The MyDoom worm: history, technical details, and defense

What is MyDoom?

While many people call it a virus, technically MyDoom is a worm, as it can operate and spread independently from the host.

MyDoom (also known as Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R) spreads through malicious email attachments. After the victim clicks on the attachment, the worm gets inside their operating system and sends emails to all the victim’s contacts. When people see a familiar name, they are more likely to open a suspicious file.

At the time of discovery in 2004, you could also get MyDoom by using the file-sharing platform Kazaa, which is no longer operating.

MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.

Technical details

MyDoom arrives with one of the following subject lines: test, hi, hello, mail delivery system, mail transaction failed, server report, status, or error. According to cybersecurity experts, the malicious email attachments typically contain pif, scr, exe, cmd, bat, htm, txt, doc, and zip extensions.

When MyDoom is executed, it copies itself to the %system% or %temp% directories. The worm also creates a registry value in one of the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This causes the worm to start whenever you launch your Windows computer. MyDoom also deploys a backdoor Trojan, allowing unauthorized access to your system, and copies itself to P2P to spread through downloads. After all of this is done, an infected device turns into a so-called zombie — a remotely controlled machine that can be used in DDoS attacks.

Variants

The first version of MyDoom was called MyDoom.A, followed by MyDoom.B, which additionally modified the host file of an infected computer to prevent the use of antimalware software.

However, MyDoom.B did not spread as fast as the previous variant. When it launched a DDoS attack against Microsoft in 2004, the botnet was not big enough to take down the site.

A bunch of other MyDoom variants – C, F, G/H, U, V, W, X – were spotted in the wild later, but none achieved the notoriety of the A variant.

The History of MyDoom

When was MyDoom popular?

MyDoom was first spotted on January 26, 2004, when internet users around the world started to get emails with a suspicious attachment. Most people in those days didn’t have a clue about phishing emails, social engineering, or hacking attacks. No wonder many of them clicked on a link and helped spread MyDoom like wildfire.

The malicious email contained the message “I’m just doing my job, nothing personal, sorry.” The spread of MyDoom was so fast that it slowed the global internet by ten percent on the day of its launch. One in ten email messages in the world at the time of the attack was associated with this notorious worm.

On January 28, MyDoom reached its peak and then started to slowly decline. However, the virus was slowed down not by cybersecurity experts but by its developers, as variant B had bugs.

The biggest attack

On January 26, MyDoom took down Google, preventing people from using Google Search. Another popular search engine, Yahoo, was slowed down but managed to keep operating.

MyDoom also blocked access to websites of over 60 security companies, so users couldn’t download antivirus software to clean their computers. Tech industry leaders like Microsoft offered a $250,000 bounty to anyone who could track down the attackers. However, the culprits were never found.

Estimates say that MyDoom caused $38 billion in damages, making it one of the worst viruses ever. Security researchers believe MyDoom has infected around 50 million computers worldwide.

Is MyDoom still active?

While more than 18 years have passed since the launch of MyDoom, the worm is still active and running. However, it is contained in just over 1% of malicious emails worldwide, mostly those sent by spammers originating from China and the US.

MyDoom hasn’t changed its tactics throughout the years: once the worm infects a computer, it starts searching for other email addresses through which to distribute itself.

How to tell if a device is infected with MyDoom

If you have a feeling that your computer may be infected with MyDoom or any other type of malware, pay attention to its performance. However, MyDoom is considered to be a sophisticated worm, so it can be hard to notice any difference for non-professionals. Here’s what you need to look for:

• Your computer has become slower than usual.
• Unexpected pop-ups appear.
• The computer fan is constantly running.
• The default homepage changes.
• You notice toolbars in your browser you don’t remember adding.
• Mass emails are being sent from your account.
• Your security software is disabled for no reason.

More attentive readers can also check for specific signs attributed to MyDoom:

• TCP ports are opened. MyDoom.A opened ports in the range of 3127-3198. Other variants opened ports such as 80, 139, 445, 1080, 8080, and 10080. The virus needs an open port to establish a backdoor and take control over the infected computer.
• A random .txt file appears. Some variants of MyDoom create a .txt file containing random data.
• The host file is overwritten. MyDoom can overwrite the host file, so you can’t use your antivirus software.

How to prevent yourself from being affected by MyDoom

• Don’t open malicious attachments. Always closely inspect every email you receive, and never open an attachment unless you are 100% sure it’s legitimate. If you can’t tell if an email is safe, verify it with the sender.
• Update your software. Running your computer on outdated software is a bad idea, so always update your software on time. This will keep viruses away and mitigate the risk of your computer getting infected.
• Install antivirus software. While Windows machines have a native antivirus installed, you can also get third-party software to enhance your security. We also recommend using our own Threat Protection feature. It scans downloads for potential malware, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.
• Block ports. Since MyDoom targets specific TCP ports, you can block them and avoid trouble.