[MyDoom ransomware]
[Virus/malware activity reported: MyDoom ransomware]
Following a security breach believed to involve MyDoom ransomware, we would like to
confirm the situation and issue the following warning.
MyDoom ransomware
The ransomware is called MyDoom and appears to rename all files so that they end in .<existing extension>.id-<generated private key>.[bitlocker@foxmail.com].wiki.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Deleting shadow copies
The ransomware deletes shadow copies to prevent restoration of encrypted files.
[Figure 4 Deleting shadow copies]
Register startup program
It registers itself in the registry and in a folder so that it runs again when Windows restarts.
[Figure 5 Startup program registration]
Infection results
The guidance file is created and executed through mshta.exe in the system folder, and is added to the desktop under the name FILES ENCRYPTED. When encryption is performed, file names are changed to end in .<existing extension>.id-<generated private key>.[bitlocker@foxmail.com].wiki.
[Figure 6 Infection result 1]
[Figure 7 Infection result 2]
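A triage helper for the rename pattern and note name described above, added here as an example and not part of the original advisory: it finds renamed files in a path listing, recovers their pre-encryption names and groups them by id. The function name, the sample paths, the `.txt` note extension and the assumption that the id contains no dots are illustrative.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Suffix from the page: <name>.id-<generated private key>.[bitlocker@foxmail.com].wiki
# Assumption: the generated id contains no dots or path separators.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\\/]+)\.\[bitlocker@foxmail\.com\]\.wiki$",
    re.IGNORECASE,
)
NOTE_STEM = "files encrypted"  # note name from the page; its extension is not stated


def triage(paths):
    """Split a path listing into renamed files (grouped by id) and guidance notes."""
    by_id = defaultdict(list)
    notes = []
    for raw in paths:
        p = PureWindowsPath(raw)
        m = ENCRYPTED_RE.match(p.name)
        if m:
            # Keep the pre-encryption path so it can be matched against backups.
            original = str(p.with_name(m.group("original")))
            by_id[m.group("victim_id")].append((raw, original))
        elif p.stem.lower() == NOTE_STEM:
            notes.append(raw)
    return dict(by_id), notes


SAMPLE = [  # constructed listing, not taken from a real incident
    r"C:\Users\a\Documents\report.docx.id-1A2B3C4D.[bitlocker@foxmail.com].wiki",
    r"C:\Users\a\Pictures\scan.tar.gz.id-1A2B3C4D.[bitlocker@foxmail.com].wiki",
    r"C:\Users\a\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\a\Documents\notes.wiki",  # ordinary .wiki file, must not match
    r"C:\Users\a\Documents\budget.xlsx",
]

if __name__ == "__main__":
    groups, notes = triage(SAMPLE)
    for vid, files in groups.items():
        print(f"id {vid}: {len(files)} renamed file(s)")
        for enc, orig in files:
            print(f"  {enc}\n    was: {orig}")
    print("guidance notes:", notes)
```

Grouping by id shows whether one host or share was hit by more than one run, and the recovered names give the list of files to look for in backups.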
White Defender compatible
White Defender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 9 Block message]
[Figure 10 Block message]