Page 1: MyDoom
By: Philippe Bissohong

Page 2: Background

► MyDoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi.

► Computer worm: unlike a virus, it attacks a network and does not need to be attached to other software.

► Discovered by Craig Schmugar, a McAfee employee.

► Source unknown. Considered a deliberate act of sabotage or vandalism against SCO Group, most likely by a Linux or open source supporter retaliating against SCO Group's lawsuit and public statements against Linux.

Page 3: Timeline

► January 26, 2004: Fastest spreading email worm.

► February 1, 2004: With millions of computers affected, the distributed denial of service attack against SCO Group begins.

► February 2, 2004: SCO Group moves its site to a different address.

► February 3, 2004: Beginning of the distributed denial of service attack against Microsoft, but Microsoft remains functional.

► February 12, 2004: MyDoom is programmed to stop spreading, but the infected files remain on your computer.

► July 26, 2004: A MyDoom variant shuts down Google and slows down other search engines like AltaVista and Lycos.

Page 4: Malware

► Program to send a flood of traffic to a specific host for a period of time.

► When executed, it copies itself into the Windows system folder, leaving a back door that gives hackers remote control of your system.

► Adds an entry in the registry so it is activated every time Windows starts up.

► Blocks HTTP access to certain sites like Microsoft and other popular antivirus sites, preventing updates to anti-virus software or downloads of removal tools.

Page 5: Transmission

► Mainly transmitted via email:
  From: spoofed sender that looks like somebody you might know.
  Subject: "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed".
  Message: blank or random error messages.
  Includes an attachment.

► If executed, it steals your email addresses and generates random emails to resend the worm.

► Also transmitted through peer-to-peer (P2P) file sharing (Kazaa): it sneaks into your shared folder in an effort to spread that way.
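Defensive triage logic for the lure just described, as an added example (not from the original slides): it parses a raw message, checks the subject against the four canned subjects, looks for a blank body and an executable attachment, and returns a verdict. The extension list and the 40-character body threshold are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects the slides list for the worm's lure messages.
LURE_SUBJECTS = {"error", "mail delivery system", "test", "mail transaction failed"}
# Extensions treated as executable content (assumed gateway policy, not from the slides).
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".cmd", ".bat", ".zip")


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the MyDoom lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append("lure_subject")
    # The slides describe a blank or meaningless body; treat a very short text body as such.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if len(body) < 40:
        hits.append("blank_or_noise_body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append("risky_attachment:" + name)
    has_attachment = any(h.startswith("risky_attachment:") for h in hits)
    if has_attachment and ("lure_subject" in hits or "blank_or_noise_body" in hits):
        verdict = "quarantine"  # full lure: canned subject or empty body plus executable
    elif has_attachment or "lure_subject" in hits:
        verdict = "review"      # partial match, hand to an analyst
    else:
        verdict = "deliver"
    return {"hits": hits, "verdict": verdict}


def build_sample(subject: str, body: str, attachment_name: str = "") -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"  # spoofed-looking sender, as the slides describe
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("Mail Transaction Failed", "", "document.pif")))
    print(triage(build_sample("Q3 numbers", "The attached spreadsheet has the quarter figures we discussed.", "numbers.xlsx")))
```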

Page 6: Under Control

► Various things were done to keep the attack under control:
  Alternative addresses were created by SCO Group and Microsoft.
  Disinfection tools were created to detect and remove MyDoom.
  The worm expired on its own after February 12.
  Anti-virus vendors updated their software.
  A $250,000 reward was offered for information leading to the worm's creator.

Page 7: Lesson

► Install and enable a firewall.

► Install anti-virus software and keep it up-to-date.

► Make sure your anti-virus checks every file that is opened.

► Install security updates.

► Never download, install or run an attachment unless you trust the sender.

► When in doubt or already infected, seek help immediately.

