MyDoom ☉ Ian Axelrod ☉ Chris Mungol ☉ Antonio Silva ☉ Joshua Sole ☉ Somnath Banerjee
Group 5 CS4235/8803 Spring 2010


Transcript of the slides

Page 1: Title slide (MyDoom; Ian Axelrod, Chris Mungol, Antonio Silva, Joshua Sole, Somnath Banerjee; Group 5, CS4235/8803, Spring 2010)

Page 2: What happened?

• Self-propagating email-based virus (worm)

• Claimed to be the fastest-spreading email virus

• Speculated to have originated in Russia

• Aliases: W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi

• First sighted: 26 January 2004

• MyDoom.A and MyDoom.B spread to over 1 million computers in preparation for a DDoS attack on SCO and Microsoft

• MyDoom.A and MyDoom.B stop spreading

• Doomjuice appears in the backdoors left by MyDoom.A and MyDoom.B

• Variants of MyDoom attack Google, AltaVista and Lycos

Page 3: Highlights

• The MyDoom computer virus knocked out SCO Group's Web site with a massive DoS attack.

• Microsoft was able to thwart an attack on its Windows Update site by eliminating the specific Web address the MSBlast worm targeted. The software maker killed off the site's previous address.

• The White House stymied a denial-of-service attack aimed at its Web site by diverting a deluge of data, sent by systems infected with the worm, to a different address.

Page 4: Technical Information (Analysis)

• When the Win32/Mydoom worm is executed, it copies itself to the %system% or %temp% directory. The worm also creates a registry value in one of the following keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  This value causes the worm to start when Windows is started.

• Win32/Mydoom creates a backdoor Trojan in the %system% or %windows% directory. The backdoor Trojan allows unauthorized access to the infected system. The worm may load and execute the backdoor Trojan. The worm may also modify the default values of some registry keys to reference the backdoor Trojan; this causes Explorer.exe to load and execute the Trojan when the system restarts.

Page 5: Technical Information (Analysis)

• Win32/Mydoom may copy itself to the share folder of the Kazaa P2P application, in order to spread through P2P networks.

• Win32/Mydoom may copy itself to random directories on an infected system. 

• Win32/Mydoom collects e-mail addresses from files on an infected system and sends e-mail with an attached copy of the worm to the addresses. This function is the primary propagation method the worm uses.

Page 6: Symptoms

• Some variants overwrite the hosts file, which may block access to some Microsoft and antivirus vendor Web sites. The overwritten hosts file may look similar to the screenshot.
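An added example, not from the slides: a check for the hosts-file symptom described above, flagging entries that point Microsoft or antivirus vendor names at a loopback or unspecified address. The vendor domain list and the sample hosts file are constructed for illustration.

```python
# Added example (not from the slides): detect hosts-file entries that sinkhole
# Microsoft or antivirus vendor domains, the symptom the slide describes.
import ipaddress

# Constructed, illustrative list of domain suffixes worth watching; a real
# deployment would use the vendor list it actually depends on.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "sophos.com", "kaspersky.com", "trendmicro.com", "f-secure.com",
)

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)           # first field must be an IP address
        except ValueError:
            continue                             # malformed line, not a mapping
        entries.extend((addr, name.lower()) for name in names)
    return entries

def suspicious_entries(text):
    """Entries that map a watched vendor domain to a sinkhole address."""
    hits = []
    for addr, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and addr in SINKHOLE_ADDRS:
            hits.append((addr, name))
    return hits

# Constructed sample resembling an overwritten hosts file.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
0.0.0.0         www.microsoft.com
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         www.symantec.com    # blocks AV updates
127.0.0.1       liveupdate.symantec.com
192.168.1.10    intranet.example    # legitimate local mapping, not flagged
"""

if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {addr}")
```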

Page 7: Symptoms

• Some variants create a text file containing random data that looks similar to the screenshot.

Page 8: Impact?

• At one point the worm was accounting for 20 to 30 percent of worldwide e-mail traffic

• Slowed Internet performance by 10%

• Web-page load time down by 50%

Page 9: How did it succeed?

• Used misleading text

• Brute-force approach: harvesting the victim's address book

• Attachment used a text-file icon

• Was released in the middle of the North American workday

Page 10: Aftermath?

• Sparked new versions

• Versions U, V, W, X and AO

• Expensive repercussions

• MyDoom 2009?

Page 11: Keeping systems safe from the MyDoom virus

• System Administrators

• Users

Page 12: System Administrators

• Filter network traffic: block specific inbound and outbound traffic to ports 1080, 3128, 80, 8080 and 10080

• If filtering by port is not feasible, try to block all network traffic that is not required for normal operation

• Symptoms of viruses, and specifically of the MyDoom virus, may be found by detecting increased CPU load and/or higher than normal SMTP traffic

• Scan e-mails internally for viruses. Use Mail Transfer Agents (MTAs) to block e-mail with W32/MyDoom.B signatures

• Disable automatic response messages; it is important that responses do not return the infected attachment

Source: US-CERT
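As an added example (not from the slides or from US-CERT), the two network-side symptoms listed above, a host making many more outbound SMTP connections than usual and inbound traffic to the ports the slide recommends filtering, checked over constructed connection-log lines; the log format, the threshold and the internal address prefix are assumptions.

```python
# Added example (not from the slides): flag hosts with abnormal outbound SMTP
# volume and external connections to the ports the slide recommends filtering.
from collections import Counter

BACKDOOR_PORTS = {1080, 3128, 80, 8080, 10080}   # the slide's filter list
SMTP_PORT = 25

def parse_line(line):
    """Parse a constructed 'ts src:port > dst:port proto' connection record."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip,
            "sport": int(src_port), "dport": int(dst_port), "proto": proto}

def smtp_talkers(lines, threshold):
    """{src_ip: count} for hosts with more than `threshold` outbound SMTP connections."""
    counts = Counter(r["src"] for r in map(parse_line, lines)
                     if r["proto"] == "tcp" and r["dport"] == SMTP_PORT)
    return {ip: n for ip, n in counts.items() if n > threshold}

def backdoor_port_hits(lines, internal_prefix):
    """(src, dst, port) for connections from outside to a filtered port on an internal host."""
    hits = []
    for r in map(parse_line, lines):
        inbound = (r["dst"].startswith(internal_prefix)
                   and not r["src"].startswith(internal_prefix))
        if inbound and r["dport"] in BACKDOOR_PORTS:
            hits.append((r["src"], r["dst"], r["dport"]))
    return hits

# Constructed sample: one workstation bursting SMTP, one external probe of a filtered port.
SAMPLE_LOG = [f"10:00:{i:02d} 10.0.0.5:{40000 + i} > 198.51.100.7:25 tcp" for i in range(6)] + [
    "10:00:10 10.0.0.9:40100 > 198.51.100.7:25 tcp",     # a single normal message
    "10:00:11 10.0.0.9:40101 > 198.51.100.8:443 tcp",    # unrelated HTTPS traffic
    "10:00:12 203.0.113.4:51234 > 10.0.0.5:3128 tcp",    # external host to a filtered port
    "10:00:13 10.0.0.5:40200 > 10.0.0.2:80 tcp",         # internal to internal, not inbound
]

if __name__ == "__main__":
    for ip, n in smtp_talkers(SAMPLE_LOG, threshold=3).items():
        print(f"high SMTP volume: {ip} made {n} outbound connections")
    for src, dst, port in backdoor_port_hits(SAMPLE_LOG, "10.0.0."):
        print(f"filtered port reached: {src} -> {dst}:{port}")
```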

Page 13: Users

• Always be sure you trust the source of any attachment or program received.

• Email users should be wary of unsolicited attachments, and Peer-to-Peer (P2P) users should be wary of .exe files.

• Always run and maintain an antivirus tool or application. Keeping the antivirus application updated provides extra protection against new strains of viruses.

• Almost all antivirus vendors offer a MyDoom removal tool.

Bottom line: Do not open attachments from users you do not know or trust!

Source: US-CERT

Page 14: More info in the textbook: Chapter 3, Section 3.3, Viruses and Other Malicious Code

• Why worry about malicious code?

• Difference between virus, worm, and other malevolent programs.

• The technical aspects of viruses.

• The first malicious code and its implications.

Page 15: Sources

• Wikipedia

• CNET

• HowStuffWorks.com

• US-CERT

• Google images

• Microsoft.com

Page 16: Thank You