When W32.Mydoom.M@mm is executed, it performs the following actions:
Creates the following registry keys, which mark the computer as infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
HKEY_CURRENT_USER\Software\Microsoft\Daemon
Copies itself as %Windir%\
java.exe.Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Drops and executes %Windir%\services.exe, which is detected as Backdoor.Zincite.A. When executed, this file opens TCP port 1034 and listens for remote connections. The backdoor will also probe random IP addresses on port 1034 looking for other infected hosts.
Adds the values:
"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\
java.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm and backdoor load when Windows starts.
............
and on it goes...
Go here & do a quick couple of scans just to be sure.
Free online virus scanhttp://www.pandasoftware.com/products/activescan.htmFree online spyware scanhttp://www.pandasoftware.com/products/spyxposer/com/spyxposer_principal.htm