Mydoom is a mass-mailing worm for Microsoft Windows, reported at the time to be the most damaging worm ever released, exceeding even the damage attributed to Sobig. It also set records for the speed at which it spread.

Payload

Transmission

Mydoom spreads by email and through the Kazaa file-sharing network. Kazaa transmission is passive: a user has to search for and download one of the worm's decoy files from an already infected computer on the Kazaa network.

By email, Mydoom arrives in a message with a spoofed sender address and one of eight possible subject lines:

  • test
  • hi
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the email is one of three texts:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment has a generic name and, in most cases, two file extensions: the first, fake extension suggests a harmless document, while the second, real extension is what Windows actually executes. The base name is one of nine:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

The first, fake, extension is one of three:

  • htm
  • txt
  • doc

The second, real, extension is one of six:

  • bat
  • cmd
  • exe
  • pif
  • scr
  • zip

If the attachment is a .zip, it is a genuine archive containing a copy of the worm named after the archive. If it has an .exe or .scr extension, the attachment carries an icon resembling the Windows XP text-file icon, reinforcing the impression that it is a document.
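An added example, not code from this page or from any antivirus vendor: a Python mail filter that scores a message against the lure components listed above (the eight subjects, three body texts, nine base names, and the decoy and real extension sets). The three sample messages, their sender and recipient addresses, and the attachment bytes are constructed for the demonstration.

```python
"""Flag messages that match the Mydoom.A lure pattern described on this page.

Added example, not code from the page or from any AV vendor. Lure components
are the ones the page lists; sample messages below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
FAKE_EXT = {"htm", "txt", "doc"}                        # decoy "document" extension
REAL_EXT = {"bat", "cmd", "exe", "pif", "scr", "zip"}   # what Windows actually opens

# base[.fake].real  e.g. document.txt.pif, readme.zip
ATTACH_RE = re.compile(r"^(?P<base>[a-z]+)(?:\.(?P<fake>[a-z]+))?\.(?P<real>[a-z0-9]+)$", re.I)


def classify_attachment(name: str) -> dict:
    """Split a filename into the Mydoom name pattern and report which parts match."""
    m = ATTACH_RE.match(name.strip())
    if not m:
        return {"name": name, "pattern": False, "double_ext": False, "mydoom_name": False}
    base, fake, real = m["base"].lower(), (m["fake"] or "").lower(), m["real"].lower()
    double_ext = bool(fake) and fake in FAKE_EXT and real in REAL_EXT
    mydoom_name = base in BASENAMES and real in REAL_EXT and (not fake or fake in FAKE_EXT)
    return {"name": name, "pattern": True, "double_ext": double_ext, "mydoom_name": mydoom_name}


def _norm(text: str) -> str:
    return " ".join(text.split()).lower()


def score_message(raw: bytes) -> dict:
    """Return matched indicators and a verdict for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = _norm(msg["subject"] or "") in SUBJECTS
    body_part = msg.get_body(preferencelist=("plain",))
    body_hit = body_part is not None and _norm(body_part.get_content()) in BODIES
    attachments = [classify_attachment(p.get_filename())
                   for p in msg.iter_attachments() if p.get_filename()]
    name_hit = any(a["mydoom_name"] for a in attachments)
    double_hit = any(a["double_ext"] for a in attachments)

    if name_hit and (subject_hit or body_hit):
        verdict = "mydoom-like"          # lure text and attachment name both line up
    elif name_hit or double_hit:
        verdict = "suspicious"           # double-extension trick, or name set alone
    else:
        verdict = "clean"
    return {"subject": subject_hit, "body": body_hit, "attachment_name": name_hit,
            "double_extension": double_hit, "attachments": attachments, "verdict": verdict}


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed sample message: placeholder addresses, inert attachment bytes."""
    m = EmailMessage()
    m["From"] = "someone@example.org"    # placeholder, like the worm's spoofed sender
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLE_WORM = build_sample("Mail Transaction Failed",
                           "Mail transaction failed. Partial message is available.",
                           "document.txt.pif")
SAMPLE_DOUBLE = build_sample("Invoice", "Please see attached.", "invoice.txt.scr")
SAMPLE_BENIGN = build_sample("Q3 figures", "Numbers attached, see tab 2.", "q3-figures.xlsx")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("double", SAMPLE_DOUBLE), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw)["verdict"])
```

The double-extension check is deliberately kept separate from the Mydoom name set: the `.txt.scr` trick outlived this worm, so a filter that only keys on the nine base names misses later lures.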

Infection

When Mydoom is executed, it copies itself into the Windows system folder as taskmon.exe. A legitimate taskmon.exe exists on some Windows versions, but only in the Windows folder itself; a copy in the system folder is a sign of infection. It also drops shimgapi.dll into the system folder.

shimgapi.dll is the backdoor component: it listens on a TCP port in the range 3127 to 3198 and allows a remote party to upload and execute arbitrary files. As a decoy, the worm also writes a file named Message, filled with random characters, into the Temp folder and opens it in Notepad.

The worm creates or modifies several registry keys. It adds the value "TaskMon" = "<System Folder>\taskmon.exe" to both the Local Machine and the Current User Run key, so the worm starts at every boot regardless of which user logs on. It sets the "(Default)" value of a COM InProcServer32 key under HKEY_CLASSES_ROOT to "<System Folder>\shimgapi.dll", so that Internet Explorer loads the backdoor DLL whenever the browser starts; this persistence survives even if taskmon.exe alone is removed. It also creates a Local Machine and a Current User version of one further registry key.
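An added example for triaging a host against the artifacts just described; it is not code from this page or from any vendor. It parses a `netstat -ano` listing and a `.reg` export that a responder would already have captured, and reports listeners in the 3127 to 3198 range, TaskMon Run values that point into the system folder (not the Windows folder, where a legitimate taskmon.exe can live), and any InProcServer32 default value that loads shimgapi.dll. Both captures below are constructed; the CLSID is an all-zero placeholder, not the one the worm hijacks, and the PIDs and addresses are made up.

```python
"""Host triage for the Mydoom.A persistence and backdoor artifacts on this page.

Added example, not code from the page or from any AV vendor. Inputs are text
captures (`netstat -ano` output and a .reg export); both samples are constructed.
"""
import re

BACKDOOR_PORTS = range(3127, 3199)        # 3127-3198 inclusive, as on this page

# Local-address field may be IPv4 ("0.0.0.0:3127") or IPv6 ("[::]:3127").
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)")


def backdoor_listeners(netstat_text: str) -> list[dict]:
    """Listening TCP sockets whose port falls in the shimgapi.dll range."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m["port"]) in BACKDOOR_PORTS:
            hits.append({"addr": m["laddr"], "port": int(m["port"]), "pid": int(m["pid"])})
    return hits


def parse_reg(reg_text: str) -> list[tuple[str, str, str]]:
    """Minimal .reg reader: yields (key, value_name, data) for string values."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')   # "@" is the (Default) value
            data = data.strip('"').replace("\\\\", "\\")      # .reg doubles backslashes
            entries.append((key, name, data))
    return entries


def persistence_indicators(reg_text: str) -> list[dict]:
    """Run-key and COM InProcServer32 entries matching the worm's persistence."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        k, d = key.lower(), data.lower()
        # taskmon.exe is legitimate in the Windows folder on some versions;
        # the worm drops its copy in the *system* folder (System or System32).
        in_system_dir = "\\system32\\" in d or "\\system\\" in d
        if (k.endswith("\\currentversion\\run") and name.lower() == "taskmon"
                and d.endswith("taskmon.exe") and in_system_dir):
            hits.append({"type": "run-key", "key": key, "data": data})
        if k.endswith("\\inprocserver32") and name == "@" and d.endswith("shimgapi.dll"):
            hits.append({"type": "com-hijack", "key": key, "data": data})
    return hits


def triage(netstat_text: str, reg_text: str) -> dict:
    listeners = backdoor_listeners(netstat_text)
    registry = persistence_indicators(reg_text)
    return {"listeners": listeners, "registry": registry,
            "suspect": bool(listeners or registry)}


# Constructed sample captures (not from a real incident).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1460
  TCP    192.0.2.10:1052        198.51.100.5:80        ESTABLISHED     1460
"""

# The HKCU TaskMon entry points at the Windows folder on purpose: it shows
# that a path outside the system folder is not flagged by the rule above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\taskmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, SAMPLE_REG)
    for h in result["listeners"]:
        print(f"backdoor listener: {h['addr']}:{h['port']} pid={h['pid']}")
    for h in result["registry"]:
        print(f"{h['type']}: {h['key']} -> {h['data']}")
    print("suspect:", result["suspect"])
```

The listener check on its own is weak (the port is only one of 72, and other software can sit in that range), so the verdict is meant to be read together with the registry findings and, ideally, a hash of the file in the system folder.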

Mydoom then searches files with the following extensions for email addresses:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

The worm then mails itself using its own SMTP engine. It also carries a list of strings, mostly common first names, from which it generates further guessed addresses at the domains it has harvested:

  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

To deliver mail directly, the worm tries to guess the recipient domain's mail server by prepending the following strings to the domain name:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

It will avoid sending itself to domain names with the following strings:

  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • .gov
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • math
  • .mil
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • usenet
  • utgers.ed

It will also avoid sending itself to any user names with the following strings:

  • abuse
  • anyone
  • bugs
  • ca
  • contact
  • feste
  • gold-certs
  • help
  • info
  • me
  • no
  • noone
  • nobody
  • not
  • nothing
  • page
  • postmaster
  • privacy
  • rating
  • root
  • samples
  • secur
  • service
  • site
  • spm
  • soft
  • somebody
  • someone
  • submit
  • the.bat
  • webmaster
  • you
  • your
  • www

It will avoid email addresses with the following strings, regardless of whether the string is in the user or domain name:

  • admin
  • accoun
  • bsd
  • certific
  • google
  • icrosoft
  • linux
  • listserv
  • ntivi
  • spam
  • support
  • unix

It will copy itself to the Kazaa download folder under the following file names:

  • winamp5
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004

Between 1 and 12 February 2004 the worm attempts a DoS attack on www.sco.com. It starts 64 threads, each of which repeatedly issues HTTP GET requests from a random source port on the infected computer to port 80 of www.sco.com. Because of the way Mydoom checks the date, only about one in four infected machines actually launches the attack.

Variants

Mydoom.B

Mydoom.B launches a Denial of Service attack against both SCO and Microsoft. It begins its attack on www.sco.com on 1 February, using 7 threads that continuously send GET requests to the site. It begins its attack on www.microsoft.com on 3 February, using 13 threads.

The worm's code contains the string "andy; I'm just doing my job, nothing personal, sorry." It is never displayed.

Mydoom.C

Mydoom.C copies itself into the Windows system or temporary folder as svrhost.exe and modifies the registry. It also opens a backdoor port and terminates antivirus and security processes.

Mydoom.D

Mydoom.D (also called Doomjuice.a) spreads updated code but is otherwise identical to Mydoom.A. This variant initially sent single requests in its DoS attack against Microsoft and later switched to a multiple-request strategy.

Mydoom.E

Mydoom.E appeared on 16 February 2004. It is functionally similar to the previous variants: it spreads by email and over the Kazaa peer-to-peer network, drops a backdoor, and attacks the www.sco.com website.

Mydoom.F

Mydoom.F deletes files from infected machines as well as leaving them open to remote access, as previous versions of Mydoom did. Infected systems harbor a backdoor that allows attackers to remotely access and control the machines, which can then be used to send spam or launch denial-of-service attacks.

Security experts believe that MyDoom.F was not authored by the coder who created the original MyDoom worm and its earlier variants. MyDoom.F’s code has a line that reads: "I am 'Irony,' made by jxq7==-."

Mydoom.G

Mydoom.G arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed. It contains this hidden message:

netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. They may be called skynets, but not your shitty application.

Mydoom.H

Mydoom.H is a mass-mailing worm that opens a backdoor on TCP ports 80 and 1080 and can download and execute arbitrary files. It also performs a Denial of Service (DoS) attack against www.symantec.com.

Mydoom.I

Mydoom.I is a mass-mailing worm that arrives as an attachment. The worm is similar in functionality to MyDoom.A. 

MyDoom.J

Mydoom.J is an encrypted, mass-mailing worm that arrives as an attachment with either a .pif, .scr, .exe, .cmd, .bat, or .zip extension. The worm also contains keylogging capabilities. It recycles code from earlier Mydoom variants as well as some parts from Bugbear.

Mydoom.K

Mydoom.K appeared on May 21st, 2004. It is functionally similar to MyDoom.E, but does not spread to Kazaa file sharing network and does not perform a DoS (Denial of Service) attack. The worm drops a backdoor component that listens on port 3127.

Mydoom.L

Mydoom.L uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system. The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.

Mydoom.M

Mydoom.M is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer.

Mydoom.N

Mydoom.N is a variant of Mydoom.M. It is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, which listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses that it finds on the infected computer. The email contains a spoofed From address. The subject and body text will vary, as will the name of the attachment. This threat is packed using ASPack.

Mydoom.O

Mydoom.O spreads like its previous variants and it also uses Yahoo People Search to search for more victims' email addresses. Mydoom.O is also detected as Mydoom.Q.

Mydoom.P

Mydoom.P is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. The email contains a spoofed From address. The subject and message body vary, and the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension. This threat is packed using UPX.

Mydoom.Q

Mydoom.Q is a mass-mailing worm that downloads an executable file and uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. 

Mydoom.R

Mydoom.R is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. The email contains a spoofed From address. The subject and message body vary, and the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension.

Mydoom.S

Mydoom.S is a mass-mailing worm that downloads a copy of Backdoor.Nemog.B.

Mydoom.T

Mydoom.T is a mass-mailing worm that spreads in emails with varying subject and body texts and over the Kazaa P2P (peer-to-peer) file-sharing network. It drops a backdoor component that listens on port 5422 and can also perform a DDoS (Distributed Denial of Service) attack against Microsoft's website.

Mydoom.U

Mydoom.U is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. The subject and message body vary, and the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension. It is similar to Mydoom.P.

Mydoom.V

Mydoom.V is a mass-mailing worm that downloads an executable file. Mydoom.V may spoof the sender address on email sent by the worm.

Mydoom.W

Mydoom.W is a mass-mailing worm that attempts to perform a Distributed Denial of Service (DDoS) attack against www.symantec.com.

Mydoom.X

Mydoom.X is a mass-mailing worm that spreads in emails with different subject and body texts, downloads and activates a backdoor.

Mydoom.Y

Mydoom.Y is a mass-mailing worm that sends itself to e-mail addresses it finds on the infected machine. The worm also downloads and runs an executable that acts as a backdoor. It is a minor variant of Mydoom.X.

Mydoom.Z

Mydoom.Z is a mass-mailing worm that sends itself to e-mail addresses it finds on the infected computer. The worm also installs a .dll file that acts as a backdoor.

Mydoom.AB

Mydoom.AB is a mass-mailing worm that downloads a copy of Backdoor.Nemog.D and spreads via ICQ and the Kazaa file-sharing network.

Mydoom.AC

Mydoom.AC is a mass-mailing worm that launches a Denial of Service (DoS) attack against a remote server. It can also spread through file-sharing networks.

Mydoom.AD

Mydoom.AD is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds from an infected system. It also attempts to spread itself through IRC and some popular peer-to-peer networks.

Mydoom.AE

Mydoom.AE is a mass-mailing worm that downloads and executes an additional file from a website. This file is detected as Worm.P2P.Scranor. The Scranor P2P (peer-to-peer) worm in turn downloads and runs another file, detected as Backdoor.Win32.Rbot.gen. Mydoom.AE carries a message from the Mydoom author(s) to antivirus vendors.

Mydoom.AF

Mydoom.AF is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. The worm also contains back door functionality which allows unauthorized remote access.

The email will have a variable subject and attachment name. The attachment will have a .cpl, .pif, or .scr file extension. The threat is packed with UPX.

Mydoom.AG

Mydoom.AG is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. It also propagates through popular peer-to-peer networks.

The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

Mydoom.AI

Mydoom.AI is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It creates a text file in the Temp folder named Mes#wtelw.txt, which contains garbage data. The worm opens the file using notepad.exe and displays the garbage data.

Mydoom.AL

Mydoom.AL is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It also spreads by using ICQ instant messenger. The worm attempts to exploit the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS04-040). This worm downloads and runs a copy of Backdoor.Nemog.D.

Mydoom.AM

Mydoom.AM is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it finds on the compromised computer. The worm also propagates through file sharing networks. W32.Mydoom.AM@mm is a minor variant of Mydoom.AG.

Mydoom.AO

Mydoom.AO is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the compromised computer. It also propagates through file sharing networks. The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension. It was the newest variant of Mydoom at the time of writing (February 2005).

Effects

Email monitoring service MessageLabs blocked 7.4 million copies of Mydoom.A. At its peak, about one in every 41 email messages carried Mydoom.A, and the worm accounted for 20-30% of worldwide email traffic shortly after its release. Targeted websites moved temporarily or permanently to new addresses to avoid the DoS attack. F-Secure antivirus expert Mikko Hypponen called Mydoom the "worst e-mail worm incident in virus history". MessageLabs ranked it number 5 on its list of most active worms.

SCO moved its website www.sco.com to www.thescogroup.com in response to the amount of requests sent to the site. The group offered a $250,000 reward for information leading to the capture and conviction of the creator of the Mydoom.A worm. Microsoft offered a similar reward for the creator of the Mydoom.B worm, which attacked their site.

Background

The SCO Group, which claimed to own the rights to Unix, sued several vendors and supporters of Linux, alleging that some of its proprietary code had been copied into the system. The company sued Novell (owner of SuSE), AutoZone and DaimlerChrysler, and was in turn sued by Red Hat and IBM. The litigation caused much anger in the open source community, which led many to suspect that Linux supporters were behind the worm. Open source groups around the world denied this and condemned the creation of viruses and worms.

Other Facts

Many "most dangerous computer viruses" lists rank Mydoom first, probably because of how fast it spread and because its DoS attack on sco.com took the site down temporarily.

Timeline

  • 26 January 2004: The Mydoom virus is first identified around 8am EST (1300 UTC), just before the beginning of the workday in North America. The earliest messages originate from Russia. For a period of a few hours mid-day, the worm's rapid spread slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time.
Although Mydoom's denial of service attack was scheduled to begin on 1 February 2004, SCO Group's website goes offline briefly in the hours after the worm is first released. It is unclear whether Mydoom was responsible for this. SCO Group claimed it was the target of several distributed denial of service attacks in 2003 that were unrelated to computer viruses.
  • 27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator. In the US, the FBI and the Secret Service begin investigations into the worm.
  • 28 January: A second version of the worm is discovered two days after the initial attack. The first messages sent by Mydoom.B are identified at around 1400 UTC and also appear to originate from Russia. The new version includes the original denial of service attack against SCO Group and an identical attack aimed at Microsoft.com beginning on 3 February 2004; however, both attacks are suspected to be either broken, or non-functional decoy code intended to conceal the backdoor function of Mydoom. Mydoom.B also blocks access to the websites of over 60 computer security companies, as well as pop-up advertisements provided by DoubleClick and other online marketing companies.
The spread of MyDoom peaks; computer security companies report that Mydoom is responsible for roughly one in five e-mail messages at this time.
  • 29 January: The spread of Mydoom begins to decline as bugs in Mydoom.B's code prevent it from spreading as rapidly as first anticipated. Microsoft offers US $250,000 reward for information leading to the arrest of the creator of Mydoom.B.
  • 1 February 2004: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date. As 1 February arrives in East Asia and Australia, SCO removes www.sco.com from the DNS around 1700 UTC on 31 January. (There is as yet no independent confirmation of www.sco.com in fact suffering the planned DDOS.)
  • 3 February: Mydoom.B's distributed denial of service attack on Microsoft begins, for which Microsoft prepares by offering a website which will not be affected by the worm, information.microsoft.com. However, the impact of the attack remains minimal and www.microsoft.com remains functional. This is attributed to the comparatively low distribution of the Mydoom.B variant, the high load tolerance of Microsoft's web servers and precautions taken by the company. Some experts point out that the burden is less than that of Microsoft software updates and other such web-based services.
  • 9 February: Doomjuice, a "parasitic" worm, begins spreading. This worm uses the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its payload, akin to one of Mydoom.B's, is a denial-of-service attack against Microsoft.
  • 12 February: Mydoom.A is programmed to stop spreading. However, the backdoor remains open after this date.
  • 1 March: Mydoom.B is programmed to stop spreading; as with Mydoom.A, the backdoor remains open.
  • 26 July: A variant of Mydoom attacks Google, AltaVista and Lycos, completely stopping the function of the popular Google search engine for the larger portion of the workday, and creating noticeable slow-downs in the AltaVista and Lycos engines for hours.
  • 10 September: MyDoom versions U, V, W and X appear, sparking worries that a new, more powerful MyDoom is being prepared.
  • 18 February 2005: MyDoom version AO appears.
  • July 2009: MyDoom resurfaces in the July 2009 cyber attacks affecting South Korea and the United States.

Media

[Image gallery: Email-Worm.Win32.Mydoom; Email-Worm.Win32.Mydoom.A (images not reproduced)]

Sources

Peter Ferrie. Symantec.com, W32.Mydoom.A

Scott Gettis. Symantec.com, W32.Mydoom.B@mm

McAfee Antivirus, W32/Mydoom@MM

Sophos Antivirus, W32/Mydoom-A

John Hogan. SearchWinIT, "A week of gloom and Mydoom". 2004.01.30

David Becker. CNet News, "Mydoom Virus Declared Worst Ever". 2004.01.29

John Leyden. The Register, "SCO sidesteps MyDoom attacks". 2004.02.03

John Leyden. The Register, "MyDoom assault forces SCO off the net". 2004.02.02

Dick O'Brien. ENN, "SCO falls to Mydoom.A worm". 2004.02.02

Anthony Quinn. ENN, "Irish Linux group condemns viruses". 2004.02.06

Norton Antivirus, http://uk.norton.com/top-5-viruses/promo
