mydoom also known as, my.doom, W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi, W32/Mydoom@MM, WORM_MYDOOM, Win32.Mydoom is a

computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...

affecting

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...

. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the

Sobig worm The Sobig Worm was a computer worm that infected millions of Internet-connected, Microsoft Windows computers in August 2003. Although there were indications that tests of the worm were carried out as early as August 2002, Sobig.A was first found ...

and ILOVEYOU, a record which as of 2022 has yet to be surpassed. MyDoom appears to have been commissioned by e-mail spammers to send junk e-mail through infected computers. The worm contains the text message ''"andy; I'm just doing my job, nothing personal, sorry,"'' leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown. The worm appeared to be a poorly sent e-mail, and most people who originally were e-mailed the worm ignored it, thinking it was spam. However, it eventually spread to infect at least 500 thousand computers across the globe. Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against

SCO Group The SCO Group (often referred to SCO and later called The TSG Group) was an American software company in existence from 2002 to 2012 that became known for owning Unix operating system assets that had belonged to the Santa Cruz Operation (the o ...

. 25 percent of MyDoom.A-infected hosts targeted SCO Group with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, whi ...

open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized so ...

supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs. Initial analysis of MyDoom suggested that it was a variant of the

Mimail Mimail is a computer worm which first emerged in August 2003; it is transmitted via e-mail. Since its initial release, nearly two dozen variants of the original Mimail worm have appeared. The Mydoom worm, which emerged in January 2004, was initiall ...

worm—hence the alternate name Mimail.R—prompting speculation that the same people were responsible for both worms. Later analyses were less conclusive as to the link between the two worms. MyDoom was named by Craig Schmugar, an employee of computer security firm

McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company head ...

and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."

Technical overview

MyDoom is made by Lto3 and primarily transmitted via

e-mail Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic (digital) version of, or counterpart to, mail, at a time when "mail" meant ...

, appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains an attachment that, if

executed Capital punishment, also known as the death penalty, is the state-sanctioned practice of deliberately killing a person as a punishment for an actual or supposed crime, usually following an authorized, rule-governed process to conclude that t ...

, resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the "shared folder" of

peer-to-peer Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer ...

file sharing File sharing is the practice of distributing or providing access to digital media, such as computer programs, multimedia (audio, images and video), documents or electronic books. Common methods of storage, transmission and dispersion include r ...

application Kazaa in an attempt to spread that way. MyDoom avoids targeting e-mail addresses at certain universities, such as

Rutgers Rutgers University (; RU), officially Rutgers, The State University of New Jersey, is a public land-grant research university consisting of four campuses in New Jersey. Chartered in 1766, Rutgers was originally called Queen's College, and w ...

, MIT,

Stanford Stanford University, officially Leland Stanford Junior University, is a Private university, private research university in Stanford, California. The campus occupies , among the largest in the United States, and enrolls over 17,000 students. S ...

and

UC Berkeley The University of California, Berkeley (UC Berkeley, Berkeley, Cal, or California) is a public land-grant research university in Berkeley, California. Established in 1868 as the University of California, it is the state's first land-grant uni ...

, as well as certain companies such as

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...

and

Symantec Symantec may refer to: *An American consumer software company now known as Gen Digital Inc. *A brand of enterprise security software purchased by Broadcom Inc. Broadcom Inc. is an American designer, developer, manufacturer and global supplier ...

. Some early reports claimed the worm avoids ''all''

.edu The domain name .edu is a sponsored top-level domain (sTLD) in the Domain Name System of the Internet. The domain was implemented in 1985 for the purpose of creating a domain name hierarchy for organizations with a focus on education, even abl ...

addresses, but this is not the case. The original version, Mydoom.A, is described as carrying two

payload Payload is the object or the entity which is being carried by an aircraft or launch vehicle. Sometimes payload also refers to the carrying capacity of an aircraft or launch vehicle, usually measured in terms of weight. Depending on the nature of ...

s: * A backdoor on

port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as H ...

3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of

Windows Explorer File Explorer, previously known as Windows Explorer, is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file ...

); this is essentially the same backdoor used by

. * A

denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host conne ...

against the website of the

controversial Controversy is a state of prolonged public dispute or debate, usually concerning a matter of conflicting opinion or point of view. The word was coined from the Latin ''controversia'', as a composite of ''controversus'' – "turned in an opposite d ...

company

, timed to commence 1 February 2004. Many virus analysts doubted if this payload would actually function. Later testing suggests that it functions in only 25% of infected systems. A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks access to Microsoft sites and popular online

antivirus Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...

sites by modifying the hosts file, thus blocking virus removal tools or updates to antivirus software. The smaller number of copies of this version in circulation meant that Microsoft's servers suffered few ill effects.

Timeline

* 26 January 2004: The MyDoom virus is first identified around 8am EST (1300 UTC), just before the beginning of the workday in North America. The earliest messages originate from Russia. For a period of a few hours mid-day, the worm's rapid spread slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time. :Although MyDoom's denial of service attack was scheduled to begin on 1 February 2004,

's website goes offline briefly in the hours after the worm is first released. It is unclear whether MyDoom was responsible for this. SCO Group claimed it was the target of several distributed denial of service attacks in 2003 that were unrelated to computer viruses. * 27 January 2004:

offers a US $250,000 reward for information leading to the arrest of the worm's creator. In the US, the FBI and the

Secret Service A secret service is a government agency, intelligence agency, or the activities of a government agency, concerned with the gathering of intelligence data. The tasks and powers of a secret service can vary greatly from one country to another. Fo ...

begin investigations into the worm. * 28 January 2004: A second version of the worm is discovered two days after the initial attack. The first messages sent by Mydoom.B are identified at around 1400 UTC and also appear to originate from Russia. The new version includes the original denial of service attack against SCO Group and an identical attack aimed at Microsoft.com beginning on 3 February 2004; however, both attacks are suspected to be either broken, or non-functional decoy code intended to conceal the backdoor function of MyDoom. Mydoom.B also blocks access to the websites of over 60 computer security companies, as well as pop-up advertisements provided by

DoubleClick DoubleClick Inc. was an advertisement company that developed and provided Internet ad serving services from 1995 until its acquisition by Google in March 2008. DoubleClick offered technology products and services that were sold primarily to ad ...

and other online marketing companies. :The spread of MyDoom peaks; computer security companies report that Mydoom is responsible for roughly one in five e-mail messages at this time. * 29 January 2004: The spread of MyDoom begins to decline as bugs in Mydoom.B's code prevent it from spreading as rapidly as first anticipated. Microsoft offers US $250,000 reward for information leading to the arrest of the creator of Mydoom.B. * 1 February 2004: An estimated one million computers around the world infected with MyDoom begin the virus's massive distributed denial of service attack—the largest such attack to date. As 1 February arrives in East Asia and Australia, SCO removes www.sco.com from the DNS around 1700 UTC on 31 January. (There is as yet no independent confirmation of www.sco.com in fact suffering the planned DDOS.) * 3 February 2004: Mydoom.B's distributed denial of service attack on Microsoft begins, for which Microsoft prepares by offering a website which will not be affected by the worm, information.microsoft.com. However, the impact of the attack remains minimal an
www.microsoft.com
remains functional. This is attributed to the comparatively low distribution of the Mydoom.B variant, the high load tolerance of Microsoft's web servers and precautions taken by the company. Some experts point out that the burden is less than that of Microsoft software updates and other such web-based services. * 9 February 2004: Doomjuice, a “parasitic” worm, begins spreading. This worm uses the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its payload, akin to one of Mydoom.B's, is a denial-of-service attack against Microsoft. * 12 February 2004: Mydoom.A is programmed to stop spreading. However, the backdoor remains open after this date. * 1 March 2004: Mydoom.B is programmed to stop spreading; as with Mydoom.A, the backdoor remains open. * 26 July 2004: A variant of MyDoom attacks

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

, AltaVista and

Lycos Lycos, Inc., is a web search engine and web portal established in 1994, spun out of Carnegie Mellon University. Lycos also encompasses a network of email, web hosting, social networking, and entertainment websites. The company is based in Walth ...

, completely stopping the function of the popular Google search engine for the larger portion of the workday, and creating noticeable slow-downs in the AltaVista and Lycos engines for hours. * 23 September 2004: MyDoom versions U, V, W and X appear, sparking worries that a new, more powerful MyDoom is being prepared. * 18 February 2005: MyDoom version AO appears. * July 2009: MyDoom resurfaces in the July 2009 cyber attacks affecting South Korea and the United States.

References

External links

MyDoom and DDoS Attacks
*
SCO Offers Reward for Arrest and Conviction of Mydoom Virus Author
- SCO press release, 27 January 2004. Note the claim that the denial of service attack had already started at this date. * *
Information about the Mydoom worm from Symantec.com
* {{Cite web , url = https://www.youtube.com/watch?v=cRH-khasTfg , title = Computer Virus That Caused $50 Billion Damage , publisher = The InfoGraphics Show YouTube Channel Computer worms Email worms Hacking in the 2000s 2004 in computing Windows malware

Technical overview

Timeline

See also

References

External links