Mydoom
Type: Multiple-vector worm
Creator:
Date Discovered: 2004.01.26
Place of Origin: Russia
Source Language: C++
Platform: MS Windows
File Type(s): .cmd, .exe, .pif, .scr, .zip
Infection Length: 22,528 bytes
Reported Costs: $38.5 billion

Mydoom is reported to be the most damaging virus or worm ever released, followed closely by Sobig. It also set records for the speed and volume at which it spread.

Behavior

Transmission


Mydoom spreads through email and through file sharing on the Kazaa network. For the Kazaa route to work, a user must download the worm from an infected computer on the network.
By email, Mydoom arrives as a message with a spoofed sender address and one of eight possible subject lines:

  • test
  • hi
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the email could be one of three possibilities:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment has a generic name and, in many cases, a double file extension, so that the user takes it for some kind of document. The base file name has nine possibilities:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

The first (fake) extension, when present, has three possibilities:

  • htm
  • txt
  • doc

The second (real) extension has six possibilities:

  • bat
  • cmd
  • exe
  • pif
  • scr
  • zip

The .zip version is a real .zip archive containing a copy of the worm with the same base name as the archive. If the attachment has an .exe or .scr extension, it carries an icon resembling the Windows XP icon for a .txt (Notepad) file.
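The lure can be matched mechanically from the lists above. The following is an added example, not code from the original page or from any antivirus vendor: a Python filter that parses a raw RFC 822 message, compares the subject and body against the Mydoom.A texts, matches the attachment name against the name/fake-extension/real-extension pattern, and for .zip attachments opens the archive to confirm that it holds a single executable with a lure name (the page's description of the .zip variant). The sample messages, the example.org/example.net addresses and the inert "MZ" payload bytes are constructed for the demonstration.

```python
"""Flag e-mails matching the Mydoom.A lure (added example, not vendor or worm code)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject and body texts used by the worm, as listed on this page (compared case-insensitively).
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
NAMES = "document|readme|doc|text|file|data|test|message|body"
FAKE_EXT = "htm|txt|doc"
REAL_EXT = "bat|cmd|exe|pif|scr|zip"
# "<name>[.<fake ext>].<real ext>", e.g. document.txt.pif or readme.zip
LURE_NAME = re.compile(rf"^(?P<stem>{NAMES})(?:\.(?:{FAKE_EXT}))?\.(?P<ext>{REAL_EXT})$", re.I)


def zip_carries_lure(data: bytes) -> bool:
    """True if the archive holds exactly one file whose name is itself a lure name
    with an executable (non-zip) extension, as the page describes for the .zip variant."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    if len(names) != 1:
        return False
    m = LURE_NAME.match(names[0])
    return bool(m) and m.group("ext").lower() != "zip"


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which lure features it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "body": False, "attachment": False}
    hits["subject"] = str(msg.get("Subject", "")).strip().lower() in SUBJECTS
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            m = LURE_NAME.match(filename)
            if m:
                payload = part.get_payload(decode=True) or b""
                if m.group("ext").lower() == "zip":
                    hits["attachment"] = hits["attachment"] or zip_carries_lure(payload)
                else:
                    hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            hits["body"] = hits["body"] or part.get_content().strip().lower() in BODIES
    # A lure-named executable plus either the canned subject or the canned body is a hit.
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def make_zip(inner_name: str, inner_data: bytes) -> bytes:
    """Build an in-memory zip for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


def build_sample(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the addresses are placeholders and the payload is inert."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.org"
    msg["To"] = "someone@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Mail Delivery System",
                          "Mail transaction failed. Partial message is available.",
                          "document.txt.pif", b"MZ\x90\x00")
    print(score_message(sample))
```

The regex accepts both the single-extension form (readme.zip, data.scr) and the double-extension form (document.txt.pif), so it covers every name the lists above can produce; the zip check is what keeps an archive named data.zip that merely contains notes.txt from being flagged.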

Infection

When Mydoom is executed, it copies itself to the Windows system folder as Taskmon.exe (a legitimate file name, though the genuine file is only found in the Windows folder, not the system folder). It also drops Shimgapi.dll into the system folder. This file is a backdoor trojan that listens on the first available TCP port in the range 3127 to 3198 and can download and execute arbitrary files on command. Finally, a file named Message, which contains random characters when viewed in Notepad, is written to the Temp folder and opened in Notepad.

The worm creates or modifies several registry keys. It adds the value "TaskMon" = "(System Folder)\taskmon.exe" to the Software\Microsoft\Windows\CurrentVersion\Run key under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, so that the worm starts every time the computer is booted or the user logs on. It sets the "(Default)" value of an InProcServer32 key under HKEY_CLASSES_ROOT to "(System Folder)\shimgapi.dll", hijacking a COM class so that Explorer loads the backdoor DLL into its process whenever the shell is started. It also creates one further key in both the Local Machine and Current User hives.


Mydoom then searches files with the following extensions for email addresses:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

The worm then mails itself using its own SMTP engine. It also carries a list of strings, mostly common first names, which it uses as user names when generating additional target addresses:

  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

The worm attempts to guess the name of the receiving mail server by prepending the following strings to the target's domain name:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

It avoids sending itself to domain names containing the following strings:

  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • .gov
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • math
  • .mil
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • usenet
  • utgers.ed

It also avoids sending itself to user names containing the following strings:

  • abuse
  • anyone
  • bugs
  • ca
  • contact
  • feste
  • gold-certs
  • help
  • info
  • me
  • no
  • noone
  • nobody
  • not
  • nothing
  • page
  • postmaster
  • privacy
  • rating
  • root
  • samples
  • secur
  • service
  • site
  • spm
  • soft
  • somebody
  • someone
  • submit
  • the.bat
  • webmaster
  • you
  • your
  • www

It avoids email addresses containing the following strings, whether they appear in the user name or the domain:

  • admin
  • accoun
  • bsd
  • certific
  • google
  • icrosoft
  • linux
  • listserv
  • ntivi
  • spam
  • support
  • unix

It will copy itself to the Kazaa download folder under the following file names:

  • winamp5
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004

Between 2004.02.01 and 2004.02.12 the worm attempts a Denial of Service (DoS) attack on the website www.sco.com. It creates 64 threads, each of which repeatedly makes an HTTP GET request from a random local port on the infected computer to port 80 of www.sco.com. Because of the way Mydoom checks the date, only about one in four infected machines actually takes part, so there is a 25% likelihood that the attack will come from any given infected machine.
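From the target's side, the flood described above shows up in web-server logs as a large number of identical requests per second from each participating host. The following is an added example, not code from the page, from SCO or from the worm: a Python detector over Combined Log Format access-log lines that flags any source whose busiest sliding window holds at least a threshold number of requests and whose traffic is almost entirely one repeated request line, and notes whether the peak falls inside the 2004.02.01 to 2004.02.12 window the text gives. The log lines, the RFC 5737 test addresses, the 10-second window and the threshold of 50 are constructed for the demonstration.

```python
"""Detect a Mydoom-style GET flood in Combined Log Format access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Mydoom.A's attack window against www.sco.com, as stated in the text above.
ATTACK_START, ATTACK_END = date(2004, 2, 1), date(2004, 2, 12)


def parse_line(line):
    """Return (ip, timestamp, request line) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, f'{m["method"]} {m["path"]}'


def flag_flood_sources(lines, window=timedelta(seconds=10), threshold=50, uniformity=0.9):
    """Return {ip: (peak_requests_in_window, peak_inside_attack_window)} for every source
    whose busiest `window` holds at least `threshold` requests and whose single most common
    request line accounts for at least `uniformity` of everything it sent."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        peak, peak_ts, start = 0, None, 0
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while recs[end][1] - recs[start][1] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_ts = end - start + 1, recs[end][1]
        top_share = Counter(r[2] for r in recs).most_common(1)[0][1] / len(recs)
        if peak >= threshold and top_share >= uniformity:
            flagged[ip] = (peak, ATTACK_START <= peak_ts.date() <= ATTACK_END)
    return flagged


def sample_log():
    """Constructed log: one flooding host sending 200 identical 'GET /' requests in 10 s,
    and one ordinary visitor browsing five pages half a minute apart."""
    base = datetime(2004, 2, 1, 16, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(200):
        ts = (base + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "-"')
    for i, path in enumerate(["/", "/products/", "/press/", "/about/", "/contact/"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET {path} HTTP/1.1" 200 2048 '
                     f'"http://www.example.com/" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, (peak, in_window) in flag_flood_sources(sample_log()).items():
        print(f"{ip}: {peak} requests in 10 s, inside Mydoom.A attack window: {in_window}")
```

The uniformity ratio is what separates a flood of one hard-coded request from a busy but legitimate crawler, which fetches many different paths; the threshold should be tuned to the server's normal per-client rate before the detector is used on real logs.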

Variants

Several variants of Mydoom are of note.

Mydoom.B

Mydoom.B launches Denial of Service attacks against both SCO and Microsoft. It begins its attack on www.sco.com on February 1, using 7 threads that constantly send GET requests to the site, and its attack on www.microsoft.com on February 3, using 13 threads.

Effects

Email monitoring service MessageLabs blocked 7.4 million copies of Mydoom.A. Mydoom.A was present in about one of every 41 email messages; at its peak it reached one in every twelve, breaking Sobig's record of one in 21. It accounted for 20-30% of worldwide email traffic shortly after its release into the wild. Major websites moved temporarily or permanently to new addresses to avoid the DoS attack. F-Secure antivirus expert Mikko Hypponen called Mydoom "the worst e-mail worm incident in virus history". MessageLabs ranked it number 5 on its list of most active worms.

It caused slowdowns of internet traffic worldwide. Kaspersky estimated that 600,000 to 700,000 computers were infected with the worm. Thirteen percent of these were in the US, while only one percent were in its home country of Russia; the comparative lack of infections there was attributed to better security practices.

SCO moved its website from www.sco.com to www.thescogroup.com in response to the volume of requests sent to the site. The company offered a $250,000 reward for information leading to the capture and conviction of the creator of the Mydoom.A worm. Microsoft offered a similar reward for the creator of the Mydoom.B worm, which attacked its site.

Mydoom and its variants are said to have caused $38.5 billion in damage. This figure, however, comes from the mi2g organisation, which is known for extremely high, often implausible, damage estimates.

Background

The SCO Group, which owns the rights to Unix, sued several vendors and supporters of Linux, claiming that some of its proprietary code had been used in the system. The company sued Novell (former owner of SuSE, now part of Attachmate), AutoZone and DaimlerChrysler, and was in turn sued by Red Hat and IBM. This action caused much anger in the open source community, leading some to suspect that community of involvement in the worm. Many open source groups around the world denied any involvement and condemned the creation of viruses and worms. Mydoom's origin was traced to Russia when Kaspersky Lab's location-sensing software followed the earliest emails back to Russian ISPs.

Other Facts

The British IDM musician Aphex Twin released a track named W32.Mydoom.AU@mm on his eleventh Analord EP. He has released several tracks named after viruses and other malware, including Redolf and Ranky on the same record. Other tracks on that record involving viruses include Analord 8 and Analord 9.

Sources

Peter Ferrie. Symantec.com, W32.Mydoom.A

Scott Gettis. Symantec.com, W32.Mydoom.B@mm

McAfee Antivirus, W32/Mydoom@MM

Sophos Antivirus, W32/Mydoom-A

John Hogan. SearchWinIT, "A week of gloom and Mydoom". 2004.01.30

Antone Gonsalves. TechWeb News (through NetworkComputing.com), Mydoom Shows Vulnerability Of The Web. 2004.02.02

David Becker. CNet News, "Mydoom Virus Declared Worst Ever". 2004.01.29

John Leyden. The Register, SCO sidesteps MyDoom attacks. 2004.02.03

John Leyden. The Register, MyDoom assault forces SCO off the net. 2004.02.02

Simon Ostrovsky. The St. Petersburg Times, Issue 939, "VIRULENT MYDOOM COMPUTER VIRUS CREATED IN RUSSIA." 2004.01.30

Dick O'Brien. ENN, SCO falls to Mydoom.A worm. 2004.02.02

Anthony Quinn. ENN, Irish Linux group condemns viruses. 2004.02.06

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License