report
Returned mail: Data format error
Returned mail: see transcript for details
status
test
The Subject field may also be empty or hold a short string of random letters.

The attachment can have one of the extensions "bat", "cmd", "com", "exe", "pif", "scr" or "zip". The "zip" files are stored without compression.

The worm sometimes sends a ZIP file containing a single short file full of garbage.
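The mail characteristics above (subject list, empty or random-letter subjects, attachment extensions, and uncompressed ZIP attachments) turned into a triage function, as an added example that is not part of the original page. It parses a raw message with the standard `email` module, collects the reasons a message matches, and inspects ZIP attachments to see whether every member is stored uncompressed. The sample message built by `build_sample()` is constructed, including its spoofed sender.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the page.
SUBJECTS = {
    "delivery failed", "Delivery reports about your e-mail", "error", "hello",
    "hi", "Mail System Error - Returned Mail", "MESSAGE COULD NOT BE DELIVERED",
    "report", "Returned mail: Data format error",
    "Returned mail: see transcript for details", "status", "test",
}
SUBJECTS_LOWER = {s.lower() for s in SUBJECTS}
ATTACH_EXT = {"bat", "cmd", "com", "exe", "pif", "scr", "zip"}
# "short string of random letters": a weak indicator on its own, so it is only
# reported as one reason among several.
RANDOM_SUBJECT = re.compile(r"^[A-Za-z]{1,8}$")


def subject_reason(subject):
    """Return why a subject looks like the worm's, or None."""
    s = (subject or "").strip()
    if not s:
        return "empty subject"
    if s.lower() in SUBJECTS_LOWER:
        return "known worm subject"
    if RANDOM_SUBJECT.match(s):
        return "short random-letter subject"
    return None


def zip_all_stored(data):
    """True if the ZIP parses and every member uses no compression (ZIP_STORED)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return bool(infos) and all(i.compress_type == zipfile.ZIP_STORED for i in infos)
    except zipfile.BadZipFile:
        return False


def triage_message(raw):
    """Return the list of matched indicators for a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    reason = subject_reason(msg["Subject"])
    if reason:
        reasons.append(reason)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ATTACH_EXT:
            reasons.append(f"attachment extension .{ext}")
            if ext == "zip" and zip_all_stored(part.get_payload(decode=True)):
                reasons.append("zip attachment with uncompressed (stored) members")
    return reasons


def build_sample():
    """Constructed message imitating the described bounce lure (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("transcript.txt", b"\x00\xff" * 32)  # short garbage member
    m = EmailMessage()
    m["From"] = "postmaster@example.com"  # spoofed sender, constructed
    m["To"] = "user@example.org"
    m["Subject"] = "Returned mail: see transcript for details"
    m.set_content("The original message was not delivered. See the attachment.")
    m.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                     filename="transcript.zip")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message that should not match."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Subject"] = "Q3 numbers attached"
    m.set_content("Hi Bob, the figures are attached.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="q3.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        print(triage_message(raw) or ["no indicators"])
```

The subject list is matched case-insensitively because the page shows the same phrases in mixed case; the uncompressed-ZIP check is a useful second signal since a mail gateway that only keys on extensions would let the "zip" variant through.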

avast! with a VPS file dated on or after 26th July 2004 is able to detect this worm.
