This one caused an emergency liveupdate early yesterday morning of May 27:
W32.Mydoom.BU@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer and that has back door capabilities.
Also Known As: W32/Mytob.be@MM [McAfee], W32/Mytob-L [Sophos], WORM_MYTOB.FC [Trend Micro]
Infection Length: 49,278 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Originally Posted by Symantec Technical Details
When W32.Mydoom.BU@mm is executed, it performs the following actions:
1. Copies itself as:
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"WINDOWS SYSTEM" = "nec.exe"
to the registry subkey:
so that the risk runs every time Windows starts.
3. Modifies the value:
"Start" = "4"
in the registry subkey:
to prevent other programs from running when Windows starts.
4. Connects to IRC channel #skyline2 on the server irc.blackcarder.net.
5. Listens for commands that allow the remote attacker to perform any of the following actions:
* Download and execute files
* Perform other IRC commands determined by the attacker
* Reboot the compromised computer
Further Tech Details: http://securityresponse.symantec.com...chnicaldetails