The Mydoom.N virus is a macro virus which spreads and executes in the following way:
The affected computer must be an active member of a domain.
An e-mail must have been sent to the target computer (this is the information that the virus needs to do its work).
It examines the received e-mail and moves the desired files into a shared folder (named “\\I am here\”); a .lnk file that points to the shared folder is created on the target computer.
A .lnk file (shortcut) is created on the desktop.
The virus tries to delete the .lnk file every day in order to increase the chance of infecting other computers.
The .lnk file points to the virus file that executes the infection.
Mydoom.N uses the JMP instruction and two strings that can be seen in the image below:
The following strings may be seen in the affected files:
C:\WINDOWS\I am here\Message.txt
C:\WINDOWS\I am here\C:\Users\Mydoom.N.virus\Mydoom.N.exe
C:\WINDOWS\I am here\C:\Users\Mydoom.N.virus\Mydoom.N.ini
The virus will also be dropped in the following folders:
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Cache
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Cookies
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Passwords
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Preferences
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Templates
\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\091cf8c.default\Toolbars
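A defender can sweep a directory tree for the three strings the page lists as visible in affected files. The following is an added example, not code from the original page: the function names are hypothetical, the sample buffer is constructed, and matching both ASCII and UTF-16LE encodings case-insensitively is an assumption about how the strings may be stored.

```python
import os

# Strings the page lists as visible in affected files (copied from the page).
INDICATOR_STRINGS = [
    r"C:\WINDOWS\I am here\Message.txt",
    r"C:\WINDOWS\I am here\C:\Users\Mydoom.N.virus\Mydoom.N.exe",
    r"C:\WINDOWS\I am here\C:\Users\Mydoom.N.virus\Mydoom.N.ini",
]

def _needles():
    """Yield (string, bytes) in ASCII and UTF-16LE; Windows paths ignore case."""
    for s in INDICATOR_STRINGS:
        yield s, s.lower().encode("ascii")
        yield s, s.lower().encode("utf-16-le")

def scan_bytes(data):
    """Return the sorted indicator strings present in a byte buffer."""
    hay = data.lower()  # lowers ASCII letters only, safe for both encodings
    return sorted({s for s, n in _needles() if n in hay})

def scan_file(path, chunk=1 << 20):
    """Scan in chunks, carrying an overlap so a split string still matches."""
    overlap = max(len(n) for _, n in _needles()) - 1
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            hits.update(scan_bytes(tail + block))
            tail = (tail + block)[-overlap:]
    return sorted(hits)

def scan_tree(root):
    """Walk root; return {path: [indicator strings]} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    # Constructed sample buffer, not taken from a real file.
    sample = b"\x00pad" + INDICATOR_STRINGS[0].upper().encode("utf-16-le")
    print(scan_bytes(sample))
```

Because .lnk shortcuts store their target path as a string, the same sweep also flags a shortcut whose target is one of the listed paths.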
