This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.
Copies itself to:
Adds the value: NeroCheck = %system%\regedit.exe
to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands.
If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself.
The backdoor component of Mydoom accepts the file and executes it.
To determine which IP addresses to attack, the worm uses the following formula: (A.B.C.D) where A,B,C,D is a random numbers.
If the current date is not between the 8th and the 12th of the month and it's not January the worm will launch a DoS attack on the www.microsoft.com site.
With antivirus (also check How To Remove section)Startup Optimizer you can automatical remove it from startup.