Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelHigh threatDamageSevereDistributionNot widespread
Common name:Mydoom.AO
Technical name:W32/Mydoom.AO.worm
Threat level:High
Alias:W32/, W32.Mydoom.AX@mm, W32/MyDoom-O, W32/Mydoom, Win32.Mydoom.AU, Email-Worm.Win32.Mydoom.m

It opens the TCP port 1034, acting as a backdoor. It downloads and installs the backdoor Bck/Surila.J and spreads via e-mail in a message with variable characteristics.

Affected platforms:

Windows 2003/XP/2000/NT

First detected on:Feb. 17, 2005
Detection updated on:Aug. 13, 2006
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 


Mydoom.AO is a worm that affects Windows 2003/XP/2000/NT computers only. It opens the TCP port 1034 and listens to it, acting as a backdoor.

Mydoom.AO downloads a file called MODULELOG.PNG from the Internet. In fact, this file is not a PNG image, but an executable file belonging to the backdoor Bck/Surila.J.

Mydoom.AO spreads via e-mail, in a message with variable characteristics that passes itself off as a mail delivery error. In order to harvest e-mail addresses to send itself to, this worm looks for files on the affected computer, but it also uses intensive searches on web searchers.

Mydoom.AO uses popular web searchers, such as Google, Altavista, Yahoo and Lycos.

Additionally, Mydoom.AO is able to surpass certain anti-spam techniques commonly used when noting down e-mail addresses.

Visible Symptoms 


Mydoom.AO is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.