Showing results for 
Search instead for 
Did you mean: 

W32/Mydoom.F Spreading Moderately; Payload, Details of


W32/Mydoom.F Spreading Moderately; Payload, Details of

W32/Mydoom.F Spreading Moderately; Payload, Not Infection Rate Causing Concern

MessageLabs, the leading provider of managed email security services to businesses, has intercepted a total of 271,240 copies of W32.Mydoom.F since the virus emerged on February 19th, 2004. Since its release, the virus appears to have peaked in number on Tuesday, with 115,772 copies intercepted by MessageLabs.

Name: W32/Mydoom.F-mm
Number of copies intercepted so far: 271, 240
Time & date first captured: Feb 19, 2004; 18:15 GMT
Origin of first intercepted copy: UK


Mydoom.F is a mass-mailing worm similar in makeup to previous Mydoom variants.

Designed to perform a distributed Denial-of-Service attack on the same as earlier Mydooms, this variant also includes instructions to launch a DDoS against the Recording Industry Association of America’s web site at

The worm also tries to delete several file types from infected hard drives, including pictures, movies and MS Office documents and can harvest e-mail addresses from files. Files with the following extensions will be searched for and when found the virus will attempt to extract e-mail address contained within them:

· .txt
· .htm
· .sht
· .php
· .asp
· .dbx
· .tbb
· .adb
· .eml
· .pl
· .msg
· .vbs
· .mht
· .oft
· .uin
· .rtf
· .ods
· .mmf
· .nch
· .mbx
· .wab
· .mdb

After harvesting the email addresses, the worm will then index extensions for six file types and randomly delete files with those extensions with varying success rates:

· .doc
· .xls
· .sav
· .jpg
· .avi
· .bmp

This variant, as the previous ones, drops a backdoor listening in port 1080.

Email Characteristics

From: Random, spoofed email address
Subject: Random
Text: Various
Size: 34,568 bytes