FRISK Software International

Summary of W32/Mydoom.BJ@mm
Length: 426kb
Discovered: 31 Mar 2005
Definition files: 31 Mar 2005
Risk Level: Low
Infection Method: Email messages

Brief Description
W32/Mydoom.BJ@mm is a mass mailing worm. It spreads by mass-mailing itself to e-mail addresses harvested from the local computer.

On infection, the worm launches Windows Notepad, which displays a meaningless jumble of data.

It drops 2 files on the infected computer:

detected as W32/Banker.ACW and W32/Backdoor.AZI respectively. The backdoor listens on port 5204.

W32/Mydoom.BJ@mm copies itself to:

It creates keys under:
    Systems = %systemroot%\System32\svch0st.exe
    WINLOG0N = %systemroot%\System32\WINLOG0N.EXE

to ensure that each time the computer is restarted, W32/Mydoom.BJ@mm and W32/Backdoor.AZI are executed.

It modifies the following key:
Old value: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

New value: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

which effectively registers wxapi.dll (W32/Backdoor.AZI) as a shell extension, which allows it to run in Windows Explorer's address space.

Other registry keys created:


%systemroot% will translate to the Windows directory (e.g.: C:\winnt for WinNT/Windows 2000, C:\Windows for WinXP).
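
The two autostart values listed above point at file names that imitate genuine Windows binaries by using the digit 0 in place of the letter o. As an added example (not part of the FRISK description), the following Python check reviews exported autostart values for those two entries and, more generally, for the same digit-substitution pattern; the reference list of genuine binaries, the sample entries and all function names are assumptions.

```python
import re

# Digits often swapped in for look-alike letters (0 for o, 1 for l).
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})

# Assumption: a short reference list of genuine Windows binaries.
GENUINE = {"svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe", "services.exe"}

# Autostart value name -> file name, as given in the description above.
ADVISORY = {"systems": "svch0st.exe", "winlog0n": "winlog0n.exe"}

EXE_NAME = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)

def exe_name(data):
    """Lower-cased executable file name from autostart data, ignoring path and arguments."""
    match = EXE_NAME.search(data)
    return match.group(1).lower() if match else None

def imitated_binary(name):
    """Genuine binary that `name` imitates through digit substitution, or None."""
    if name is None or name in GENUINE:
        return None
    folded = name.translate(LOOKALIKES)
    return folded if folded in GENUINE else None

def review_autostart(entries):
    """Return (value_name, reason) for each suspicious (value_name, data) pair."""
    findings = []
    for value_name, data in entries:
        name = exe_name(data)
        if name is not None and ADVISORY.get(value_name.lower()) == name:
            findings.append((value_name, "matches the advisory"))
        elif imitated_binary(name):
            findings.append((value_name, "imitates " + imitated_binary(name)))
    return findings

# Constructed sample of autostart values exported from a host under review.
SAMPLE = [
    ("Systems", r"%systemroot%\System32\svch0st.exe"),
    ("WINLOG0N", r"%systemroot%\System32\WINLOG0N.EXE"),
    ("Updater", r"C:\Users\Public\expl0rer.exe /s"),
    ("HostSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("Tray", r'"C:\Program Files\Vendor\tray.exe" /min'),
]

if __name__ == "__main__":
    for value_name, reason in review_autostart(SAMPLE):
        print(value_name, "->", reason)
```

The check compares file names only, so a genuine name placed in an unexpected directory is not flagged by it.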

Removal Instructions
For general removal instructions please click here.

Guidelines on Safe Computing
  • Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly:

  • Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.

  • Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.

  • If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.

  • Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet. For more information click here.

  • Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.

  • Scan all files that you receive through the IRC, MSN, ICQ, Kazaa and other such on-line services.

  • Use software that detects ad-ware and spyware. For more information click here.

Bjartmar Kristjansson - Virus analyst FRISK Software Int.
