Mydoom (computer worm)

Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer virus affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm. [CNN.com (Time Warner), "Security firm: MyDoom worm fastest yet", 2004-01-28, http://edition.cnn.com/2004/TECH/internet/01/28/mydoom.spreadwed/]

Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. [Tiernan Ray, "E-mail viruses blamed as spam rises sharply", The Seattle Times (The Seattle Times Company), 2004-02-18, http://seattletimes.nwsource.com/html/businesstechnology/2001859752_spamdoubles18.html] The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid to do so. Early on, several security firms published their belief that the worm originated from a professional underground programmer in Russia. [Agence France Presse, "Mydoom Internet worm likely from Russia, linked to spam mail: security firm", MCN International Pte Ltd., 2004-01-31, http://www.channelnewsasia.com/stories/afp_world/view/68810/1/.html (dead link as of October 2007; archived copy at http://web.archive.org/web/20060220034445/http://www.channelnewsasia.com/stories/afp_world/view/68810/1/.html)] The actual author of the worm is unknown.

Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25% of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected out of hand by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs. [Brian Grow and Jason Bush, "Hacker Hunters: An elite force takes on the dark side of computing", BusinessWeek (The McGraw-Hill Companies Inc.), 2005-05-30, http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm]

Initial analysis of Mydoom suggested that it was a variant of the Mimail worm — hence the alternate name Mimail.R — prompting speculation that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.

Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate." [Newsweek (Washington Post Company), "More Doom?", 2004-02-03, http://www.newsweek.com/id/52912]

Technical overview

Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed” in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the “shared folder” of peer-to-peer file-sharing application KaZaA in an attempt to spread that way.

Mydoom avoids targeting e-mail addresses at certain universities, such as Rutgers, MIT, Stanford and UC Berkeley, as well as certain companies such as Microsoft and Symantec. Some early reports claimed the worm avoids all .edu addresses, but this is not the case.
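A mail-gateway check for the transmission-error lures described above, written here as an added example that is not code from the article or from any antivirus vendor. The subject strings are the English ones the article lists; the set of risky attachment extensions and the two sample messages are assumptions constructed for illustration.

```python
# Added example (not from the article or any vendor): mail-gateway triage for
# the Mydoom transmission-error lures. Lure subjects are the English ones the
# article lists; the risky-extension set is an assumption; samples are constructed.
from email import message_from_string

# English lure subjects given in the article, matched case-insensitively.
LURE_SUBJECTS = {"error", "mail delivery system", "test", "mail transaction failed"}
# Assumed: attachment types a gateway would treat as directly executable.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".zip")


def attachment_names(msg):
    """Filenames of every MIME part declared as an attachment."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_content_disposition() == "attachment"]


def is_mydoom_lure(raw):
    """True when the subject is a known lure AND a risky attachment rides along.
    A lure subject alone is not enough: genuine bounces use the same wording."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject not in LURE_SUBJECTS:
        return False
    return any(n.lower().endswith(RISKY_EXTENSIONS) for n in attachment_names(msg))


# Constructed samples: one worm-style message, one genuine-looking bounce.
LURE = """Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered; see the attached report.
--b1
Content-Type: application/octet-stream; name="report.pif"
Content-Disposition: attachment; filename="report.pif"

dGVzdA==
--b1--
"""
BOUNCE = "Subject: Mail Delivery System\n\nYour message was not delivered.\n"

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("bounce", BOUNCE)):
        print(label, "->", "quarantine" if is_mydoom_lure(raw) else "pass")
```

Requiring both the lure subject and an executable-type attachment keeps legitimate bounce notices, which use the same subject wording, out of quarantine.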

The original version, Mydoom.A, is described as carrying two payloads:

* A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of Windows Explorer); this is essentially the same backdoor used by Mimail.
* A denial of service attack against the website of the controversial company SCO Group, timed to commence 1 February 2004. Many virus analysts doubted whether this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.

A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks HTTP access to Microsoft sites and popular online antivirus sites, thus blocking virus removal tools or updates to antivirus software. The smaller number of copies of this version in circulation meant that Microsoft's servers suffered few ill effects. [BBC News, "Mydoom virus starts to fizzle out", 2004-02-04, http://news.bbc.co.uk/1/hi/technology/3459363.stm]

Timeline

* 26 January 2004: The Mydoom virus is first identified around 8am EST (1300 UTC), just before the beginning of the workday in North America. The earliest messages originate from Russia. For a period of a few hours mid-day, the worm's rapid spread slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time.
** Although Mydoom's denial of service attack was scheduled to begin on 1 February 2004, SCO Group's website goes offline briefly in the hours after the worm is first released. It is unclear whether Mydoom was responsible for this. SCO Group claimed it was the target of several distributed denial of service attacks in 2003 that were unrelated to computer viruses.
* 27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator. In the US, the FBI and the Secret Service begin investigations into the worm.
* 28 January: A second version of the worm is discovered two days after the initial attack. The first messages sent by Mydoom.B are identified at around 1400 UTC and also appear to originate from Russia. The new version includes the original denial of service attack against SCO Group and an identical attack aimed at Microsoft.com beginning on 3 February 2004 — though both attacks are suspected to be either broken, or non-functional decoy code intended to conceal the backdoor function of Mydoom. Mydoom.B also blocks access to the websites of over 60 computer security companies, as well as pop-up advertisements provided by DoubleClick and other online marketing companies.
** The spread of Mydoom peaks; computer security companies report that Mydoom is responsible for roughly one in five e-mail messages at this time.
* 29 January: The spread of Mydoom begins to decline as bugs in Mydoom.B's code prevent it from spreading as rapidly as first anticipated. Microsoft offers US $250,000 reward for information leading to the arrest of the creator of Mydoom.B.
* 1 February 2004: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date. As 1 February arrives in East Asia and Australia, SCO removes www.sco.com from the DNS around 1700 UTC on 31 January. (There is as yet no independent confirmation of www.sco.com in fact suffering the planned DDoS.)
* 3 February: Mydoom.B's distributed denial of service attack on Microsoft begins, for which Microsoft prepares by offering a website which will not be affected by the worm, [http://information.microsoft.com information.microsoft.com]. However, the impact of the attack remains minimal and [http://www.microsoft.com www.microsoft.com] remains functional. This is attributed to the comparatively low distribution of the Mydoom.B variant, the high load tolerance of Microsoft's web servers and precautions taken by the company. Some experts point out that the burden is less than that of Microsoft software updates and other such web-based services.
* 9 February: Doomjuice, a "parasitic" worm, begins spreading. This worm uses the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its payload, akin to one of Mydoom.B's, is a denial-of-service attack against Microsoft. [Symantec Corporation, "W32.HLLW.Doomjuice", 2007-02-13, http://www.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html]
* 12 February: Mydoom.A is programmed to stop spreading. However, the backdoor remains open after this date.
* 1 March: Mydoom.B is programmed to stop spreading; as with Mydoom.A, the backdoor remains open.
* 26 July: A variant of Mydoom attacks Google, AltaVista and Lycos, completely stopping the function of the popular Google search engine for the larger portion of the workday, and creating noticeable slow-downs in the AltaVista and Lycos engines for hours.
* 10 September: MyDoom versions U, V, W and X appear, sparking worries that a new, more powerful MyDoom is being prepared.
* 18 February 2005: MyDoom version AO appears.

See also

* Timeline of notable computer viruses and worms

External links

* [http://www.evilbitz.com/2006/12/09/an-intriguer-virus/ MyDoom and DDoS Attacks]
* [http://www.viruslist.com/en/viruses/encyclopedia?virusid=22686 Email-Worm.Win32.Mydoom.a] - Viruslist.com, Kaspersky Lab
* [http://ir.sco.com/ReleaseDetail.cfm?ReleaseID=127545 SCO Offers Reward for Arrest and Conviction of Mydoom Virus Author] - SCO press release, 27 January 2004. Note the claim that the denial of service attack had already started at this date.
* [http://www.f-secure.com/v-descs/novarg.shtml Mydoom] - F-Secure Computer Virus Information Pages, F-Secure Corporation
* [http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=38102 Win32.Mydoom.A] - Security Advisor, Computer Associates International
* [http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99 Information about the Mydoom worm from Symantec.com]


Wikimedia Foundation. 2010.
