W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-A uses randomly chosen email addresses in the "To:" and
"From:" fields as well as a randomly chosen subject line. The emails
distributing this worm have the following characteristics.

Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

W32/MyDoom-A is programmed to not forward itself via email if the recipient email address satisfies various conditions:

• The worm will not send itself to email addresses belonging to domains containing the following strings: acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed

  As a consequence the worm does not forward itself to a number of email domains, including several anti-virus companies and Microsoft.
  
  

• The worm will not send itself to email addresses in which the username contains the following strings: abuse, anyone, bugs, ca, contact, feste, gold-certs, help, info, me, no, noone, nobody, not, nothing, page, postmaster, privacy, rating, root, samples, secur, service, site, spm, soft, somebody, someone, submit, the.bat, webmaster, you, your, www
  
  
• The worm will not send itself to email addresses which contain the the following strings: admin, accoun, bsd, certific, google, icrosoft, linux, listserv, ntivi, spam, support, unix
  
  

W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between the 1st and 12th February 2004, the worm will attempt a denial-of-service attempt to www.sco.com, sending numerous GET requests to the web server.

After the 12th February W32/MyDoom-A will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack