Mydoom

From Wikinfo


Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm that spread in January 2004, affecting computers running Microsoft Windows; it became the fastest-spreading email worm ever (as of January 2004), exceeding previous records set by the Sobig worm.

Mydoom is primarily transmitted via email, appearing as a transmission error (with subject lines including "Error," "Mail Delivery System," "Test" or "Mail Transaction Failed."). The email contains an attachment that, if executed, resends the worm to email addresses found in local files such as a user's address book. It also copies itself to the "shared folder" of the peer-to-peer file-sharing application KaZaA in an attempt to spread that way.

The worm is described as carrying two payloads:

Early documentation of the worm erroneously stated that it did not target email addresses in the .edu domain, used chiefly by US and Canadian universities and research institutions. In fact, Mydoom does target .edu addresses, but avoids those of certain institutions, such as Rutgers and MIT, as well as certain companies such as Microsoft and Symantec.

Timeline

  • 26 January 2004: The Mydoom virus is first identified around 8 a.m. EST (1300 UTC), just before the beginning of the workday in North America; the earliest messages originate from Russia. For a period of a few hours mid-day, the effects of the worm's rapid spread slow overall internet performance by approximately ten percent and slow average web page load times by approximately fifty percent. Computer security companies report that Mydoom is responsible for approximately one out of ten email messages sent.

    Although Mydoom's denial of service attack was scheduled to begin on 1 February 2004, SCO Group's website goes offline briefly in the hours after the worm is first released. It is unclear whether Mydoom was responsible for this. SCO Group's site was allegedly the target of several distributed denial of service attacks in 2003 that were unrelated to computer viruses.
  • 27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator. In the United States, the FBI and the Secret Service begin investigations into the worm.
  • 28 January: A second version of the virus is discovered two days after the initial attack. Mydoom.b includes the original attack against SCO Group and an identical denial of service attack aimed at Microsoft.com, though both of the denial of service attacks are suspected to be either broken or non-functional decoy code intended to conceal the backdoor aspects of Mydoom. Mydoom.b also blocks access to the websites of over 60 computer security companies, making it more difficult to download software updates to combat the virus.

    Computer security companies report that the Mydoom worm is responsible for roughly one out of five email messages sent on the internet.
  • 12 February: Mydoom is programmed to stop spreading. However, the backdoor remains open after this date.
