Mydoom

From Wikipedia, the free encyclopedia

Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm. It attacks Microsoft Windows systems and was first spotted on January 26, 2004. It is the fastest-spreading and most widespread computer worm to date and has surpassed the record set by the Sobig worm.

Distribution

Mydoom is mainly transmitted via e-mail and presents itself to the recipient as a "transmission error during mail delivery". The subject lines of the e-mails carry messages such as "Error", "Mail Delivery System", "test", "Delivery Status Notification" or "Mail Transaction Failed". The German variants also use subject lines such as "Notification of the transmission status (failed)" and the like.

The executable file carrying the computer worm is attached to the e-mail. If the attachment is executed, the worm installs itself in the Windows operating system. It then searches the local files and the Windows address book of the infected computer for e-mail addresses and sends itself to them. The worm also stores a copy of itself in the "Common Files" folder of the peer-to-peer file-sharing program Kazaa.

When sending the infected e-mails, the worm excludes target addresses at various universities, such as Rutgers University, MIT, Stanford University and UC Berkeley, as well as at various anti-virus software vendors such as Symantec or McAfee. No copy is sent to Microsoft either. Claims in earlier reports that the worm excludes all .edu addresses in general have proven to be incorrect.
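The two traits described above, a bounce-style subject line and an executable attachment, are what a mail gateway can key on. The following is an added example (not code from the article or from any anti-virus product) that parses raw e-mails with Python's standard `email` package and grades each message. The subject strings come from the article; the list of attachment extensions treated as executable, the sample messages and the verdict labels are assumptions made here for illustration.

```python
"""Triage of bounce-style e-mails for Mydoom-like lures (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines the article lists for Mydoom and Mydoom.BB (matched as whole words,
# case-insensitively, so that "test" does not fire on "Latest build").
MYDOOM_SUBJECTS = (
    "error", "mail delivery system", "test", "delivery status notification",
    "mail transaction failed", "delivery failed", "postmaster",
)

# The article only says "executable file" and names Java.exe / Service.exe;
# extending the check to other Windows executable extensions is an assumption.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")


def subject_looks_like_bounce(subject):
    """True if the subject contains one of the known lure phrases as a whole word."""
    s = (subject or "").lower()
    return any(re.search(r"\b" + re.escape(k) + r"\b", s) for k in MYDOOM_SUBJECTS)


def executable_attachments(msg):
    """Return the file names of attachments whose extension is executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXT):
            names.append(name)
    return names


def triage(raw_message):
    """Parse one raw RFC 5322 message and return a verdict dictionary.

    quarantine: lure subject AND executable attachment (the Mydoom pattern)
    review:     executable attachment with an ordinary subject
    pass:       no executable attachment
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "")
    exes = executable_attachments(msg)
    bounce = subject_looks_like_bounce(subject)
    if bounce and exes:
        verdict = "quarantine"
    elif exes:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject": subject, "bounce_subject": bounce,
            "executables": exes, "verdict": verdict}


def _build(subject, attachment_name=None):
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.net"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("The original message was included as an attachment.")
    if attachment_name:
        # Placeholder bytes only; this is not an executable.
        m.add_attachment(b"MZ placeholder, not a real binary",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_string()


# Constructed samples: a Mydoom-style lure, a benign build mail, a real bounce.
SAMPLES = {
    "lure": _build("Mail Delivery System", "Service.exe"),
    "benign_exe": _build("Latest build", "installer.exe"),
    "clean_bounce": _build("Delivery Status Notification (Failure)"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The whole-word match matters in practice: a substring check on "test" or "error" would flag a large share of ordinary business mail, while the combination of a lure subject with an executable attachment is rare enough in legitimate traffic to quarantine outright.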

The original version of the worm (Mydoom.A) made the following changes on infected computers:

  • Setting up a so-called backdoor, which allows the infected PC to be operated remotely (by storing Mydoom's own SHIMGAPI.DLL file in the system32 directory and then loading it as a sub-process of Windows Explorer);
  • Preparing a so-called "denial-of-service" attack against the website of the SCO Group, which begins on February 1, 2004; however, some virus analysts raised doubts about whether the code provided for this purpose actually works.

A second version of the worm (Mydoom.B) also targets the Microsoft website and blocks access to the websites of Microsoft and well-known anti-virus vendors. This is intended to prevent anti-virus programs from downloading virus definition and program updates.
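The article states that Mydoom.B blocks access to Microsoft and anti-virus vendor websites but does not describe the mechanism. A common way to achieve such blocking on a Windows machine is to add entries to the hosts file that map the vendor names to a sink address, so a defender's first check is to parse that file. The following is an added example (not code from the article): a small hosts-file parser plus a check that reports any entry for a watched domain. The Microsoft, Symantec and McAfee names come from the article; the remaining watched domains, the sink-address set and the sample file content are assumptions made here.

```python
"""Check a hosts file for sinkholed vendor names (added example)."""
import ipaddress
import os
import sys

# Vendors the article names as blocked by Mydoom.B (microsoft, symantec, mcafee);
# the other entries are assumed additions for illustration.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "sophos.com", "kaspersky.com",
)

# Addresses commonly used to make a name resolve to nothing useful.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments (# ...) and blank lines are skipped; a line whose first field is
    not a valid IP address is ignored rather than treated as an entry.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return entries that pin a watched domain (or a subdomain of it) to any address."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append({"line": line_no, "ip": ip, "host": name,
                         "sinkholed": ip in SINK_ADDRESSES})
    return hits


def default_hosts_path():
    """Location of the hosts file on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def check_hosts_file(path=None):
    """Read the hosts file from disk and return the suspicious entries."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 www.microsoft.com   # blocks the vendor site
0.0.0.0 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
192.0.2.10 intranet.example.org
"""

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(hit)
```

Any hosts entry for a vendor domain is worth investigating, not only those pointing at a sink address: an entry that redirects an update host to an attacker-controlled address is worse than one that merely blocks it, which is why the check reports the address and marks the sinkholed case separately.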

Initial analyses suggested that Mydoom was a variant of the Mimail worm, and it was suggested that the same people were responsible for both worms. However, the conclusions of later analyses invalidated these assumptions.

The worm contains the message "andy; I'm just doing my job, nothing personal, sorry", which led to speculation as to whether the programmer had been paid to create the worm. Other speculation (especially from the SCO Group) held that the worm came from the Linux/open-source scene as a reaction to SCO's (so far unproven) allegations and related lawsuits claiming that the use of Linux infringed SCO's patents. Yet other speculation assumes that the worm was launched by senders of UBE/UCE (unsolicited bulk or commercial e-mail, i.e. spam) in order to use a large number of infected computers to send UBE/UCE.

The variant Mydoom.BB uses search engines to obtain new e-mail addresses. Subject lines such as "Error", "Delivery failed" or "Postmaster" indicate the worm. The code is hidden in an attached file that may be called "Java.exe" or "Service.exe".

Timeline

  • January 26, 2004: The Mydoom worm is first sighted around 13:00 UTC. The first infected e-mails arrive from Russia. The rapid spread of the worm slows Internet traffic by an average of 10 percent for a few hours and increases the average loading time of websites by 50 percent. At the time, security experts report that on average every tenth incoming e-mail is infected with viruses.
  • Although Mydoom's denial-of-service attack against the SCO Group is not due to start until February 1, 2004, the SCO Group's website is no longer accessible a few hours after the outbreak of the worm. It is not known whether Mydoom was responsible for this. In 2003, the SCO Group's website was repeatedly the target of various distributed denial-of-service attacks without any computer virus being responsible.
  • January 28, 2004: A second version of the worm is discovered. The first e-mail with the new variant (Mydoom.B) again arrives from Russia, around 14:00 UTC. The new version will also attack Microsoft from February 3, 2004. Mydoom.B also blocks access to the websites of over 60 anti-virus vendors and to so-called "pop-up" advertising windows from online marketing companies such as DoubleClick. Security experts report that almost every fifth incoming e-mail is now infected with viruses.
  • January 29, 2004: Due to errors in the program code of the Mydoom.B worm, its rate of propagation decreases, contrary to predictions. Microsoft also offers a $250,000 reward for information leading to the capture of the programmer.
  • January 30, 2004: A French variant of the worm is circulating on the Internet. The original e-mail is traced back to Canada.
  • February 1, 2004: The first distributed denial-of-service attack against the SCO Group begins. The sites www.sco.com and www.sco.de have been unreachable under these names since January 31, 2004, 5:00 p.m. The SCO Group's web server can still be reached via http://216.250.128.21. The official host names have been deleted from the DNS server.
  • February 3, 2004: The second denial-of-service attack, against Microsoft, begins. Because of the bug in the B variant of Mydoom and the resulting lower prevalence, the attacks are limited and Microsoft can keep operating its website.
  • February 6, 2004: A new computer worm by the name of Deadhat is spotted for the first time. The new worm exploits the backdoor set up by Mydoom and in this way infects Windows computers that are already infected with the Mydoom worm. In doing so, it uninstalls the existing Mydoom worms, deactivates firewall and anti-virus software and tries to spread to other Windows PCs. Using a newly installed backdoor, attackers can upload any program to a Windows computer infected by Deadhat and run it there.
  • February 7, 2004: SCO's German website, www.sco.de, is available again. The main site www.sco.com is still offline.
  • February 12, 2004: Mydoom.A is programmed to stop spreading itself on this date. However, the backdoor set up by Mydoom.A remains open.
  • March 1, 2004: Mydoom.B is programmed to stop spreading itself on this date. Here too, the backdoor remains open.
  • July 27, 2004: Mydoom.M spreads again as an attachment to error e-mails. It searches the hard disk for e-mail addresses, sends itself to them and queries major search engines for further addresses in the same domains.
