MYDOOM: The Most Expensive Virus Detected

Introduction

Mydoom is the most expensive computer worm to hit Microsoft Windows, with estimated financial losses of $38.5 billion. It was first detected on 26 January 2004 and is still regarded as the fastest-spreading e-mail worm on record, ahead of Sobig and ILOVEYOU. The Mydoom family uses several propagation channels (e-mail, peer-to-peer file sharing, network shares and exploitation of vulnerabilities), but e-mail is by far the main one.
 
When it runs, Mydoom harvests e-mail addresses (and with them user names and domain names) from files on the infected system, and manufactures further addresses by prepending common names to the harvested domains. It then mails itself to all of them with a forged sender address, using its own SMTP engine rather than the victim's mail client, so nothing appears in the user's Sent folder. It also skips addresses at antivirus vendors and certain other domains, which delays sample collection and slows early detection and clean-up. In July 2009 a Mydoom variant was used in DDoS attacks on government and commercial websites in the United States and South Korea.
 
The best-known member of the family is Mydoom.A. It is a Windows executable, reportedly written in assembly language, of 22,528 bytes when packed and 42,280 bytes when unpacked.
 
MYDOOM.A has done the following damage:
 
  1. Between 1 and 12 February 2004 it ran a denial-of-service attack on www.sco.com, with every infected host sending repeated HTTP GET requests to the site (about one request every 1024 milliseconds).
  2. After 12 February 2004 it stops spreading, but the backdoor it installed stays open on every infected host.
  3. It opens a backdoor on the first free TCP port in the range 3127-3198; through it a remote attacker can download and run an arbitrary executable, which gives access to the host and to any network resources the host can reach, and
  4. the same component acts as a TCP proxy (relay) for the attacker.
  5. It opens Windows Notepad and displays junk data.

Files Dropped by MYDOOM.A

  1. TASKMON.EXE (in the Windows system directory): a full copy of the worm, registered to start at every logon.
  2. SHIMGAPI.DLL (in the Windows system directory): the backdoor and proxy component, loaded into Explorer.
  3. MESSAGE (in the Windows temporary directory): the junk text that Notepad displays the first time the worm runs.
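The two host-side signals above (the backdoor listener from the list of harms, and the three dropped files) are what a responder checks first when triaging a suspect machine. The script below is an added example written for this page; it is not code from the article or from any published Mydoom analysis. It parses Windows "netstat -an" output for a listener in the 3127-3198 range and matches exported file paths against the dropped-file names. The netstat lines and paths it works on are constructed samples, and the port range is taken from public descriptions of the worm rather than from the article's wording ("first available TCP port").

```python
"""Host triage for Mydoom.A artifacts (added example, not from the article).

Two checks a responder can run over exported evidence:
  1. the backdoor listener: Mydoom.A opens the first free TCP port in
     3127-3198 (the article says "first available TCP port"; the range is
     from the public analyses of the worm), and
  2. the dropped files the article lists.
The netstat output and file paths below are constructed for the demo.
"""
import re
from typing import Dict, Iterable, List

BACKDOOR_PORTS = range(3127, 3199)   # 3127..3198 inclusive

# Dropped files from the article.  Mydoom writes the first two into the
# Windows system directory (System32, or System on Windows 9x), so a
# taskmon.exe elsewhere (Windows 9x shipped one in C:\WINDOWS) is not a hit.
MYDOOM_ARTIFACTS = [
    (re.compile(r"[\\/]system(32)?[\\/]taskmon\.exe$", re.I), "worm body (copy of Mydoom.A)"),
    (re.compile(r"[\\/]system(32)?[\\/]shimgapi\.dll$", re.I), "backdoor / proxy component"),
    (re.compile(r"[\\/]temp[\\/]message$", re.I), "junk text shown in Notepad on first run"),
]

# One line of "netstat -an" on Windows: proto, local, foreign, state.
_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)", re.I)

SAMPLE_NETSTAT = [  # constructed sample output
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    [::]:3200              [::]:0                 LISTENING",
    "  TCP    192.168.1.10:3150      10.0.0.5:80            ESTABLISHED",
]

SAMPLE_PATHS = [  # constructed sample file listing
    r"C:\WINDOWS\system32\taskmon.exe",
    r"C:\WINDOWS\system32\shimgapi.dll",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\Message",
    r"C:\WINDOWS\system32\notepad.exe",
]


def backdoor_listeners(netstat_lines: Iterable[str]) -> List[int]:
    """Return local TCP ports in the Mydoom backdoor range that are LISTENING."""
    hits = set()
    for line in netstat_lines:
        m = _NETSTAT_LINE.match(line)
        if not m or m.group("state").upper() != "LISTENING":
            continue  # header line, UDP, or an outbound/established socket
        # Local address is 0.0.0.0:3127 (IPv4) or [::]:3127 (IPv6); take the port.
        port = int(m.group("local").rsplit(":", 1)[1])
        if port in BACKDOOR_PORTS:
            hits.add(port)
    return sorted(hits)


def artifact_hits(paths: Iterable[str]) -> Dict[str, str]:
    """Map each path that matches a known Mydoom.A artifact to its role."""
    found = {}
    for p in paths:
        for pattern, role in MYDOOM_ARTIFACTS:
            if pattern.search(p):
                found[p] = role
    return found


def triage(netstat_lines: Iterable[str], paths: Iterable[str]) -> dict:
    """Combine both checks; 'infected' when either signal is present."""
    ports = backdoor_listeners(netstat_lines)
    files = artifact_hits(paths)
    return {"backdoor_ports": ports, "artifacts": files, "infected": bool(ports or files)}


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_PATHS))
```

An ESTABLISHED socket whose local port happens to fall in 3127-3198 is ignored on purpose: ephemeral client ports land in that range all the time, and only a LISTENING socket is the backdoor. Feed the functions real "netstat -an" output and a recursive directory listing of the system and temp folders to use them on a live host.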
Mydoom.A spreads by two means:
 
1. Transmission via e-mail
The sender address is spoofed, and the subject and body are varied so that the message looks like ordinary traffic or a bounce notice from a mail server.
Typical subject lines are test, hello, status, Mail Delivery System, Mail Transaction Failed and Server Report; the attachment that carries the worm uses an executable extension such as .pif, .scr, .bat or .exe, or is wrapped in a .zip archive.
 
2. Transmission via KaZaA
It copies itself into the KaZaA shared directory under file names chosen to look like pirated software or cracks, combined with a random extension:
Possible file names: WINAMP5, ICQ2004-FINAL, ACTIVATION_CRACK, STRIP-GIRL-2.0BDCOM_PATCHES, ROOTKITXP, OFFICE_CRACK, NUKE2004.
Possible extensions: PIF, SCR, BAT, EXE. Anyone who downloads and runs one of these files is infected with MYDOOM.A.
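Both transmission paths rely on the same trick: a lure name plus an executable extension. At the mail gateway that pairing is easy to test for, which is the point of the added example below. It is illustration code written for this page, not the article's or any vendor's filter. It pairs the subject lines listed above (plus "hi" and "error", which published descriptions of Mydoom.A also record) with an attachment check, and it deliberately ignores the From header, because Mydoom forges it. The messages are built in memory with a harmless placeholder attachment; no worm code is involved.

```python
"""Mail-gateway heuristic for Mydoom.A-style lures (added example, not from
the article).

Flags a message that pairs one of the subject lines the article lists with an
attachment carrying an executable extension, which is the combination the
worm relied on.  The sender check is deliberately absent: the From address is
forged, so it carries no signal on its own.  All messages here are built in
memory with a harmless placeholder attachment.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Subject lines from the article, plus "hi" and "error" from published
# descriptions of Mydoom.A (compared case-insensitively).
MYDOOM_SUBJECTS = {
    "test", "hi", "hello", "status", "error", "server report",
    "mail delivery system", "mail transaction failed",
}

# Executable extensions from the article's lists; .cmd and .zip are an
# addition based on published descriptions of the worm's attachments.
EXEC_EXTENSIONS = (".pif", ".scr", ".bat", ".exe", ".cmd")
ARCHIVE_EXTENSIONS = (".zip",)


def risky_attachments(msg: EmailMessage) -> List[str]:
    """Return attachment names whose final extension is executable or an archive.

    Only the last extension counts: 'readme.txt.pif' is still a PIF.
    """
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS + ARCHIVE_EXTENSIONS):
            names.append(name)
    return names


def assess(raw: bytes) -> Dict[str, object]:
    """Classify a raw RFC 822 message.

    quarantine: Mydoom subject + risky attachment (the worm's own pattern)
    review:     risky attachment with an innocuous subject
    deliver:    no risky attachment
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    attachments = risky_attachments(msg)
    subject_hit = subject in MYDOOM_SUBJECTS
    if attachments and subject_hit:
        verdict = "quarantine"
    elif attachments:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject_hit": subject_hit, "attachments": attachments, "verdict": verdict}


def build_sample(subject: str, filename: Optional[str]) -> bytes:
    """Construct a test message; the attachment is a placeholder, not worm code."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.org"   # Mydoom forges this header
    m["To"] = "victim@example.net"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    if filename:
        m.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Mail Transaction Failed", "document.pif"),
                        ("hello", "readme.txt.scr"),
                        ("Quarterly numbers", "report.pdf")]:
        print(subj, fname, "->", assess(build_sample(subj, fname))["verdict"])
```

The subject match is a weak signal on its own ("hello" is a common subject), so it only escalates a message that already carries a risky attachment; a gateway that blocked on subject alone would drown in false positives. A .zip is flagged rather than opened here; a real filter would also inspect archive contents for the same extensions.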
 

Prevention Strategies

At the time of the outbreak, signature-based antivirus lagged the worm by hours, which is how it spread so quickly; today every mainstream product detects it. The lesson is that a signature scanner alone is not enough against a fast e-mail worm. It should be supplemented with controls that work before a signature exists: mail-gateway filtering that blocks or quarantines executable attachments (.pif, .scr, .bat, .exe and archives containing them), real-time scanning of network traffic that raises an alert on suspicious behaviour such as a host suddenly sending bulk SMTP or listening on an unexpected port, and egress filtering that stops outbound connections a host has no business making, so that an attacker cannot reach a backdoor and data cannot leak.
 
Authored By - Palash Agrawal
TCS Enterprise Security and Risk Management
 