MyDoom prevention and cure
By Robert Vamosi

MyDoom is the fastest-spreading Internet worm to date

(1/26/04; revised 02/01/04)

MyDoom.a is a mass-mailing worm that masquerades as a bounce notice or test message. There is now a second version, MyDoom.b. MyDoom.a (w32.mydoom@mm, also known as Novarg, Shimgapi, Shimg, and MiMail.r) and MyDoom.b (w32.mydoom.b@mm) ship their executable inside a ZIP archive, which lets the attachment pass through e-mail filters that block bare executables. They also spread through the file-sharing application Kazaa. Within the first few hours, MyDoom.a spread quickly around the world; MyDoom.b, by contrast, is not spreading as quickly. Both worms affect only Windows users, not those using Macintosh, Linux, or Unix. MyDoom.a carries a payload that launches a denial-of-service (DoS) attack on the Web site www.sco.com; MyDoom.b launches a DoS attack on the Web site www.microsoft.com. MyDoom.a will self-terminate on February 12, 2004; MyDoom.b will terminate on March 1, 2004. Because both versions spread primarily via e-mail and could severely slow or shut down mail servers with excess traffic, these worms rate a 7 on the CNET Virus Meter.

How it works
Both versions of MyDoom arrive primarily as e-mail. The subject line reads "Mail Delivery System," "Test," or "Mail Transaction Failed." The body text reads: "The message contains Unicode characters and has been sent as a binary attachment." The attachment carries one of the following file names:

    document.zip
    document.pif
    doc.scr
    message.pif
    readme.exe
    file.zip
    message.zip
    oia.zip
    text.zip

When the attachment is run, MyDoom adds the following files to the Windows System directory:

    shimgapi.exe
    taskmon.exe

If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\.

In addition to the above, MyDoom.b overwrites the Windows hosts file on infected systems so that the names of most major antivirus sites no longer resolve to the real servers, which keeps infected users from downloading updates or removal tools.

Both versions of MyDoom are known to open Windows Notepad and display garbage text; in addition, security companies iDefense and McAfee report that MyDoom opens a backdoor, listening on TCP ports 3127 through 3198 for commands from a remote attacker.
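
Host-side checks for the artifacts described above (the dropped files, the rewritten hosts file and the listening backdoor ports), as an added example rather than code from CNET or any antivirus vendor. It works on text you hand it, a listing of the System directory, the contents of the hosts file and the output of `netstat -an`, so it runs offline on any platform. All sample inputs are constructed; the antivirus host names in the hosts sample are an assumption, since the page does not list which sites MyDoom.b blocks.

```python
"""Host-side MyDoom indicator checks over text captured from a Windows machine.

Added example, not vendor code. Inputs are plain text (directory listing,
hosts file, `netstat -an` output); the samples below are constructed and the
antivirus host names in them are assumed, not taken from the page.
"""
import re

DROPPED_FILES = {"shimgapi.exe", "taskmon.exe"}   # dropped in the System directory
KAZAA_FILE = "activation_crack.scr"              # planted in Kazaa's shared folder
BACKDOOR_PORTS = range(3127, 3199)               # 3127 through 3198 inclusive
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}          # addresses used to black-hole a name

# `netstat -an` on Windows prints e.g. "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING"
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I | re.M)


def dropped_file_hits(listing: list[str]) -> list[str]:
    """Names in a directory listing that match the worm's dropped files or the Kazaa bait."""
    wanted = DROPPED_FILES | {KAZAA_FILE}
    return sorted(n.lower() for n in listing if n.lower() in wanted)


def hosts_file_sinkholes(hosts_text: str) -> list[str]:
    """Host names a hosts file pins to loopback or 0.0.0.0, other than localhost."""
    sinkholed = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()                 # hosts lines may carry several names
        if ip in SINKHOLE_IPS:
            sinkholed.extend(n for n in names if n.lower() != "localhost")
    return sinkholed


def listening_backdoor_ports(netstat_text: str) -> list[int]:
    """TCP ports in the MyDoom backdoor range that are in LISTENING state."""
    ports = {int(p) for p in _LISTEN_RE.findall(netstat_text)}
    return sorted(p for p in ports if p in BACKDOOR_PORTS)


def assess(listing: list[str], hosts_text: str, netstat_text: str) -> dict:
    """Combine the three checks; hosts-file tampering is the MyDoom.b-specific trait."""
    files = dropped_file_hits(listing)
    sinkholes = hosts_file_sinkholes(hosts_text)
    ports = listening_backdoor_ports(netstat_text)
    return {
        "dropped_files": files,
        "hosts_sinkholes": sinkholes,
        "backdoor_ports": ports,
        "suspect": bool(files or ports or sinkholes),
    }


# Constructed samples resembling an infected host (antivirus names assumed).
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "Taskmon.exe", "shimgapi.exe", "notepad.exe"]
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.symantec.com securityresponse.symantec.com
0.0.0.0 www.mcafee.com
127.0.0.1 www.sophos.com
"""
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3130       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:3129           *:*
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_DIR, SAMPLE_HOSTS, SAMPLE_NETSTAT))
```

On a real machine, feed `dir` output of the System directory, the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `netstat -an` into `assess`. A listening port in the 3127-3198 range on a host that should serve nothing is the strongest of the three indicators; a hosts file that sends antivirus vendors to loopback explains why the machine cannot fetch signature updates and is the first thing to repair.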

On February 1, MyDoom.a's built-in denial-of-service attack against SCO.com began, taking the company's Web site offline. On February 3, MyDoom.b will attempt the same against Microsoft.com.

Prevention
If you receive MyDoom, do not open the attached file; delete the e-mail message. At the mail gateway, block or quarantine messages whose attachments carry the file names listed above, and treat any .pif, .scr, or .exe file as dangerous whether it arrives bare or inside a ZIP archive, since the ZIP wrapper is what gets the worm past simple extension filters. If you run Kazaa, do not download or run activation_crack.scr from another user's shared folder.

Removal
All of the major antivirus software companies have updated their signature files to include these worms. Updated signatures will stop the infection on contact and, in some cases, remove an active infection from your system. Confirm the cleanup by checking that shimgapi.exe and taskmon.exe are gone from the Windows System directory. On a machine hit by MyDoom.b, restore the hosts file first: until its entries for antivirus sites are removed, the machine cannot reach those vendors to download the updated signatures.

For more information about MyDoom.a, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, or Trend Micro.

For more information about MyDoom.b, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, or Trend Micro.

Read the latest News.com coverage here.