Some estimates have said that MyDoom currently accounts for anywhere from 1/12 to 1/3 of all email traffic. Because many networks are configured to automatically reply to email containing malware, even though the odds are good that the "Sender" is a spoofed address, a significant number of misguided replies are also clogging up mail servers, which may inflate the amount of email traffic attributed to this threat.
What do you need to know about this threat? Primarily you need to stick to the security basics: keep your machine patched and updated, keep your antivirus software current, and don't open file attachments on emails unless you are positive you know what they contain. If everyone did those three things this virus might not be getting the attention it currently is.
Many corporate networks are set to automatically strip most, if not all, executable file attachment types. This means that file attachments such as COM, EXE, SCR or PIF files will never get through. This virus also uses ZIP files, though, which are commonly allowed through firewalls and corporate mail servers.
In a nutshell, the virus / worm has the following characteristics:
- Email "Sender" address is spoofed
- Email Subject is random, but common ones are:
  - Hi
  - Hello
  - Server Report
  - Mail Delivery System
- The Email Body varies and is designed to trick the user into opening the attachment. Some examples are:
  - The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  - Mail transaction failed. Partial message is available.
- File attachment is often a ZIP file which contains an executable file such as:
  - message.zip
  - file.scr
  - hello.cmd
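The gap described above is that gateways strip bare COM/EXE/SCR/PIF attachments but let ZIP files through. The following is an added example, not code from the original article, showing one way a mail filter can close that gap: it opens ZIP attachments and looks at the names inside, and it also checks the subject and body text against the patterns listed above. The message it inspects is constructed inline (the sender, recipient and ZIP contents are made-up sample values), and the extension list extends the page's COM/EXE/SCR/PIF with CMD (named in the attachment list) and BAT (an assumption).

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions commonly stripped by mail gateways: COM/EXE/SCR/PIF are from the
# article, CMD appears in its attachment list, BAT is an added assumption.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".cmd", ".bat"}

# Subject lines and body fragments the article lists as common for this worm.
SUSPECT_SUBJECTS = {"hi", "hello", "server report", "mail delivery system"}
SUSPECT_BODY_FRAGMENTS = (
    "cannot be represented in 7-bit ascii",
    "mail transaction failed",
)


def executables_in_zip(data: bytes) -> list[str]:
    """Return the member names of a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist()
                    if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        # Not a ZIP at all (or corrupt): nothing to report from the archive itself.
        return []


def inspect_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and decide whether it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        findings.append(f"suspect subject: {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for fragment in SUSPECT_BODY_FRAGMENTS:
        if fragment in text:
            findings.append(f"suspect body text: {fragment!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
        elif name.endswith(".zip"):
            # The gateway may allow ZIPs, so look inside before passing it on.
            inner = executables_in_zip(payload)
            if inner:
                findings.append(f"zip {name} contains executables: {inner}")

    return {"quarantine": bool(findings), "findings": findings}


def build_sample_message() -> bytes:
    """Construct a sample message shaped like the article's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"   # constructed, stands in for a spoofed address
    msg["To"] = "user@example.org"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding "
                    "and has been sent as a binary attachment.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file.scr", b"placeholder bytes, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = inspect_message(build_sample_message())
    for finding in verdict["findings"]:
        print(finding)
    print("quarantine:", verdict["quarantine"])
```

The ZIP check only reads member names, which is enough for this worm's pattern; a production filter would additionally limit archive size and nesting depth before opening anything, since an attacker-supplied archive is untrusted input in its own right.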
If the attachment is executed the machine will be infected and a variety of malicious actions will occur including:
- Copies itself into Kazaa peer-to-peer network shared files directory if it exists
- Opens a TCP port as a backdoor to accept specially crafted TCP packets designed to trigger other malicious actions
- On February 1 infected machines will initiate a denial-of-service attack against the SCO web site by flooding their web servers with requests
- Contains its own SMTP engine to allow it to propagate itself via email
The MyDoom.B variant which arrived a couple of days later is quite similar but offers a few differences such as:
- Adds Microsoft.com as well as SCO as a target for a denial-of-service attack
- Adds additional TCP ports that are opened to accept specially crafted malicious TCP packets
- Overwrites the computer's Hosts file so that the computer will be unable to reach a variety of security and antivirus web sites.
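Because the Hosts file is consulted before DNS, an entry that points a vendor's update site at the loopback address silently breaks antivirus updates. The following is an added example, not part of the original article, of a defender-side check that scans a Hosts file for watched domains mapped to a loopback or unspecified address. The article does not name the sites MyDoom.B blocks, so the watch list below uses placeholder domains, and the Hosts file content is constructed inline.

```python
import ipaddress

# Placeholder domains: the article does not list which security and antivirus
# sites are blocked, so a real deployment would substitute its vendors' hosts.
WATCHED_DOMAINS = {"antivirus-vendor.example", "security-updates.example"}


def _is_sinkhole(address: str) -> bool:
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_blocked_hosts(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, address, hostname) for watched domains routed to a sinkhole."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        if not _is_sinkhole(address):
            continue                           # ordinary intranet mappings are fine
        for name in names:
            host = name.lower().rstrip(".")
            if host in WATCHED_DOMAINS or any(host.endswith("." + d) for d in WATCHED_DOMAINS):
                hits.append((lineno, address, host))
    return hits


# Constructed sample Hosts file: one legitimate localhost line, one intranet
# entry, and two lines of the kind the article describes.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# internal server, legitimate
10.0.0.5 intranet.corp.example
127.0.0.1 www.antivirus-vendor.example antivirus-vendor.example
0.0.0.0 security-updates.example   # redirected to nowhere
"""

if __name__ == "__main__":
    for lineno, address, host in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {address}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Run the check from a scheduled job and alert on any hit, since a legitimate administrator rarely needs to sinkhole a security vendor's domain.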
Make sure your antivirus software is updated and that your system is patched and updated and do NOT open file attachments if they are even remotely suspicious or unknown.
For more information see the links next to this article.
