Mydoom

Mydoom is reported to be the second most damaging worm ever released, topped only by Sobig. It also set records for spreading ability.

Transmission
Mydoom can be transmitted through email or file sharing with Kazaa. To be transmitted through Kazaa, the user must download the worm from an infected computer on the Kazaa network.

Mydoom also arrives in an email address with a spoofed sender address with eight possible subject lines:


 * test
 * hi
 * hello
 * Mail Delivery System
 * Mail Transaction Failed
 * Server Report
 * Status
 * Error

The body of the email could be one of three possibilities:


 * Mail transaction failed. Partial message is available.
 * The message contains Unicode characters and has been sent as a binary attachment.
 * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment has a generic name and two file extensions in an attempt to fool the user into thinking it is some sort of document. The file name has nine possibilities:


 * document
 * readme
 * doc
 * text
 * file
 * data
 * test
 * message
 * body

The first fake file extension has three:


 * htm
 * txt
 * doc

The second real file extension has six:


 * bat
 * cmd
 * exe
 * pif
 * scr
 * zip

The .zip version will be an actual .zip file with a copy of the worm bearing the same name as the .zip. If it has an .exe or .scr extension, the attachment will have an icon similar to that of a .txt file in Windows XP.

Infection
When Mydoom is executed, it copies itself to the Windows system folder as Taskmon.exe (which is a legitimate file, though only when found in the Windows folder). It also creates the file Shimgapi.dll in the system folder.

This file is a backdoor trojan that opens TCP listening ports ranging from 3127 to 3198 and can download and execute arbitrary files. A file named Message, which contains random letters when opened with Notepad is placed in the Temp folder and opened in Notepad.

The worm creates or modifies several registry keys. It adds the value "TaskMon = \System Folder\taskmon.exe to two keys, one a Local Machine and the other a Current User registry key, both ensure that the worm will run every time the computer is started. It cradds the value "(Default) = \(System Folder)\shimgapi.dll" to a root registry key that ensures shimgapi.dll will be run by Internet Explorer when the web browser is run. It also creates a Local Machine and current user version of another registry key.

Mydoom then searches files with the following extensions for email addresses:


 * adb
 * asp
 * dbx
 * htm
 * php
 * pl
 * sht
 * tbb
 * txt
 * wab

The worm then sends itself as an email using its own SMTP engine. The worm also contains strings with which it attempts to randomly generate an email address. The strings are the following mostly common names:


 * adam
 * alex
 * alice
 * andrew
 * anna
 * bill
 * bob
 * brenda
 * brent
 * brian
 * claudia
 * dan
 * dave
 * david
 * debby
 * fred
 * george
 * helen
 * jack
 * james
 * jane
 * jerry
 * jim
 * jimmy
 * joe
 * john
 * jose
 * julie
 * kevin
 * leo
 * linda
 * maria
 * mary
 * matt
 * michael
 * mike
 * peter
 * ray
 * robert
 * sam
 * sandra
 * serg
 * smith
 * stan
 * steve
 * ted
 * tom

The worm will attempt to guess the name of the receiving server by appending the following strings to the domain name:


 * mx.
 * mail.
 * smtp.
 * mx1.
 * mxs.
 * mail1.
 * relay.
 * ns.

It will avoid sending itself to domain names with the following strings:


 * acketst
 * arin.
 * avp
 * berkeley
 * borlan
 * example
 * fido
 * foo.
 * fsf.
 * gnu
 * .gov
 * gov.
 * hotmail
 * iana
 * ibm.com
 * icrosof
 * ietf
 * inpris
 * isc.o
 * isi.e
 * kernel
 * math
 * .mil
 * mit.e
 * mozilla
 * msn.
 * mydomai
 * nodomai
 * panda
 * pgp
 * rfc-ed
 * ripe.
 * ruslis
 * secur
 * sendmail
 * sopho
 * syma
 * tanford.e
 * usenet
 * utgers.ed

It will also avoid sending itself to any user names with the following strings:


 * abuse
 * anyone
 * bugs
 * ca
 * contact
 * feste
 * gold-certs
 * help
 * info
 * me
 * no
 * noone
 * nobody
 * not
 * nothing
 * page
 * postmaster
 * privacy
 * rating
 * root
 * samples
 * secur
 * service
 * site
 * spm
 * soft
 * somebody
 * someone
 * submit
 * the.bat
 * webmaster
 * you
 * your
 * www

It will avoid email addresses with the following strings, regardless of whether the string is in the user or domain name:


 * admin
 * accoun
 * bsd
 * certific
 * google
 * icrosoft
 * linux
 * listserv
 * ntivi
 * spam
 * support
 * unix

It will copy itself to the Kazaa download folder under the following file names:


 * winamp5
 * icq2004-final
 * activation_crack
 * strip-girl-2.0bdcom_patches
 * rootkitXP
 * office_crack
 * nuke2004

Between 2004.02.01 and 2004.02.12 the worm tries to perform a DoS attack on the website www.sco.com. It creates 64 threads, which make an HTTP GET request from a random port on the infected computer to port 80 of www.sco.com. There is a 25% likelihood that the attack will come from any given infected machine because of the way Mydoom verifies the date.

Mydoom.B
Mydoom.B launches a Denial of Service attack against both SCO and Microsoft. It begins its attack on www.sco.com on February 01, using 7 threads to constantly send a GET request to the website. It begins its attack on www.microsoft.com on February 03 and uses 13 threads.

Effects
Email monitoring service MessageLabs blocked 7.4 million copies of Mydoom.A. Mydoom.A had infected about one out of every 41 email messages. It accounted for 20-30% of worldwide email traffic shortly after its release to the wild. Major websites moved temporarily or permanently to new addresses to avoid the DoS attack. F-Secure antivirus expert Mikko Hypponen called Mydoom the "the worst e-mail worm incident in virus history". MessageLabs ranked it number 5 on its list of most active worms.

SCO moved its website www.sco.com to www.thescogroup.com in response to the amount of requests sent to the site. The group offered a $250,000 reward for information leading to the capture and conviction of the creator of the Mydoom.A worm. Microsoft offered a similar reward for the creator of the Mydoom.B worm, which attacked their site.

Background
The SCO Group, which owns the rights to Unix, sued several vendors and supporters of Linux, claiming that some of its proprietary code was used in the system. The company sued Novell (owners of SuSE), AutoZone and Daimler-Chrysler and was sued by Red Hat and IBM. This action caused much anger in the open source community, causing many to suspect they were involved. Many open source groups around the world denied this and condemned the creation of viruses and worms.