International English version Traditional Chinese version
Domain Registration with Web HostingWeb site Hosting with Various supportRegistrar Transfer with Web Hosting
Released: January 29, 2004

Description of the W32.Mydoom.B@mm worm

W32.Mydoom.B@mm is a new variant of the W32.Mydoom@mm worm. This new worm also spreads itself through email and the Kazaa network. It spoofs its' sender email address and contains a random named attachment with file extensions including .zip, .bat, .scr, .bat, .exe, .cmd, .pif. For detail description of format of the email attachment, please refer to table below.

From Spoofed email addresses or even your own address
Subject Random (may contained the following subjects) like: Returned mail / Delivery Error / Status / Server Report / Mail Transaction Failed / Mail Delivery System / hello / hi
Body May contain the following message:

sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message contains MIME-encoded graphics and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment File with the following extensions:
.zip, .bat, .scr, .bat, .exe, .cmd, .pif

Once the attachment is extracted and run by the recipient, the worm will copy itself to the Windows system folder as "explorer.exe" and creates a startup key in the system registry:

"Explorer" = %sysdir%\explorer.exe


"Explorer" = %sysdir%\explorer.exe

The worm may also displays the following error dialog box:

or opens the Window's Notepad with nonsense characters. The worm creates remote access capabilities by listening TCP to port 80, 1080, 3128, 8080 or 10080. The worm also launches DDoS-attack against both and The attack will end only after March 1, 2004. Thereafter, it stops performing most of its routines, except for its backdoor functionalities.

Known aliases

Please note that the W32.Mydoom@mm worm is also known by other names. Including Mydoom.B, W32/Mydoom.b@MM, WORM_MYDOOM.B, Win32.Mydoom.B, I-Worm.Mydoom.b, and W32/MyDoom-B.

Payload of the email worm

The worm sends itself to e-mail addresses collected from local files with the following extensions: wab, adb, dbx, php, tbb, asp, sht, htm, and txt. It performs DDoS_attack specifically to and, the Kazaa (peer-to-peer file sharing application) propagation. And it sequentially open ports 80, 1080, 3128 or 10080 and listen for incoming back-door connections. If anti-virus gateway is configured to send notification messages to the sender address, the spoofed email address is spammed. The worm then overwrites the HOSTS file to prevent the infected machine from accessing the following sites (including some well-known anti-virus Web sites):,,,,,,, and

Look for cure

New virus definition is available from the following anti-virus vendors to detect and remove this virus. Please click on the names of the following anti-virus companies to go to their respective Web sites.

Computer Associates | F-secure | McAfee | Symantec

Note: Please follow the instruction of your Anti-virus vendor to remove the virus and repair your system.

Avoid the notification storm

Avoid the notification email storm caused by anti-virus gateway. To avoid the email storm caused by anti-virus gateway generating huge amount of notification messages, you might want to disable the notification message to sender temporarily. This could be resumed when the peak of the worm attack is well past.

More information

Computer Associates | F-Secure | McAfee | Network Box | Norman | Sophos | Symantec | Trend Micro

multiple names | IDNs or multilinguals 

Home | Support | Check | Host | Transfer | Whois | More Technology Services

© 1996-2008 Wyith Ltd dba All rights reserved.

Canada | USA | UK | Belgium | Italy | Hongkong | Singapore