By Robert Vamosi
A spoofed warning from your e-mail provider may disguise this virus.
(July 26, 2004)
How it works
MyDoom.m constructs random e-mail messages from a string of hard-coded text within the virus code itself. The infected e-mail appears to have been sent by someone you may know. The body text may suggest that your e-mail account has been compromised by a virus or has been used recently to send spam. The body text appears to come from the technical support team of the domain you are using for your own e-mail address: for example, someone@mydomain.com would receive a note signed by the mydomain.com team. The body text further encourages you to open the attached file (usually a ZIP, but it could also be EXE, COM, SCR, PIF, BAT, or CMD) for more information. Do not follow this instruction; it will launch the virus on your PC.
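The lure described above has two signals a mail gateway can check cheaply: the sender claims the recipient's own domain, and the attachment carries one of the listed executable or archive extensions. The following is an added example, not code from the original article or from any vendor named in it; it parses a constructed sample message (hypothetical addresses under mydomain.example) with Python's standard email library and returns the indicators it finds.

```python
import email
from email import policy
from email.utils import parseaddr

# Attachment types the article says the lure uses.
RISKY_EXTENSIONS = {".zip", ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Wording the article describes in the lure body.
LURE_PHRASES = ("virus", "spam", "compromised")

# Constructed sample messages (hypothetical domain, no real addresses).
LURE_RAW = """\
From: support@mydomain.example
To: someone@mydomain.example
Subject: Notice about your e-mail account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your e-mail account has been used to send spam. Open the attached
file for more information.
The mydomain.example team
--b1
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

BENIGN_RAW = """\
From: colleague@partner.example
To: someone@mydomain.example
Subject: Lunch

See you at noon.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return the list of lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = domain_of(msg["From"])
    # Self-domain spoof: the "support team" writes from the victim's own domain.
    if sender and sender == domain_of(msg["To"]):
        reasons.append("sender claims recipient's own domain")
    # Any attachment with one of the extensions the article lists.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")
    # Body wording about a compromised or spam-sending account.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in LURE_PHRASES):
        reasons.append("account-compromise wording in body")
    return reasons


if __name__ == "__main__":
    print(score_message(LURE_RAW))   # three indicators
    print(score_message(BENIGN_RAW))  # []
```

The self-domain rule on its own is weak, since ordinary internal mail also matches it; it is the combination with an executable or archive attachment and the account-compromise wording that makes a message worth quarantining rather than delivering.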
Once executed, MyDoom.m installs itself in the Windows folder as:
C:\WINDOWS\JAVA.EXE
C:\WINDOWS\SERVICES.EXE
MyDoom.m also changes the system registry by adding the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
JavaVM="[Windows folder]\java.exe"
Services="[Windows folder]\services.exe"
HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
MyDoom.m will open port 2110 to listen for remote access.
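A responder checking a suspect PC can compare three things already easy to collect (a listing of the Windows folder, a `reg export` of the Run key, and `netstat -an` output) against the indicators listed above. The script below is an added example, not code from the original article; it works offline over three constructed sample captures from a hypothetical host and reports which of the article's indicators are present. Only the file names, Run value names, registry keys and port come from the article; the sample data is made up.

```python
import re

# Indicators taken from the article above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_FILES = {"java.exe", "services.exe"}
INDICATOR_RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}
INDICATOR_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Daemon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon",
}
INDICATOR_PORT = 2110

# Constructed sample inputs (hypothetical host; not real captures).
SAMPLE_DIR = r"""
 Directory of C:\WINDOWS

07/26/2004  09:12 AM            28,672 java.exe
07/26/2004  09:12 AM            28,672 services.exe
08/29/2002  05:00 AM            69,120 notepad.exe
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Daemon]

"""

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2110           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1032         127.0.0.1:2110         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def listed_files(dir_listing):
    """Lower-cased file names from a `dir`-style listing (date, time, AM/PM, size, name)."""
    names = set()
    for line in dir_listing.splitlines():
        parts = line.split()
        if len(parts) >= 4 and "." in parts[-1]:
            names.add(parts[-1].lower())
    return names


def parse_reg_export(reg_text):
    """Parse a `reg export` file into {key (lower-cased): {value_name: data}}."""
    keys = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files double every backslash inside string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def listening_tcp_ports(netstat_text):
    """TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def check_host(dir_listing, reg_text, netstat_text):
    """Return human-readable findings for every indicator present in the inputs."""
    findings = []
    # The legitimate services.exe lives in system32; a copy directly in the
    # Windows folder, like the java.exe dropped beside it, is the indicator.
    for name in sorted(INDICATOR_FILES & listed_files(dir_listing)):
        findings.append(f"file {name} present in Windows folder")
    reg = parse_reg_export(reg_text)
    for value_name, data in reg.get(RUN_KEY.lower(), {}).items():
        expected = INDICATOR_RUN_VALUES.get(value_name.lower())
        if expected and data.lower().endswith(expected):
            findings.append(f"Run value {value_name} -> {data}")
    for key in sorted(INDICATOR_KEYS):
        if key.lower() in reg:
            findings.append(f"registry key {key} exists")
    if INDICATOR_PORT in listening_tcp_ports(netstat_text):
        findings.append(f"TCP port {INDICATOR_PORT} listening")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_DIR, SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```

A listener on port 2110 alone is only a hint, because any program can pick that port; the file and Run-value indicators together are what make the finding specific to this worm, and a match should be followed by a full signature scan rather than by deleting the files by hand.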
Prevention
If you receive MyDoom.m, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall that blocks unsolicited inbound connections (including to port 2110) will prevent the virus author from gaining remote access to your PC.
Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates (MyDoom.n), F-Secure, Kaspersky, McAfee, Norman (MyDoom.l), Panda, Sophos (MyDoom.o), Symantec, and Trend Micro.
