Mydoom Worm

I. Profile

Also known as: W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi
Affects: Microsoft Windows computers
First detected: January 2004
Place of origin: Russia (suspected)
Author: Unknown
Claim to fame: Very fast-spreading e-mail worm

II. How it Spreads

The worm spreads as a file attached to infected e-mail messages. It also spreads through the Kazaa file-sharing network. The e-mail subject lines include "Error", "Mail Delivery System", "Test" and "Mail Transaction Failed", in several languages including English and French. If the attached file is executed, the worm mails itself on to the addresses found in the user's address book. On the Kazaa network, it copies itself into the shared-files folder.

III. Installation

When the infected file is launched, Windows Notepad opens and displays a file of jumbled symbols as a decoy. During installation the worm copies itself to the Windows system directory under the name taskmon.exe and registers that file under the system registry auto-run key. It also creates a file shimgapi.dll in the Windows system directory; this is the backdoor component (a proxy server), and the worm registers it in the registry as an in-process COM server (InProcServer32) so that Explorer.exe loads the DLL into its own process. The worm also creates a file called Message in the temporary directory (usually windir\temp); this file contains a random selection of symbols. So that it can recognise a system it has already infected, the worm creates several additional keys in the system registry, and while running it creates a unique identifier, SwebSipxSmtxSO.

IV. Effects

Shimgapi.dll is a proxy server: the worm listens on a TCP port in the range 3127 to 3198 on the infected machine (it takes the first free port, starting at 3127) in order to receive commands. The backdoor gives the worm's author full access to the system; in addition, it can download arbitrary files from the Internet and execute them. The worm also contains a function that carries out Denial of Service attacks against the site www.sco.com.
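The installation and backdoor artifacts described above (taskmon.exe in the auto-run key, shimgapi.dll loaded by Explorer.exe, a listener on TCP 3127-3198, outbound SMTP from the worm process) are exactly what an incident responder would check for on a suspect host. The following Python script is an added example, not code from the original write-up or from any antivirus vendor; it turns those indicators into offline triage checks over constructed snapshots of `netstat -ano` and `reg query` output and a system-directory listing. The column layouts it parses are assumed to be the tools' default English output, and the sample snapshots, PIDs and the `{placeholder-clsid}` key name are constructed for this example, not taken from a real infection.

```python
"""Offline triage for the Mydoom host artifacts (added example, not vendor code).

Checks, over constructed snapshots of a suspect Windows host:
  * a TCP listener on 3127-3198 (the shimgapi.dll backdoor/proxy port)
  * a Run-key or InProcServer32 value pointing at taskmon.exe / shimgapi.dll
  * the dropped files themselves in the system directory
Assumption: `netstat -ano` / `reg query` output is in the tools' default
English column format; all sample data below is constructed.
"""
import re

BACKDOOR_PORTS = range(3127, 3199)          # 3127..3198 inclusive, per the text
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")

# e.g. "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING    1532"
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$", re.I)
# e.g. "    TaskMon    REG_SZ    C:\WINDOWS\system32\taskmon.exe"
REG_VALUE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$", re.I)


def backdoor_listeners(netstat_text):
    """(port, pid) for every TCP LISTENING socket inside the Mydoom port range."""
    hits = []
    for m in map(NETSTAT_RE.match, netstat_text.splitlines()):
        if m and m["state"].upper() == "LISTENING" and int(m["lport"]) in BACKDOOR_PORTS:
            hits.append((int(m["lport"]), int(m["pid"])))
    return hits


def smtp_senders(netstat_text):
    """PIDs holding outbound TCP/25 connections. The worm mails itself out
    directly, so a non-mail process talking SMTP corroborates a listener hit."""
    return sorted({int(m["pid"]) for m in map(NETSTAT_RE.match, netstat_text.splitlines())
                   if m and m["rport"] == "25" and m["state"].upper() == "ESTABLISHED"})


def suspicious_registry_values(reg_text):
    """(value name, data) for REG_SZ values whose data names a dropped file.
    Catches both the auto-run entry for taskmon.exe and the InProcServer32
    entry that makes Explorer.exe load shimgapi.dll."""
    hits = []
    for m in map(REG_VALUE_RE.match, reg_text.splitlines()):
        if m and m["data"].strip('"').lower().endswith(DROPPED_FILES):
            hits.append((m["name"], m["data"]))
    return hits


def dropped_files_present(system_dir_names):
    """Subset of DROPPED_FILES found in a listing of the Windows system directory."""
    present = {n.lower() for n in system_dir_names}
    return [f for f in DROPPED_FILES if f in present]


def triage(netstat_text, reg_text, system_dir_names):
    """Combine the checks. A listener alone is weak evidence, since other
    software may legitimately bind a port in that range, so the verdict needs
    a persistence artifact, or a listener together with SMTP activity."""
    f = {
        "listeners": backdoor_listeners(netstat_text),
        "smtp_pids": smtp_senders(netstat_text),
        "registry": suspicious_registry_values(reg_text),
        "files": dropped_files_present(system_dir_names),
    }
    f["infected"] = bool(f["registry"] or f["files"]) or bool(f["listeners"] and f["smtp_pids"])
    return f


# --- constructed sample snapshots (not from a real host) ---
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:1043      198.51.100.7:25        ESTABLISHED     1532
  TCP    192.168.1.10:1044      198.51.100.9:25        ESTABLISHED     1532
"""
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    TaskMon    REG_SZ    C:\\WINDOWS\\system32\\taskmon.exe

HKEY_CLASSES_ROOT\\CLSID\\{placeholder-clsid}\\InProcServer32
    (Default)    REG_SZ    C:\\WINDOWS\\system32\\shimgapi.dll
    ThreadingModel    REG_SZ    Apartment
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "notepad.exe", "taskmon.exe", "shimgapi.dll"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_SYSTEM32).items():
        print(f"{key:10}: {value}")
```

The point of `triage` is the corroboration rule: the port range on its own would produce false positives, and the registry entry for shimgapi.dll is the artifact that survives a reboot, so the registry and file checks carry the verdict and the network checks only confirm an active instance. To run it against a live host you would feed it the real `netstat -ano` and `reg query` output and `os.listdir` of the system directory instead of the constructed samples.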
The DoS function is scheduled to activate on 1 February 2004 and keep running until 12 February 2004. The worm sends a GET request to port 80 of the targeted site every millisecond, which, under the conditions of a global epidemic, can bring the site down entirely. The worm exists in several versions. Version A, which accounted for the majority of infections, was the one that caused the problems for sco.com; version B attempted the same against microsoft.com, but few infections of that version were found. Other versions have appeared since, but none caused infections on the scale of 2004. The worm last resurfaced in July 2009, when it was used in attacks affecting South Korea and the USA.

V. Decline

The worm caught the public's eye as the fastest-spreading e-mail virus of its time, which made people more aware of how it spreads and of the symptoms of an infected machine. The worm relied on users being tricked into opening the attachment, so once the public was informed its spread slowed and eventually stopped, especially once antivirus companies added detection for it, catching the infection before it could spread further.

VI. References

http://news.bbc.co.uk/2/hi/technology/3459363.stm
http://www.f-secure.com/v-descs/novarg.shtml
http://www.sptimes.ru/index.php?action_id=2&story_id=12138
http://www.securelist.com/en/descriptions/old22686
