By Robert Vamosi
MyDoom is the fastest-spreading Internet worm to date
(1/26/04; revised 02/01/04)
MyDoom.a is a mass-mailing worm that masquerades as a test message. There is now a second version, MyDoom.b. MyDoom.a (w32.mydoom@mm, also known as Novarg, Shimgapi, Shimg, and MiMail.r) and MyDoom.b (w32.mydoom.b@mm) take advantage of the ZIP file format's ability to pass through e-mail filters. They also use the file-sharing app Kazaa to spread. Within the first few hours, MyDoom.a spread quickly around the world; in contrast, MyDoom.b is not spreading as quickly. These two worms affect only Windows users, not those using Macintosh, Linux, or Unix. MyDoom.a contains a payload that launches a denial-of-service (DoS) attack the Web site www.sco.com, and MyDoom.b launches a DoS attack on the Web site www.microsoft.com. MyDoom.a will self-terminate on February 12, 2004; MyDoom.b will terminate on March 1, 2004. Because both versions of MyDoom spread primarily via e-mail and could severely slow or shut down e-mail servers with excess traffic, these worms rate a 7 on the CNET Virus Meter.
How it works
Both versions of MyDoom arrive primarily as e-mail. The subject line reads "Mail Delivery System," "Test," or "Mail Transaction Failed." The body text reads: "The message contains Unicode characters and has been sent as a binary attachment." The attached files may include one of the following:
When the worm is executed, MyDoom adds the following to the Windows/System subdirectory:
If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\.
In addition to the above, MyDoom.b overwrites the hosts file on infected systems, denying users access to most major antivirus software sites.
Both versions of MyDoom are known to open Windows Notepad and display garbage text; in addition, security companies iDefense and McAfee are reporting that MyDoom opens ports 3127 through 3198 to listen for commands from a remote attacker.
On February 1, MyDoom.a successfully launched a denial-of-service attack on SCO.com, shutting down the Linux vendor's Web site. On February 3, MyDoom.b will attempt to shut down Microsoft.com.
If you receive MyDoom, do not open the attached file. Delete the e-mail message.
All of the major antivirus software companies have updated their signature files to include these worms. This will stop the infection upon contact and in some cases, will remove an active infection from your system.
Read the latest News.com coverage here.