Size: 27136 bytes (packed with UPX)
Aliases: I-Worm.Mydoom.q (KAV), W32.Mydoom.Q@mm (NAV)
Presence of "winpsd.exe" in the %system% folder (e.g. C:\Windows\System32) and in the process list, and presence of the string "winpsd" in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Presence of "rasor38a.dll" in the %windir% folder (e.g. C:\Windows); this file is a copy of the worm.
IMPORTANT! The tool must be run in Safe Mode in order to detect and clean one or more stealth components of MyDoom worm.
Manual removal:
1. Open Task Manager (CTRL+ALT+DEL) and select End Process on winpsd.exe.
2. Delete %system%\winpsd.exe and %windows%\rasor38a.dll.
3. Open Registry Editor (regedit) and remove this key:
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winpsd
Automatic removal: let BitDefender disinfect infected files
Ciubotariu Mircea, BitDefender Antivirus Researcher
spreads via email as an attachment named "photos_arc.exe"; the subject of the email is "Photos", the body is "LOL!;))))" and the sender address is spoofed
avoids sending itself to email addresses containing certain sub-strings
downloads a file from the following addresses, saves it as "winvpn32.exe" and executes it:
the downloaded file is Backdoor.Surila, a component with stealth capabilities that hides it from the process list and on the hard drive
when the download of the backdoor component succeeds, the following registry value is added as a marker: "HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX" set to "1"
checks the mutex "43jfds93872" in order to avoid reinfection
copies itself to "%system%\winpsd.exe" and "%windows%\rasor38a.dll"
adds to the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" the string "winpsd", which points to "%system%\winpsd.exe"
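The host and mail indicators listed above can be turned into a simple check. The script below is an added example, not BitDefender's removal tool: it evaluates a constructed host snapshot and a constructed mail message (plain dicts whose layout is an assumption) rather than reading a live system, so it runs anywhere. It also encodes the point of the Safe Mode warning: because the Backdoor.Surila component hides winpsd.exe from the process list, a start-up entry with no visible process is treated as a hit rather than as a clean result.

```python
"""Indicator checks for the MyDoom.Q artefacts described above.

Added example (not BitDefender's tool). Works on constructed snapshots,
not on a live machine; the snapshot/message layout is an assumption.
"""
from __future__ import annotations

import ntpath

# Host-side indicators taken from the description.
WORM_FILES = {"%system%": "winpsd.exe", "%windir%": "rasor38a.dll"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"
MARKER_KEY = r"HKCU\SOFTWARE\Microsoft\Internet Explorer"
MARKER_VALUE = "InstaledFlashhMX"   # spelling exactly as in the description
BACKDOOR_NAME = "winvpn32.exe"      # download location is not given, match by name

# Mail-side indicators (subject, attachment name, body).
LURE_SUBJECT = "photos"
LURE_ATTACHMENT = "photos_arc.exe"
LURE_BODY = "LOL!;))))"


def check_host(snapshot: dict) -> list[str]:
    """Return the MyDoom.Q indicators present in a host snapshot.

    Assumed snapshot layout:
      env       -> {"system": "...", "windir": "..."}
      files     -> list of full paths found on disk
      processes -> list of image names from the process list
      registry  -> {key_path: {value_name: data}}
    Windows names are case-insensitive, so everything is lower-cased.
    """
    findings: list[str] = []
    env = snapshot["env"]
    files = {p.lower() for p in snapshot["files"]}
    procs = {p.lower() for p in snapshot["processes"]}
    reg = {k.lower(): {v.lower(): d for v, d in vals.items()}
           for k, vals in snapshot["registry"].items()}

    # Dropped copies of the worm in %system% and %windir%.
    for var, name in WORM_FILES.items():
        path = ntpath.join(env[var.strip("%")], name).lower()
        if path in files:
            findings.append(f"worm file present: {path}")

    # Downloaded backdoor component, matched by file name only.
    if any(ntpath.basename(p) == BACKDOOR_NAME for p in files):
        findings.append(f"backdoor component present: {BACKDOOR_NAME}")

    # Process list and start-up persistence.
    if "winpsd.exe" in procs:
        findings.append("winpsd.exe visible in process list")
    run_data = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE)
    if run_data is not None:
        findings.append(f"start-up value {RUN_VALUE!r} -> {run_data}")
        if "winpsd.exe" not in procs:
            # The stealth component hides the process; a persistence entry
            # without a matching process is still an infection indicator.
            findings.append("winpsd.exe persisted but hidden from process list; "
                            "stealth component likely active, rescan in Safe Mode")

    # Marker written after a successful backdoor download.
    marker = reg.get(MARKER_KEY.lower(), {}).get(MARKER_VALUE.lower())
    if marker == "1":
        findings.append(f"download marker {MARKER_VALUE} = 1")
    return findings


def is_lure(message: dict) -> bool:
    """True when a message matches the worm's lure.

    The attachment name is required; subject or body must also match, so a
    forwarded attachment with a rewritten subject and body is not flagged.
    """
    subject_hit = message.get("subject", "").strip().lower() == LURE_SUBJECT
    body_hit = message.get("body", "").strip() == LURE_BODY
    attach_hit = any(a.lower() == LURE_ATTACHMENT
                     for a in message.get("attachments", []))
    return attach_hit and (subject_hit or body_hit)


# Constructed sample data (not captured from a real machine).
INFECTED_HOST = {
    "env": {"system": r"C:\Windows\System32", "windir": r"C:\Windows"},
    "files": [r"C:\Windows\System32\winpsd.exe", r"C:\Windows\rasor38a.dll",
              r"C:\Windows\System32\winvpn32.exe", r"C:\Windows\notepad.exe"],
    "processes": ["explorer.exe", "svchost.exe"],  # winpsd.exe hidden
    "registry": {
        RUN_KEY: {"winpsd": r"C:\Windows\System32\winpsd.exe"},
        MARKER_KEY: {"InstaledFlashhMX": "1"},
    },
}
CLEAN_HOST = {
    "env": {"system": r"C:\Windows\System32", "windir": r"C:\Windows"},
    "files": [r"C:\Windows\notepad.exe"],
    "processes": ["explorer.exe", "svchost.exe"],
    "registry": {RUN_KEY: {"ctfmon": r"C:\Windows\System32\ctfmon.exe"}},
}

if __name__ == "__main__":
    for line in check_host(INFECTED_HOST):
        print("-", line)
    print("clean host findings:", check_host(CLEAN_HOST))
```

On the constructed infected snapshot the check reports both dropped files, the backdoor file, the Run value, the hidden-process note and the marker; the clean snapshot yields nothing. On a real host the same logic would be fed from a directory listing, the process list and an export of the two registry keys, taken in Safe Mode as the description requires.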