The MyDoom Worm
The internet has seen many self-replicating infections since the Morris Worm of 1988. Programs with this capability are called viruses and worms, and they remain a serious threat to anyone using the internet today. Some have been mild, others a nuisance, and a few downright destructive. A recent threat that has caused major problems is a computer worm by the name of MyDoom.
How the MyDoom Worm Works
The MyDoom worm was first discovered on January 26th, 2004. It goes by several names depending on the anti-virus vendor, including Novarg, Shimgapi and Mimail.R. Like most mass-mailing worms, MyDoom forges the sender address on the emails it sends, using addresses harvested from the infected machine, which has caused many innocent users to be blamed for distributing it. What amplified the spread of the worm was the flood of security alerts sent out by anti-virus gateways. The alerting issue arose when infected emails were detected at the Internet Service Provider or at the recipient's mail gateway. Depending on the administrator's configuration, the anti-virus solution could send an alert to the intended recipient and to the alleged sender, that is, to the forged address.
The problem is that the sender address was forged, so a lot of innocent users were accused of sending the worm even though they were never infected. The situation only became more confusing and chaotic as the infection continued to spread. Several anti-virus products returned the infected message, attachment included, to the alleged sender, thus infecting that person with MyDoom if they opened the attachment. The volume of anti-virus alerts quickly exceeded the actual number of MyDoom emails. Some have even speculated that this backscatter of alerts was itself a form of DoS (denial-of-service) attack. The practical lesson for mail administrators is to quarantine a detected worm silently and never notify the sender address, since that address is almost always forged.
Other Functions of MyDoom
Triggering anti-virus alerts wasn't MyDoom's only effect. The worm also carried a DoS payload of its own, aimed at SCO.com, the website of the SCO Group, a well-known vendor of the Unix operating system. Starting on February 1st, 2004, every infected computer worldwide sent GET requests to the vendor's website, once a second, in an attempt to overload the server; the worm was programmed to stop spreading on February 12th, 2004. This caused a lot of controversy, since the flood came from the machines of ordinary users, which made it look as if they were attacking SCO.com.
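The DoS traffic described above is easy to spot in a web server's access log once you know what to look for: either one client issuing the same request many times a second, or a large number of distinct clients all requesting the site in the same second. The following Python script is an added example written for this page (it is not code from the worm, from SCO or from any vendor); it parses Apache-style combined log lines, constructed here as sample input with hypothetical 10.0.0.x addresses, and reports both patterns.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze(lines, per_ip_per_sec=3, distinct_ips_per_sec=50):
    """Return (noisy_ips, swarm_seconds).

    noisy_ips:     clients that issued >= per_ip_per_sec GET requests within one
                   second (a single infected host hammering the site).
    swarm_seconds: log timestamps (second resolution) in which >= distinct_ips_per_sec
                   different clients hit the site at once: the distributed pattern,
                   where no single source looks noisy on its own.
    Thresholds are illustrative; tune them to the site's normal traffic.
    """
    per_ip = defaultdict(Counter)    # ip -> Counter(second -> request count)
    per_sec_ips = defaultdict(set)   # second -> set of client ips seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue                  # malformed line or not a GET: ignore
        per_ip[m["ip"]][m["ts"]] += 1
        per_sec_ips[m["ts"]].add(m["ip"])
    noisy = sorted(ip for ip, secs in per_ip.items() if max(secs.values()) >= per_ip_per_sec)
    swarm = sorted(sec for sec, ips in per_sec_ips.items() if len(ips) >= distinct_ips_per_sec)
    return noisy, swarm


def build_sample_lines():
    """Constructed sample log: three 'infected' hosts (hypothetical 10.0.0.x addresses)
    each firing five GET / requests in the same second, plus one ordinary visitor."""
    ts = "01/Feb/2004:00:00:01 +0000"
    lines = []
    for i in range(1, 4):
        for _ in range(5):
            lines.append(f'10.0.0.{i} - - [{ts}] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0"')
    lines.append(f'192.0.2.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 5000 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    noisy, swarm = analyze(SAMPLE_LINES, distinct_ips_per_sec=4)
    print("noisy clients:", noisy)   # the three 10.0.0.x hosts, not 192.0.2.7
    print("swarm seconds:", swarm)   # the one second in which all four clients hit the site
```

The per-client count catches a handful of infected machines; the per-second distinct-client count is the one that matters for a worm like MyDoom, where each source sends only a request a second but there are tens of thousands of sources.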
How MyDoom is Distributed
MyDoom distributes itself via email and via the popular peer-to-peer network KaZaA. The email typically carries a spoofed sender address and one of the following subject lines:
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
The attachment has a .cmd, .exe, .pif or .scr extension, or it arrives as a .zip archive containing the executable.
The attachment's icon may also look like that of a .txt file, though the attachment itself is executable. To hide its activity, MyDoom launches Notepad when executed, filling the window with random characters. Meanwhile it silently drops a copy of itself into the Windows System folder as an executable (taskmon.exe) and adds a Run entry to the registry so the copy starts with Windows; it also installs a DLL (shimgapi.dll) that opens a backdoor listening on TCP port 3127. MyDoom also checks the registry for a KaZaA installation. If the program is installed, it drops copies of itself into the KaZaA shared folder under various enticing names with executable extensions. This lets it infect KaZaA users who download and unknowingly run one of the files.
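The subject lines, attachment extensions and disguised-extension trick described in this section are exactly the indicators a mail gateway can match on. The following Python script is an added example written for this page, not Symantec's or any vendor's code: it parses a raw message with the standard library, looks inside .zip attachments, and returns the indicators it finds. The three sample messages, the example.com addresses and the placeholder "MZ" payload are all constructed here for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the article: subject lines and attachment extensions MyDoom used.
WORM_SUBJECTS = {"mail delivery system", "mail transaction failed", "server report", "status"}
EXEC_EXTENSIONS = (".cmd", ".exe", ".pif", ".scr")


def executable_names(filename, payload):
    """Names of executable files carried by one attachment; looks inside .zip archives."""
    name = (filename or "").lower()
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
        except zipfile.BadZipFile:
            return []            # corrupt archive: nothing we can name, let AV handle it
    return [name] if name.endswith(EXEC_EXTENSIONS) else []


def triage(raw_message):
    """Return a list of indicator strings found in a raw RFC 822 message (empty = clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append(f"subject matches worm list: {subject!r}")
    for part in msg.iter_attachments():
        for name in executable_names(part.get_filename(), part.get_payload(decode=True)):
            hits.append(f"executable attachment: {name}")
            # "document.txt.pif": a harmless-looking extension in front of the real one,
            # the same disguise as the .txt icon described above
            stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
            if "." in stem:
                hits.append(f"double extension: {name}")
    return hits


def build_sample(subject, attachment_name, payload):
    """Constructed sample message with a forged From address, as the worm produces."""
    msg = EmailMessage()
    msg["From"] = "innocent.user@example.com"   # forged sender, hypothetical
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def _zip_with(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


FAKE_EXE = b"MZ" + b"\x00" * 30   # placeholder bytes, not a real binary

SAMPLES = {
    "worm":   build_sample("Mail Transaction Failed", "document.txt.pif", FAKE_EXE),
    "zipped": build_sample("Status", "message.zip", _zip_with("message.exe", FAKE_EXE)),
    "benign": build_sample("Quarterly figures", "notes.txt", b"plain text"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or ["clean"])
```

A non-empty result should drive a quarantine decision only; given how the sender address is forged, notifying the From address would just reproduce the backscatter problem described earlier.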
Symantec recommends using its dedicated removal tool to rid an infected system of this worm, as opposed to relying on a regular anti-virus scan alone, because MyDoom drops several files on the system and adds registry entries that all have to be cleaned up together.