Uploaded by kostja-lucenko2017

MyDoom

advertisement
MyDoom
The virus that caused the most damage in history
mydoom also known
as, my.doom, W32.MyDoom@mm , Novarg,
Mimail.R, Shimgapi, W32/Mydoom@MM, WO
RM_MYDOOM, Win32.Mydoom - computer
worm affecting Microsoft Windows. It was first
sighted on January 26, 2004. It became the
fastest-spreading e-mail worm ever, exceeding
previous records set by the Sobig
worm and ILOVEYOU, a record which as of
2022 has yet to be surpassed. MyDoom
appears to have been commissioned by email spammers to send junk e-mail through
infected computers. The worm contains the text
message "andy; I'm just doing my job, nothing
personal, sorry," leading many to believe that
the worm's creator was paid. Early on, several
security firms expressed their belief that the
worm originated from a programmer in
Russia. The actual author of the worm is
unknown. The worm appeared to be a poorly
sent e-mail, and most people who originally
were e-mailed the worm ignored it, thinking it
was spam. However, it eventually spread to
infect at least 500 thousand computers across
the globe.

Speculative early coverage held that the sole purpose of the worm was to
perpetrate a distributed denial-of-service attack against SCO Group. 25
percent of MyDoom.A-infected hosts targeted SCO Group with a flood of
traffic. Trade press conjecture, spurred on by SCO Group's own claims, held
that this meant the worm was created by a Linux or open source supporter
in retaliation for SCO Group's controversial legal actions and public
statements against Linux.

Initial analysis of MyDoom suggested that it was a variant of
the Mimail worm—therefore the alternate name Mimail.R—prompting
speculation that the same people were responsible for both worms. Later
analyses were less conclusive as to the link between the two worms.

MyDoom was named by Craig Schmugar, an employee of computer security
firm McAfee and one of the earliest discoverers of the worm. Schmugar
chose the name after noticing the text "mydom" within a line of the
program's code. He noted: "It was evident early on that this would be very
big. I thought having 'doom' in the name would be appropriate."
Technical overview

MyDoom primarily transmitted via e-mail, appearing as a transmission error, with subject
lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in
different languages, including English and French. The mail contains an attachment that,
if executed, resends the worm to e-mail addresses found in local files such as a user's
address book.

MyDoom avoids targeting e-mail addresses at certain universities, such
as Rutgers, MIT, Stanford and UC Berkeley, as well as certain companies such
as Microsoft and Symantec. Some early reports claimed the worm
avoids all .edu addresses, but this is not the case.

The original version, Mydoom.A, is described as carrying two payloads:
•
A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own
SHIMGAPI.DLL file in the system32 directory and launching it as a child
process of Windows Explorer); this is essentially the same backdoor used by Mimail.
•
A denial-of-service attack against the website of the controversial company SCO Group,
timed to commence 1 February 2004. Many virus analysts doubted if this payload would
actually function. Later testing suggests that it functions in only 25% of infected systems.

A second version, Mydoom.B, as well as carrying the original payloads, also targets the
Microsoft website and blocks access to Microsoft sites and popular online antivirus sites by
modifying the hosts file, thus blocking virus removal tools or updates to antivirus software.
The smaller number of copies of this version in circulation meant that Microsoft's servers
suffered few ill effects.
Timeline

26 January 2004: The MyDoom virus is first identified around 13:00 UTC, just before the beginning of
the workday in North America. The earliest messages originate from Russia. For a period of a few
hours mid-day, the worm's rapid spread slows overall internet performance by approximately ten
percent and average web page load times by approximately fifty percent. Computer security
companies report that Mydoom is responsible for approximately one in ten e-mail messages at this
time. Although MyDoom's denial of service attack was scheduled to begin on 1 February 2004, SCO
Group's website goes offline briefly in the hours after the worm is first released.

27 January 2004: SCO Group offers a US $250,000 reward for information leading to the arrest of
the worm's creator. In the US, the FBI and the Secret Service begin investigations into the worm.

28 January 2004: A second version of the worm is discovered two days after the initial attack. The
first messages sent by Mydoom.B are identified at around 14:00 and also appear to originate from
Russia. The new version includes the original denial of service attack against SCO Group and an
identical attack aimed at Microsoft.com beginning on 3 February 2004. Mydoom.B also blocks access
to the websites of over 60 computer security companies, as well as pop-up advertisements provided
by DoubleClick and other online marketing companies. The spread of MyDoom peaks; computer
security companies report that Mydoom is responsible for roughly one in five e-mail messages at this
time.

29 January 2004: The spread of MyDoom begins to decline as bugs in Mydoom.B's code prevent it
from spreading as rapidly as first anticipated. Microsoft offers US $250,000 reward for information
leading to the arrest of the creator of Mydoom.B.

1 February 2004: An estimated one million computers around the world infected with
MyDoom begin the virus's massive distributed denial of service attack—the largest
such attack to date.

3 February 2004: Mydoom.B's distributed denial of service attack on Microsoft begins,
for which Microsoft prepares by offering a website which will not be affected by the
worm, information.microsoft.com. However, the impact of the attack remains minimal
and www.microsoft.com remains functional. This is attributed to the comparatively low
distribution of the Mydoom.B variant, the high load tolerance of Microsoft's web
servers and precautions taken by the company. Some experts point out that the
burden is less than that of Microsoft software updates and other such web-based
services.

9 February 2004: Doomjuice, a “parasitic” worm, begins spreading. This worm uses
the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its
payload, akin to one of Mydoom.B's, is a denial-of-service attack against Microsoft.

12 February 2004: Mydoom.A is programmed to stop spreading. However, the
backdoor remains open after this date.

1 March 2004: Mydoom.B is programmed to stop spreading; as with Mydoom.A, the
backdoor remains open.
Download