Urgent Virus Alert: MyDoom

MyDoom Demonstrates
a True Viral Outbreak

26 January 2004

About the Virus

A new virus, MyDoom (also called Novarg by some vendors, Mimail.R by others), is erupting on the Internet right now. Network Associates received 19,500 copies of the virus from over 3,400 e-mail addresses in a single hour Monday afternoon, an extremely high rate. MyDoom seems to have been launched today, around 1:00 PM Pacific Standard Time. The virus presents a well-worded message claiming that its attachment was necessary because a technical error prevented normal e-mail transmission, a more clever social-engineering ploy than the garden-variety "Here, open this." Since this new virus also carries a trojan, MyDoom might feel appropriately named to its victims.

Distinguishing Characteristics

A MyDoom e-mail spoofs its sender so that it appears to come from one of your friends, contacts, or a credible institution such as a bank or phone company. The Subject is randomized. So far we've seen the variations below:

  • hi
  • hello
  • HELLO
  • error
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • status
  • test
  • Test
  • Server Request

MyDoom is so new that the anti-virus vendors have not compiled their list of variations at the time of this writing. There may be other Subjects we haven't listed. MyDoom's body is also random. So far we know of these three variations:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

We believe these credible-sounding message bodies partly contribute to MyDoom's success. They sound like legitimate mail-server errors and lead one to believe that the attached file is the message your e-mail client couldn't display. Don't fall for it!

MyDoom's attachment name is randomized and chosen to look like a document. The file uses one of the following extensions:

  • .exe
  • .scr
  • .pif
  • .cmd
  • .bat
  • .zip <-- (The zip file contains an executable whose name is padded to look like a document; e.g., doc.txt followed by many spaces and then .exe, so the real extension is pushed out of view)
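The indicators above (lure Subjects, the three error-style bodies, and an executable or zip-wrapped executable attachment) are enough to write a simple mail-gateway check. The following Python script is an added example, not code from the original alert or from any anti-virus vendor. It parses a message, scores it against those indicators, and flags it only when a suspicious attachment appears together with at least one of the lures (a bare "hi" Subject is not evidence on its own). The spoofed sender is deliberately not used, since it cannot be judged without knowing the sending host. The document-extension list in the padded-name pattern and the three sample messages are constructed for this example.

```python
"""Flag e-mail that matches the MyDoom indicators described in the alert (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text. Subjects are compared case-insensitively,
# which covers both "hello"/"HELLO" and "test"/"Test".
LURE_SUBJECTS = {"hi", "hello", "error", "mail delivery system", "mail transaction failed",
                 "server report", "status", "test", "server request"}
LURE_BODIES = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
EXEC_EXTS = {".exe", ".scr", ".pif", ".cmd", ".bat"}
# "doc.txt [lots of spaces] .exe": a document-looking name padded with spaces before the real
# extension. The set of document extensions here is an assumption made for this example.
PADDED_NAME = re.compile(r"\.(txt|doc|htm|html)\s{2,}\.(exe|scr|pif|cmd|bat)$", re.IGNORECASE)


def suspicious_filename(name):
    """Return a reason string if the filename looks like a disguised executable, else None."""
    if PADDED_NAME.search(name):
        return "padded-executable-name"
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    return "executable" if ext in EXEC_EXTS else None


def suspicious_zip(data):
    """Return the first suspicious member name inside an in-memory zip, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if suspicious_filename(member):
                    return member
    except zipfile.BadZipFile:
        pass
    return None


def score_message(raw):
    """Return the list of indicator hits for a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if any(text.startswith(lure) for lure in LURE_BODIES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = suspicious_filename(name)
        if reason:
            hits.append("attachment:%s (%s)" % (name.strip(), reason))
        elif name.lower().endswith(".zip"):
            member = suspicious_zip(payload)
            if member:
                hits.append("zip-with-executable:%s (%s)" % (name, member.strip()))
    return hits


def is_mydoom_like(raw):
    """Flag when a suspicious attachment is paired with at least one lure (subject or body)."""
    hits = score_message(raw)
    has_attachment_hit = any(h.startswith(("attachment:", "zip-with-executable:")) for h in hits)
    has_lure = "subject" in hits or "body" in hits
    return has_attachment_hit and has_lure, hits


# --- constructed sample messages (not real captures) ---------------------------------
def _build(subject, body, filename, data):
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "postmaster@example.com"  # constructed; MyDoom spoofs this field
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _make_zip(member_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def constructed_samples():
    return {
        "pif_lure": _build("Mail Transaction Failed", LURE_BODIES[2], "message.pif", b"MZ-fake"),
        "zip_lure": _build("test", LURE_BODIES[0], "document.zip",
                           _make_zip("document.txt          .exe", b"MZ-fake")),
        "benign": _build("hello", "Hi Bob, the agenda is attached.", "agenda.pdf", b"%PDF-1.4"),
    }


if __name__ == "__main__":
    for label, raw in constructed_samples().items():
        print(label, is_mydoom_like(raw))
```

The benign sample shares a lure Subject ("hello") with the virus but carries an ordinary PDF, so it is not flagged; this is why the decision keys on the attachment rather than on the Subject alone.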

Although details are still developing, MyDoom starts like most viruses. If one of your users runs the virus' attachment, it copies itself to that computer and adds registry entries so that it restarts after a reboot. It then harvests e-mail addresses from a number of different file types and mails itself to them.

According to the latest breaking news, MyDoom also seems to spread through the popular Kazaa P2P file-sharing application. Other reports indicate MyDoom is engineered to launch a Denial of Service attack against SCO.

Finally, MyDoom installs a backdoor that listens on TCP port 3127. This could allow the virus author, or anyone else able to reach that port, to control an infected machine. Blocking inbound TCP 3127 at your perimeter and checking your hosts for anything listening on it are both worth doing now.

This virus has spread so fast that the anti-virus vendors are still researching it. MyDoom's code is encrypted, so it may take a while for the vendors to assess its true scope. We recommend you check McAfee's alert periodically for the latest developments.

What you can do

  • As always, remind your users never to open unexpected attachments from any source.

  • Most major anti-virus vendors already have signatures that detect MyDoom. Check with your vendor for the latest update. If there is no MyDoom update, search on the variant names Novarg, Shimg, or Mimail.R, which are other vendors' names for the same virus.
