Malware History: MyDoom

MyDoom, sometimes also called Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R is a worm type malware that infects Windows PCs. After infecting machines, the malware gets access to all files and distributes itself to the email contacts of the victim. It also features a countback timer that starts DOS attacks on specific websites.

Being first observed in January of the year 2004, the malware spread in mere hours, causing massive damage. In fact, it received the title of the most damaging and the quickest spreading malicious program to ever exist, surpassing even ILOVEYOU. At the peak of its popularity, MyDoom accounted for three-thirds of all spam emails.

The worm caused over 38 billion dollars worth of damage throughout its lifespan. In 2004, MyDoom managed to disrupt the operation of several leading search engine companies. Even Google was unable to protect itself, displaying error messages instead of search results.

What is MyDoom?

This malware is one of the better-known cyber threats out there. It has bitten all distribution speed records and at its most active state managed to reduce all internet traffic by up to 10%. What’s more, by different estimates, at one point it was generating from 16% to 25% of emails in the world.

And in 2011 experts announced MyDoom to be the malware to cause the most monetary damage. Many infected businesses had to temporarily stop operation after getting infected. 

As a result, the downtime cost us as much as 38 billion US dollars.

MyDoom used email spam to distribute itself. Once it gets into a PC, the worm can identify email addresses by looking in different files, and use the infected Windows Machine to send itself further. Also, the malware tries to trick victims into opening files in different ways. It can use a notification of unsuccessful message delivery, or employ words such as “hello”, “hi” in the subject line. 

This is the simplest form of bait, but one that is still relatively effective, even after so many years.

Once researchers got their hands on the first sample of MyDoom, they uncovered that the threat actor planned a DOS attack on the servers of SCO Group — a company claiming they owned the rights for Linux. 

This first iteration of the malware carried the name I-Worm.Mydoom.a. Only one day after the release of the .a version, the worm was updated. The new iteration was called I-Worm.Mydoom.b. 

This new form of the worm was capable of blocking the update process for the most popular antivirus software. Also, it added a new DOS victim — researchers found out that mydoom.b is supposed to attack Microsoft Servers soon after the SCO Group campaign.

The two attacks were carried out as planned. Unfortunately, SCO servers collapsed, but Microsoft managed to avoid the worst by rerouting part of the user traffic to subdomains. After these incidents, the activity of MyDoom slowly began to fade.

MyDoom Creators.

MyDoom was first observed in Russia. Though, this does not mean for certain that it was developed there. The only clue that we have is the phrase “andy; I’m just doing my job, nothing personal, sorry.”

Initially, it was thought that the authors could develop the threat as a response to the actions of SCO. The company caused a lot of tension by making their claim on Linux code. The “open-source” community took a different stand, pointing out that open-sourced programs should not belong to anybody. After all, they are by definition “open sourced”. 

As such, the company’s actions could seem like a viable provocation for the virus creator. The author could have been offended by the company’s position. At least, this was the case until the second version of the malware was released. This time, the worm targeted Microsoft, which reduced the merit of the original theory. 

The lack of information about the MyDoom author, or authors, for that matter, sparked a lot of speculation.Darling McBride, SCO Group CEO stated that the company has an idea about the people behind the attack. They offered a $250,000 reward in exchange for data that could contribute to the arrest of the threat actors

The open-source community members weighed in with their own input. This community has always been known for its sparking of various conspiracy theories, and this incident was no exception.

Some expressed their belief that SCO Group itself had something to do with the attack. A user, known as “Duke of Shadows” pointed out that by becoming a victim of a publicized malware attack, the organization could blame the “open-source” community and benefit. “Who else can benefit from a malware that was detected at such an early stage?”, concludes “Duke of Shadows”.

Bruce Perens, a guru in the open-source software community supported the same point of view. According to Perens, the SCO Group could set up the open-source followers to try and save the company’s reputation. 

“We proved that the SCO Group lied under oath in court. They won’t stop attacking their own website to drug their opponents through the mud.”,  Perens wrote in a blog post on his website. 

In another speculation, Perens suggested that spammers could be MyDoom creators. According to him, an organization involved in the creation and distribution of an intrusive advertising campaign could be unhappy with the way the “open-source” programmers block their ads. “There is a high probability that this malware was developed to cloud the reputation of Linux developers by spammers, SCO, or another party”.

Note, that MyDoom does not send itself to email addresses with .gov, .mil, or .edu extensions. Presumably, the attackers fear that government agencies can discover and track the whereabouts of the source. 

However, these or any other explanations that exist are not supported by hard facts. In the cybersecurity field, most professionals attribute MyDoom to a member of the “open-source” community who attacked due to an emotional impulse, rather than logic.

Experts believe that at this point the only way to find out who created this malware is to wait for the author to make a mistake and give some kind of a lead. For example, the author could release a bragging post on one of the underground forums.

But for now, the true identity of MyDoom creator remains a mystery: the threat actor didn’t give himself away in the last 16 years.

MyDoom Activity.

In 2019, experts from Palo Alto Networks released a report, which suggested that the 15-year old worm is still active. What’s more, its popularity is actually on the rise.

The report states that around 1.1% of all spam emails distributed from 2015 to 2018 contained nothing other than the MyDoom worm. The email campaigns targeted companies from a wide range of industries from technology to retail and beyond.

In the first half of 2019, MyDoom actually showed a little growth. The frequency of infections was on the rise, and experts reported more samples being spotted in the wild, with most of the detections happening in China.

Conclusion

MyDoom is a perfectly autonomous malware. It can continue spreading forever as long as people keep opening email attachments without giving it a thought. In a way, we can compare MyDoom with Influenza. We live with this disease side by side but there is always a chance that it will start another pandemic.

It is important to learn from stories like these. The rampage of MyDoom started with just one person carelessly downloading an infected attachment. The importance of checking suspicious files just can not be stressed enough.

Thankfully, ANY.RUN malware analysis service is not just for complex analysis of malicious files. You can also use our service to check suspicious emails by uploading them into the cloud. The whole process only takes a few minutes and allows us to avoid countless potential problems associated with a network compromise. 

Let’s learn the history of malware together and stay vigilant online!