Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mydoom.A

Aliases: Novarg, Shimgapi or Shimg

Win32/Mydoom.A (aliases Novarg, Shimgapi, Shimg) is a worm that spreads as an e-mail attachment and over the Kazaa file-sharing network. The sender address is spoofed, and the attachment name, message subject and message body vary. The attachment extension can be .exe, .pif, .cmd or .scr; the worm can also attach itself inside a .zip archive. The worm's body is 22582 bytes long, UPX-packed, and contains encoded strings. The worm mails itself to addresses harvested from the infected computer.

The body of the e-mail message can be empty or may contain one of these four texts:

  • test
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

The worm creates the files shimgapi.dll and Taskmon.exe in the Windows System directory, and a file in the Kazaa shared-files directory under one of the following names:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

The worm adds the value "TaskMon" = %SysDir%\taskmon.exe to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key, so it is started again after every restart of the computer. When run, the worm opens Notepad filled with random data.

The reference in HKLM\Software\Classes to Webcheck.dll, which contains the COM interfaces used for Web Site Monitoring, is replaced with shimgapi.dll. Through this hijacked registration shimgapi.dll is loaded automatically into the address space of explorer.exe. The DLL contains a backdoor that listens on port 3127.
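The indicators above (lure body texts and attachment extensions, the TaskMon Run-key value, the shimgapi.dll COM registration, the port 3127 listener, and the Kazaa lure file names) can be checked offline against collected data. The script below is an added example, not code from this encyclopedia or its vendor. It assumes a minimal .reg-style export (only string values are parsed), netstat -ano style output, and a PID-to-process mapping; the CLSID in the sample export is a placeholder, since the entry does not name the Webcheck CLSID, so the check flags any InprocServer32 entry under HKLM\Software\Classes that now points at shimgapi.dll. All sample data is constructed.

```python
"""Offline indicator checks for the Win32/Mydoom.A artifacts described above."""
import re

# Indicators taken from the entry above.
LURE_BODIES = {
    "test",
    "The message cannot be represented in 7-bit ASCII encoding and has been "
    "sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary "
    "attachment.",
    "Mail transaction failed. Partial message is available.",
}
LURE_EXTENSIONS = {".exe", ".pif", ".cmd", ".scr", ".zip"}
KAZAA_NAMES = {"winamp5", "icq2004-final", "activation_crack",
               "strip-girl-2.0bdcom_patches", "rootkitXP", "office_crack",
               "nuke2004"}
WORM_SIZE = 22582
BACKDOOR_PORT = 3127
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
CLASSES_KEY = r"hkey_local_machine\software\classes"


def _split_ext(name):
    """Split 'foo.exe' into ('foo', '.exe'); no extension gives ('foo', '')."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")


def _leaf(path):
    """Last path component of a Windows path, lower-cased (works off-Windows)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lure_mail(body, attachment_name, attachment_size=None):
    """True when a message matches the lure pattern: an empty body or one of the
    four canned texts, plus an attachment with a worm extension. For non-zip
    attachments the size, when known, must equal the worm body size."""
    ext = _split_ext(attachment_name)[1].lower()
    if ext not in LURE_EXTENSIONS:
        return False
    text = body.strip()
    if text and text not in LURE_BODIES:
        return False
    if attachment_size is not None and ext != ".zip":
        return attachment_size == WORM_SIZE
    return True


def parse_reg_export(text):
    """Minimal .reg parser: {key_lower: {value_name_lower: data}}.
    Only "name"="string" and @="string" lines are understood (assumption)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"([^"]*)")="(.*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            # .reg files escape backslashes as \\ inside string data.
            keys[current][name.lower()] = m.group(3).replace("\\\\", "\\")
    return keys


def scan_host(reg_text, netstat_text, pid_names, kazaa_listing):
    """Return the set of Mydoom.A host indicators present in the given data."""
    found = set()
    reg = parse_reg_export(reg_text)
    # 1. Persistence: a TaskMon value in the HKLM Run key naming taskmon.exe.
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "taskmon" and _leaf(data) == "taskmon.exe":
            found.add("run_key_taskmon")
    # 2. COM hijack: an InprocServer32 under HKLM\Software\Classes that now
    #    names shimgapi.dll (a clean registration points at Webcheck.dll).
    for key, values in reg.items():
        if key.startswith(CLASSES_KEY + "\\") and key.endswith("\\inprocserver32"):
            if _leaf(values.get("", "")) == "shimgapi.dll":
                found.add("webcheck_inproc_replaced")
    # 3. Backdoor: a TCP listener on 3127; note whether explorer.exe owns it.
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if int(parts[1].rsplit(":", 1)[1]) == BACKDOOR_PORT:
                found.add("listener_3127")
                if pid_names.get(parts[4], "").lower() == "explorer.exe":
                    found.add("listener_3127_in_explorer")
    # 4. Kazaa share: a lure name from the list above with a worm extension.
    for fname in kazaa_listing:
        stem, ext = _split_ext(fname)
        if stem in KAZAA_NAMES and ext.lower() in LURE_EXTENSIONS:
            found.add("kazaa_lure_file")
    return found


# Constructed sample data; the CLSID below is a placeholder, not the real one.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1460
"""
SAMPLE_PIDS = {"812": "svchost.exe", "1460": "explorer.exe"}
SAMPLE_KAZAA = ["winamp5.exe", "readme.txt"]

if __name__ == "__main__":
    print(sorted(scan_host(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PIDS, SAMPLE_KAZAA)))
```

On a live machine the same functions would be fed `reg export` output of the two keys, `netstat -ano`, a `tasklist` PID map, and a directory listing of the Kazaa share; the size test in `is_lure_mail` is deliberately skipped for .zip attachments because only the bare worm body is 22582 bytes.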

Detection of Win32/Mydoom.A was added in version 1.608.