Mydoom
Mydoom | |
---|---|
Example of a randomly generated file opened by Mydoom after execution | |
Type | Computer worm |
Technical details | |
Platform | Windows 2000,Windows XP |
Written in | C++ |
Discontinued |
|
Mydoomwas acomputer wormthat targeted computers runningMicrosoft Windows.It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by theSobig wormandILOVEYOU,a record which as of 2024 has yet to be surpassed.[1]
Mydoom appears to have been commissioned by e-mailspammersto send junk e-mail through infected computers.[2]The worm contains the text message"Andy; I'm just doing my job, nothing personal, sorry,"leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.
The worm appeared to be a poorly sent e-mail, and most people who originally were e-mailed the worm ignored it, thinking it was spam. However, it eventually spread to infect at least 500 thousand computers across the globe.[3]
Speculative early coverage held that the sole purpose of the worm was to perpetrate adistributed denial-of-service attackagainstSCO Group.25 percent of Mydoom.A-infected hosts targeted SCO Group with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by aLinuxoropen sourcesupporter in retaliation for SCO Group's controversiallegal actionsand public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.
Mydoom was named by Craig Schmugar, an employee of computer security firmMcAfeeand one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."[4]
Technical overview
[edit]Mydoom is primarily transmitted viae-mail,appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains anattachmentthat, ifexecuted,resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the "shared folder" ofpeer-to-peerfile sharingapplicationKazaain an attempt to spread that way.
Mydoom avoids targeting e-mail addresses at certain universities, such asRutgers,MIT,StanfordandUC Berkeley,as well as certain companies such asMicrosoftandSymantec.Some early reports claimed the worm avoidsall.eduaddresses, but this is not the case.
The original version,Mydoom.A,is described as carrying twopayloads:
- Abackdooronport3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as achild processofWindows Explorer); this is essentially the same backdoor used byMimail.
- Adenial-of-service attackagainst the website of thecontroversialcompanySCO Group,timed to commence 1 February 2004. Many virus analysts doubted if this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.[5]
A second version,Mydoom.B,as well as carrying the original payloads, also targets the Microsoft website and blocks access to Microsoft sites and popular onlineantivirussites by modifying thehosts file,thus blocking virus removal tools or updates to antivirus software. The smaller number of copies of this version in circulation meant that Microsoft's servers suffered few ill effects.[6][7]
Timeline
[edit]This sectionneeds additional citations forverification.(June 2022) |
- 26 January 2004:The Mydoom virus is first identified around 8amEST(1300 UTC), just before the beginning of the workday in North America. The earliest messages originate from Russia. For a period of a few hours mid-day, the worm's rapid spread slows overall internet performance by approximately ten percent and averageweb pageload times by approximately fifty percent. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time.
- Although Mydoom's Denial of Service (DoS) attack was scheduled to begin on 1 February 2004,SCO Group's website goes offline briefly in the hours after the worm is first released. It is unclear whether Mydoom was responsible for this. SCO Group claimed it was the target of severaldistributed denial of serviceattacks in 2003 that were unrelated to computer viruses.
- 27 January 2004:SCO Groupoffers a US$250,000 reward for information leading to the arrest of the worm's creator. In the US, theFBIand theSecret Servicebegin investigations into the worm.
- 28 January 2004:A second version of the worm is discovered two days after the initial attack. The first messages sent by Mydoom.B are identified at around 1400 UTC and also appear to originate from Russia. The new version includes the original denial of service attack against SCO Group and an identical attack aimed at Microsoft beginning on 3 February 2004; however, both attacks are suspected to be either broken, or non-functional decoy code intended to conceal thebackdoorfunction of Mydoom. Mydoom.B also blocks access to the websites of over 60 computer security companies, as well as pop-up advertisements provided byDoubleClickand other online marketing companies.
- The spread of Mydoom peaks; computer security companies report that Mydoom is responsible for roughly one in five e-mail messages at this time.
- 29 January 2004:The spread of Mydoom begins to decline as bugs in Mydoom.B's code prevent it from spreading as rapidly as first anticipated. Microsoft offers US$250,000 reward for information leading to the arrest of the creator of Mydoom.B.
- 1 February 2004:An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date. As 1 February arrives in East Asia and Australia, SCO removes sco from theDNSaround 1700UTCon 31 January. (There is as yet no independent confirmation of sco in fact suffering the planned DDOS.)
- 3 February 2004:Mydoom.B's distributed denial of service attack on Microsoft begins, for which Microsoft prepares by offering a website which will not be affected by the worm, information.microsoft.[8]However, the impact of the attack remains minimal andmicrosoftremains functional. This is attributed to the comparatively low distribution of the Mydoom.B variant, the high load tolerance of Microsoft's web servers and precautions taken by the company. Some experts point out that the burden is less than that of Microsoft software updates and other such web-based services.
- 9 February 2004:Doomjuice, a “parasitic” worm, begins spreading. This worm uses the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its payload, akin to one of Mydoom.B's, is a denial-of-service attack against Microsoft.[9]
- 12 February 2004:Mydoom.A is programmed to stop spreading. However, the backdoor remains open after this date.
- 1 March 2004:Mydoom.B is programmed to stop spreading; as with Mydoom.A, the backdoor remains open.
- 26 July 2004:A variant of Mydoom attacksGoogle,AltaVistaandLycos,completely stopping the function of the popular Google search engine for the larger portion of the workday, and creating noticeable slow-downs in the AltaVista and Lycos engines for hours.
- 23 September 2004:Mydoom versions U, V, W and X appear, sparking worries that a new, more powerful Mydoom is being prepared.
- 18 February 2005:Mydoom version AO appears.
- July 2009:Mydoom resurfaces in theJuly 2009 cyber attacksaffecting South Korea and the United States.[10]
See also
[edit]References
[edit]- ^"Security firm: MyDoom worm fastest yet".CNN.Time Warner. 2004-01-28.Archivedfrom the original on 2007-11-14.Retrieved2007-10-14.
- ^Tiernan Ray (2004-02-18)."E-mail viruses blamed as spam rises sharply".The Seattle Times.The Seattle Times Company.Archivedfrom the original on 2012-08-26.Retrieved2004-02-19.
- ^"Mydoom threat still high;Microsoft offers reward".NBC News.26 January 2004. Archived fromthe originalon August 5, 2021.Retrieved2022-06-29.
- ^"More Doom?".Newsweek.Washington Post Company.2004-02-03.Archivedfrom the original on 2009-03-02.Retrieved2007-10-28.
- ^"[Review] MyDoom Virus: The Most Destructive & Fastest Email Worm".MiniTool.Retrieved2023-10-12.
- ^"Mydoom virus starts to fizzle out".BBC News.BBC. 2004-02-04.Archivedfrom the original on 2004-04-16.Retrieved2004-02-04.
- ^"How to Thwart Renewed 'MyDoom' E-Mail Bug".ABC News.Archivedfrom the original on 2020-09-28.Retrieved2020-06-28.
- ^"Microsoft Information: MyDoom (Wayback Archive from 4 Feb 2004)".microsoft.2004-02-04. Archived from the original on February 4, 2004.
{{cite web}}
:CS1 maint: unfit URL (link) - ^"W32.HLLW.Doomjuice".Symantec Corporation. 2007-02-13. Archived fromthe originalon 2004-04-15.Retrieved2004-02-10.
- ^"Lazy Hacker and Little Worm Set Off Cyberwar Frenzy".Wired News.2009-07-08.Archivedfrom the original on 2009-07-10.Retrieved2009-07-09.
External links
[edit]- MyDoom and DDoS Attacks
- "Email-Worm.Win32.Mydoom.a".Viruslist.Kaspersky Lab. Archived fromthe originalon 2006-10-15.
- SCO Offers Reward for Arrest and Conviction of Mydoom Virus Author- SCO press release, 27 January 2004. Note the claim that the denial of service attack had already started at this date.
- "Mydoom".F-Secure Computer Virus Information Pages.F-Secure Corporation.
- "Win32.Mydoom.A".Security Advisor.Computer Associates International. Archived fromthe originalon 2005-04-10.Retrieved2005-04-30.
- Information about the Mydoom worm from Symantec
- "Computer Virus That Caused $50 Billion Damage".The InfoGraphics Show YouTube Channel.