In-Depth

First Worm Outbreak of the Year Packs a Wallop

MyDoom monopolizes Internet via e-mail harvesting, P2P file sharing, back door

• By Mathew Schwartz
• 01/29/2004

“In just a few hours this malicious program caused a global epidemic, infecting approximately 300 thousand computers throughout the world. This incident is the most serious outbreak so far this year, and shows every sign of breaking replication records set in 2003,” notes anti-virus provider Kaspersky Labs.

Anti-virus vendor Central Command estimates the virus, at its peak, accounted globally for one out of every nine e-mails sent.

MyDoom—there are already multiple versions—shows up as an encrypted e-mail attachment with file suffixes .exe, .cmd, .pif, .bat, .scr. The files can only be executed on Windows systems. The e-mail itself contains a spoofed sender (“from”) address, a random subject, and various kinds of body text. Typical examples of body text include such invitations to open the attachment as “the message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment,” and “Mail transaction failed. Partial message is available.”

If a user opens the attachment, MyDoom executes, copying itself to the hard drive. One copy aims for P2P services; look for a file at “c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr.” The other copy ends up at “c:\WINDOWS\SYSTEM\taskmon.exe.” In the Windows System directory, the worm also creates a 4,096-byte DLL for itself at “c:\WINDOWS\SYSTEM\shimgapi.dll.” To ensure startup when the system boots, it also creates a registry entry: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe.”

After copying and registering itself, MyDoom harvests e-mail addresses from the computer, mailing a copy of itself to all addresses found, then installing a backdoor on the victim’s machine on a TCP port (between 3127 and 3198), allowing remote access to and control of the computer by an attacker.

"This is a complex virus because it acts quickly and comes with so many varieties of attachments, making it more difficult for the average user to discern it is a virus,” says TippingPoint chief technology officer Marc Willebeek-LeMair.

Symantec notes the virus steers clear of government and military e-mail addresses, avoiding any .gov or .mil sites.

If an infected user also uses P2P software such as Kazaa, the virus appears to other P2P users, with the pseudonyms "winamp5", "icq2004-final," or various other names and file extensions.

Researchers also report MyDoom is set to launch a denial of service attack against http://www.sco.com, sometime between February 1 and 12. Such an attack would cause every infected computer to query the aforementioned URL, likely crashing the site or at least making it inaccessible. Given the target, experts suspect a coder unhappy with SCO --currently suing IBM for its use of Linux—to be the MyDoom author.

Yet MyDoom.B, the second version of the virus, might discount those theories. It’s set to attack both http://www.microsoft.com and SCO’s site come February 1. Anti-virus company F-Secure notes it “believes this may be a backdoor smokescreen for Spammers, instead of hacktivism around the Linux issue directed at SCO.”

Still, SCO did suffer a massive denial-of-service attack from an estimated 250,000 computers, knocking its Web site offline for the February 1 weekend. The company re-launched its Web site under a different URL (http://www.thescogroup.com) to circumvent the attack.

Links:

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R&VSect=T

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10098

http://www.f-secure.com/v-descs/mydoom_b.shtml