What is it?
syshosts.exe is a file associated with the W32.MyDoom.Y@mm worm
What does it do?
W32.MyDoom.Y@mm is a mass-mailing worm
when w32.mydoom.ymm is executed it does the following:
Copies itself as the following files:
- Note:
%System% is a variable that refers to the System folder. By default
this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32
(Windows NT/2000), or C:WindowsSystem32 (Windows XP).
- Adds the value:
"MS Updates"="%System%syshosts.exe"
to the registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
so that the worm is executed every time Windows starts. - Opens http://www.microsucks.com in Internet Explorer.
More information and removal instructions
@symantec