
oz11111.exe

What is it?
oz11111.exe is a file associated with the W32.Mydoom.W@mm worm.

What does it do?
W32.Mydoom.W@mm is a mass-mailing worm that attempts to perform a Distributed Denial of Service (DDoS) attack against www.symantec.com.

When W32.Mydoom.W@mm is executed, it performs the following actions:
  1. Creates the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
    HKEY_CURRENT_USER\Software\Microsoft\Daemon
    HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
  2. Creates the mutex "Sept-Symantec-Attack" so that only one instance of the worm can be executed.
  3. Deletes the files in the Windows Temp folder.
  4. Inserts the following files:
    • %Temp%\Services.exe: This file will be detected as Backdoor.Zincite.A.
    • %System%\About_Mydoom.txt: This is a text file and should be manually deleted.
    • %System%\Doompic.jpg: This is a JPEG file and should be manually deleted.
    • %System%\log32zx.exe: This file will be detected as Keylogger.Trojan.
    • %System%\Downxz.bat: This file will be detected as Download.Trojan.
  5. Copies itself as:
    • %System%\oz11111.exe
    • %Windir%\oz2.exe
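The artifacts listed above can be matched against a host inventory. The following is an added example, not code from this page or from Symantec: it anchors each file name to its directory, so the dropped Services.exe in a Temp folder is flagged while the legitimate services.exe in the system folder is not. The function names, the regex expansions of %System%, %Windir% and %Temp%, and the sample inventory are assumptions made for illustration.

```python
import re

# Assumed expansions of the placeholders used in the list above.
DIRS = {"%system%": r"[a-z]:\\(windows|winnt)\\system(32)?",
        "%windir%": r"[a-z]:\\(windows|winnt)",
        "%temp%": r"[a-z]:\\(.*\\)?temp"}
FILES = {  # indicator -> note, both taken from the list above
    r"%Temp%\Services.exe": "Backdoor.Zincite.A",
    r"%System%\About_Mydoom.txt": "dropped text file",
    r"%System%\Doompic.jpg": "dropped JPEG file",
    r"%System%\log32zx.exe": "Keylogger.Trojan",
    r"%System%\Downxz.bat": "Download.Trojan",
    r"%System%\oz11111.exe": "worm copy",
    r"%Windir%\oz2.exe": "worm copy",
}
KEYS = (r"software\microsoft\windows\currentversion\explorer\comdlg32\version",
        r"software\microsoft\daemon")
HIVES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}
MUTEX = "Sept-Symantec-Attack"

def file_pattern(indicator):
    """Turn '%Temp%\\Services.exe' into a regex anchored to that directory."""
    placeholder, name = indicator.lower().split("\\", 1)
    return re.compile(DIRS[placeholder] + r"\\" + re.escape(name))

def match_indicators(artifacts):
    """artifacts: (kind, value) pairs; kind is 'file', 'regkey' or 'mutex'."""
    hits = []
    for kind, value in artifacts:
        v = value.strip().replace("/", "\\").lower()
        if kind == "file":
            hits += [(value, note) for ind, note in FILES.items()
                     if file_pattern(ind).fullmatch(v)]
        elif kind == "regkey":
            hive, _, rest = v.partition("\\")
            if HIVES.get(hive, hive) in HIVES.values() and rest.rstrip("\\") in KEYS:
                hits.append((value, "registry key created by the worm"))
        elif kind == "mutex" and value == MUTEX:
            hits.append((value, "worm mutex"))
    return hits

SAMPLE = [  # constructed inventory, not real telemetry
    ("file", r"C:\WINDOWS\system32\services.exe"),  # legitimate, must not match
    ("file", r"C:\Documents and Settings\bob\Local Settings\Temp\Services.exe"),
    ("file", "c:/winnt/OZ2.EXE"),
    ("regkey", r"HKLM\Software\Microsoft\Daemon"),
    ("regkey", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"),
    ("mutex", "Sept-Symantec-Attack"),
]
```

Calling `match_indicators(SAMPLE)` returns four hits; the system-folder services.exe and the ComDlg32 parent key (without the Version subkey) are not reported.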
More information and removal instructions
@symantec