FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Win32.HLLM.MyDoom.1432

Added to the Dr.Web virus database: 2013-12-13

Virus description added: 2013-12-20

Technical Information

Malicious functions:

Creates and executes the following:

'%APPDATA%\GOBSV\DVRYG.exe' %APPDATA%\GOBSV\XVICR
'%APPDATA%\GOBSV\DVRYG.exe' %APPDATA%\GOBSV\KLFES

Executes the following:

'%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe'
'<SYSTEM32>\wscript.exe' "%APPDATA%\GOBSV\35XD.vbe"

Injects code into

the following system processes:

%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Modifies file system :

Creates the following files:

%APPDATA%\GOBSV\XVICR
%APPDATA%\GOBSV\DVRYG.exe
%TEMP%\2EF67.dmp
%TEMP%\dw.log
%APPDATA%\GOBSV\35XD.vbe
%APPDATA%\GOBSV\QITSQ
%APPDATA%\GOBSV\UBSRF
%APPDATA%\GOBSV\KLFES
%APPDATA%\GOBSV\YMQGIX

Sets the 'hidden' attribute to the following files:

%APPDATA%\GOBSV\KLFES

Deletes the following files:

%APPDATA%\GOBSV\DVRYG.exe

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'EDIT' WindowName: '(null)'