
Win32.MyDoom.S@mm

Damage: MEDIUM
Spread: MEDIUM
Size: 27136 bytes (packed with UPX)
Aliases: I-Worm.Mydoom.q (KAV), W32.Mydoom.Q@mm (NAV)

Symptoms

Presence of "winpsd.exe" in the %system% folder (e.g. C:\Windows\System32) and in the process list, and presence of a start-up value named "winpsd" under the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

Presence of "rasor38a.dll" in the %windir% folder (e.g. C:\Windows); this file is a copy of the worm.

Removal instructions:

IMPORTANT! The removal tool must be run in Safe Mode in order to detect and clean one or more stealth components of the MyDoom worm.

Manual removal:
  • open Task Manager by pressing CTRL+ALT+DEL, select winpsd.exe and click End Process
  • delete %system%\winpsd.exe and %windir%\rasor38a.dll
  • open Registry Editor (Start > Run, type regedit) and remove the value "winpsd" from the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Automatic removal: let BitDefender disinfect infected files
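The symptoms and manual removal steps above can be checked from an elevated PowerShell prompt. The script below is an added example, not Bitdefender's removal tool; the function name Test-MyDoomS, its -Remove switch and the assumption that the mutex is session-local (not under the Global\ namespace) are this example's own. Because the Surila component hides its files and processes while it is active, a clean result in normal mode is not proof of absence: repeat the check in Safe Mode before trusting it.

```powershell
# Added example (not Bitdefender's tool): triage for the Win32.MyDoom.S@mm
# indicators listed in the write-up. Run from an elevated prompt; rerun in
# Safe Mode, since the Surila stealth component hides files and processes.
function Test-MyDoomS {
    [CmdletBinding()]
    param(
        # Remove what is found (process, files, Run value) instead of only reporting.
        [switch]$Remove
    )

    $system  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
    $windows = [Environment]::GetFolderPath('Windows')  # e.g. C:\Windows
    $runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $markKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer'

    $findings = @()

    # 1. Running worm process.
    $proc = Get-Process -Name 'winpsd' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "process winpsd.exe running (PID $($proc.Id -join ','))"
        if ($Remove) { $proc | Stop-Process -Force }
    }

    # 2. Dropped copies of the worm.
    foreach ($path in @("$system\winpsd.exe", "$windows\rasor38a.dll")) {
        if (Test-Path -LiteralPath $path) {
            $findings += "file present: $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # 3. Persistence: the "winpsd" value under the HKLM Run key.
    $run = Get-ItemProperty -Path $runKey -Name 'winpsd' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "Run value winpsd -> $($run.winpsd)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'winpsd' }
    }

    # 4. Marker written once the Backdoor.Surila download succeeded (value name
    #    copied exactly as the write-up spells it). If it is present, the stealth
    #    component is expected on the machine and Safe Mode cleanup is required.
    $mark = Get-ItemProperty -Path $markKey -Name 'InstaledFlashhMX' -ErrorAction SilentlyContinue
    if ($mark -and $mark.InstaledFlashhMX -eq 1) {
        $findings += 'Surila download marker InstaledFlashhMX = 1 (backdoor expected; clean in Safe Mode)'
    }

    # 5. Reinfection mutex: it exists only while a worm instance is alive, even one
    #    whose process a stealth component hides from Get-Process.
    #    Assumption: the name is session-local; prepend 'Global\' if it is not.
    $mutex = $null
    if ([System.Threading.Mutex]::TryOpenExisting('43jfds93872', [ref]$mutex)) {
        $findings += 'mutex 43jfds93872 is held: a worm instance is running'
        $mutex.Dispose()
    }

    if ($findings.Count -eq 0) { 'no MyDoom.S indicators found (recheck in Safe Mode)' }
    else { $findings }
}

Test-MyDoomS            # report only
# Test-MyDoomS -Remove  # report and clean
```

The mutex check is the one indicator a user-mode rootkit cannot easily hide, because opening the mutex by name goes through the kernel object manager rather than through the process or file enumeration APIs the stealth component hooks; a held mutex with no visible winpsd.exe process is itself a sign that the Surila component is active.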

Analyzed By

Ciubotariu Mircea BitDefender Antivirus Researcher

Technical Description:

  • spreads via e-mail as an attachment named "photos_arc.exe"; the subject of the message is "Photos", the body is "LOL!;))))" and the sender address is spoofed

  • it avoids sending itself to e-mail addresses that contain certain sub-strings

  • downloads a file from the following addresses, saves it as "winvpn32.exe" and executes it:
    http://www.xxxxxxxxxx.com/ispy.1.jpg
    http://www.xxxxxxxxxx.com/coco3.jpg
    http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
    http://xxxxxxxxxxx.com/guestbook/temp/temp728.gif

  • the downloaded file is Backdoor.Surila, a component with stealth capabilities that hide it from the process list and from the hard drive

  • when the download of the backdoor component succeeds, the following registry value is added as a marker: "HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX", set to "1"

  • checks for the mutex "43jfds93872" in order to avoid reinfection (running more than one instance)

  • copies itself to "%system%\winpsd.exe" and "%windows%\rasor38a.dll"

  • adds to the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" a value named "winpsd" which points to "%system%\winpsd.exe"
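The e-mail indicators from the first bullet (subject, body text and attachment name) are enough for a mail-gateway content rule. The function below is an added example, not part of the Bitdefender write-up; the name Test-MyDoomSMail, the verdict thresholds and the constructed sample message (fake addresses, a base64 placeholder instead of a real payload) are this example's own assumptions.

```powershell
# Added example (not from the write-up): content check for the worm's
# propagation e-mail. Matches the subject, the body line and the attachment
# name described above, and flags any other executable attachment as well.
function Test-MyDoomSMail {
    param([Parameter(Mandatory)][string]$RawMessage)   # full RFC 822 message text

    # Split headers from body at the first blank line (CRLF or LF line endings).
    $parts   = $RawMessage -split '\r?\n\r?\n', 2
    $headers = $parts[0]
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $reasons = @()

    if ($headers -match '(?im)^Subject:\s*Photos\s*$') {
        $reasons += 'subject "Photos"'
    }
    # The worm's one-line body text, as quoted in the description.
    if ($body -match '(?m)^LOL!;\)\)\)\)\s*$') {
        $reasons += 'body "LOL!;))))"'
    }
    # Attachment names appear as name="..." / filename="..." parameters in the
    # MIME part headers inside the body.
    $names = [regex]::Matches($body, '(?i)(?:file)?name="?([^";\r\n]+)"?') |
             ForEach-Object { $_.Groups[1].Value }
    if ($names -contains 'photos_arc.exe') {
        $reasons += 'attachment photos_arc.exe'
    }
    elseif ($names | Where-Object { $_ -match '\.(exe|scr|pif|com|bat)$' }) {
        $reasons += 'executable attachment ' + ($names -join ',')
    }

    # Assumed policy: two or more indicators is the worm's message (block);
    # a single one (e.g. any executable attachment) is still quarantined.
    [pscustomobject]@{
        Verdict = if ($reasons.Count -ge 2) { 'block' }
                  elseif ($reasons.Count -eq 1) { 'quarantine' }
                  else { 'pass' }
        Reasons = $reasons
    }
}

# Constructed sample resembling the worm's message; no real sender or payload.
$sample = @"
From: someone@example.org
To: victim@example.net
Subject: Photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

LOL!;))))
--b1
Content-Type: application/octet-stream; name="photos_arc.exe"
Content-Disposition: attachment; filename="photos_arc.exe"
Content-Transfer-Encoding: base64

VGhpcyBpcyBub3QgYSByZWFsIHBheWxvYWQ=
--b1--
"@

Test-MyDoomSMail -RawMessage $sample   # Verdict: block, three reasons
```

The sender check is deliberately absent: the write-up says the From address is spoofed, so it carries no signal, and a rule keyed on it would only produce false negatives.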