Mydoom is a worm on Microsoft Windows reported to be the most damaging worm ever released, with $3k more damage than that of Sobig. It also set records for spreading ability.



Mydoom can be transmitted through email or file sharing with Kazaa. To be transmitted through Kazaa, the user must download the worm from an infected computer on the Kazaa network.

Mydoom also arrives in an email address with a spoofed sender address with eight possible subject lines:

  • test
  • hi
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the email could be one of three possibilities:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment has a generic name and two file extensions in an attempt to fool the user into thinking it is some sort of document. The file name has nine possibilities:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

The first fake file extension has three:

  • htm
  • txt
  • doc

The second real file extension has six:

  • bat
  • cmd
  • exe
  • pif
  • scr
  • zip

The .zip version will be an actual .zip file with a copy of the worm bearing the same name as the .zip. If it has an .exe or .scr extension, the attachment will have an icon similar to that of a .txt file in Windows XP.


When Mydoom is executed, it copies itself to the Windows system folder as Taskmon.exe (which is a legitimate file, though only when found in the Windows folder). It also creates the file Shimgapi.dll in the system folder.

This file is a backdoor trojan that opens TCP listening ports ranging from 3127 to 3198 and can download and execute arbitrary files. A file named Message, which contains random letters when opened with Notepad is placed in the Temp folder and opened in Notepad.

The worm creates or modifies several registry keys. It adds the value "TaskMon = \System Folder\taskmon.exe to two keys, one a Local Machine and the other a Current User registry key, both ensure that the worm will run every time the computer is started. It cradds the value "(Default) = \(System Folder)\shimgapi.dll" to a root registry key that ensures shimgapi.dll will be run by Internet Explorer when the web browser is run. It also creates a Local Machine and current user version of another registry key.

Mydoom then searches files with the following extensions for email addresses:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

The worm then sends itself as an email using its own SMTP engine. The worm also contains strings with which it attempts to randomly generate an email address. The strings are the following mostly common names:

  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

The worm will attempt to guess the name of the receiving server by appending the following strings to the domain name:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

It will avoid sending itself to domain names with the following strings:

  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • .gov
  • gov.
  • hotmail
  • iana
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • math
  • .mil
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • usenet
  • utgers.ed

It will also avoid sending itself to any user names with the following strings:

  • abuse
  • anyone
  • bugs
  • ca
  • contact
  • feste
  • gold-certs
  • help
  • info
  • me
  • no
  • noone
  • nobody
  • not
  • nothing
  • page
  • postmaster
  • privacy
  • rating
  • root
  • samples
  • secur
  • service
  • site
  • spm
  • soft
  • somebody
  • someone
  • submit
  • the.bat
  • webmaster
  • you
  • your
  • www

It will avoid email addresses with the following strings, regardless of whether the string is in the user or domain name:

  • admin
  • accoun
  • bsd
  • certific
  • google
  • icrosoft
  • linux
  • listserv
  • ntivi
  • spam
  • support
  • unix

It will copy itself to the Kazaa download folder under the following file names:

  • winamp5
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004

Between 2004.02.01 and 2004.02.12 the worm tries to perform a DoS attack on the website It creates 64 threads, which make an HTTP GET request from a random port on the infected computer to port 80 of There is a 25% likelihood that the attack will come from any given infected machine because of the way Mydoom verifies the date.



Mydoom.B launches a Denial of Service attack against both SCO and Microsoft. It begins its attack on on February 1st, using 7 threads to constantly send a GET request to the website. It begins its attack on on February 3rd and uses 13 threads.

In the worms code the message "andy; I'm just doing my job, nothing personal, sorry." can be found. It is never displayed.


MyDoom.E appeared on 16th of February 2004. It is functionally similar to previous variants. Like previous variants it spreads in email, Kazaa peer-to-peer network, drops a backdoor and attacks website.


MyDoom.F deletes files from infected machines as well as leaving them open to malicious hack attacks, as previous versions of MyDoom did. Infected systems harbor a backdoor that allows malicious hackers to remotely access and control infected machines, which can then be used to spew spam or launch denial-of-service attacks.

Security experts believe that MyDoom.F was not authored by the coder who created the original MyDoom worm and its earlier variants. MyDoom.F’s code has a line that reads: "I am 'Irony,' made by jxq7==-."


Mydoom.G arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed.


Mydoom.J is an encrypted, mass-mailing worm that arrives as an attachment with either a .pif, .scr, .exe, .cmd, .bat, or .zip extension. The worm also contains keylogging capabilities. It recycles code from earlier Mydoom variants as well as some parts from Bugbear.


Mydoom.L uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system. The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.


Mydoom.O spreads like its previous variants and it also uses Yahoo People Search to search for more victims' email addresses. Mydoom.O is also detected as Mydoom.Q.


Email monitoring service MessageLabs blocked 7.4 million copies of Mydoom.A. Mydoom.A had infected about one out of every 41 email messages. It accounted for 20-30% of worldwide email traffic shortly after its release to the wild. Major websites moved temporarily or permanently to new addresses to avoid the DoS attack. F-Secure antivirus expert Mikko Hypponen called Mydoom the "worst e-mail worm incident in virus history". MessageLabs ranked it number 5 on its list of most active worms.

SCO moved its website to in response to the amount of requests sent to the site. The group offered a $250,000 reward for information leading to the capture and conviction of the creator of the Mydoom.A worm. Microsoft offered a similar reward for the creator of the Mydoom.B worm, which attacked their site.


The SCO Group, which owns the rights to Unix, sued several vendors and supporters of Linux, claiming that some of its proprietary code was used in the system. The company sued Novell (owners of SuSE), AutoZone and Daimler-Chrysler and was sued by Red Hat and IBM. This action caused much anger in the open source community, causing many to suspect they were involved. Many open source groups around the world denied this and condemned the creation of viruses and worms.

Other Facts

According to many "most dangerous computer viruses" lists, it is considered the most dangerous virus. Perhaps due to how fast it spread, or because its DoS attack on, shutting it down temporarily.



Peter Ferrie., W32.Mydoom.A

Scott Gettis., W32.Mydoom.B@mm

McAfee Antivirus, W32/Mydoom@MM

Sophos Antivirus, W32/Mydoom-A

John Hogan. SearchWinIT, "A week of gloom and Mydoom". 2004.01.30

David Becker. CNet News, "Mydoom Virus Declared Worst Ever". 2004.01.29

John Leyden. The Register, SCO sidesteps MyDoom attacks. 2004.02.03

-. -, MyDoom assault forces SCO off the net. 2004.02.02

Dick O'Brien. ENN, SCO falls to Mydoom.A worm. 2004.02.02

Anthony Quinn. -, Irish Linux group condemns viruses 2004.02.06

Norton Antivirus, ☀