Notorious MyDoom Worm Still on AutoPilot After 15 Years

The notorious Mydoom email worm, considered to be one of the most damaging malware strains ever developed, is still doing rounds on the Internet, working on autopilot and actively targeting email users all over the world. 

Mydoom (also known as Novarg, Mimail, and Shimg) is a malware family known to be active since at least 2004 [1, 2, 3, 4] , with worm capabilities designed to spread to other victims using a mass e-mailing approach, with some of its variants also capable of infecting targets through peer-to-peer networks.

After infecting a computer, the MyDoom worm opens a backdoor on TCP ports 3127 through 3198, thus enabling the attackers to remotely access the compromised systems, to distribute other malicious payloads, and, in the case of some variants, to launch denial of service (DoS) attacks.

As its main propagation method, the MyDoom worm collects e-mail addresses from various files on the compromised systems and sends e-mails with an attached copy of itself to all the addresses it found.

MyDoom email sample
MyDoom email sample (Image: Palo Alto Networks)

According to a MyDoom in-depth analysis by The Cylance Threat Research Team:

  • MyDoom holds the record for the fastest spreading email worm, which it achieved in 2004
  • MyDoom holds the record for the most costly virus, inflicting an impressive $38.5 billion in damages
  • At its apex, MyDoom generated 16-25% of all emails sent worldwide

MyDoom is still going strong as per reports coming from security researchers and vendors almost on a yearly basis [1, 2, 3], with tens of thousands of MyDoom-infected emails being detected every month.

"While not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 percent of all emails we see with malware attachments," says Palo Alto Networks Unit 42's Brad Duncan.

The thousands of malicious emails delivered by MyDoom all over the world each month target a wide range of industries, from high tech, wholesale, and retail to healthcare, education, and manufacturing.

MyDoom - 2015 to 2018 Palo Alto Networks stats
MyDoom - 2015 to 2018 stats (Image: Palo Alto Networks)

Between 2015 and 2018, MyDoom was found within 1.1% percent of all malicious emails detected by security outfit Palo Alto Networks, reaching "an average of 21.4 percent for all individual malware attachments seen through malicious emails."

The difference in the number of MyDoom attachments and emails is caused by the polymorphic nature of this worm resulting in a higher amount of malware sample hashes, thus drastically increasing the number of detected samples. 

During the first half of 2019, MyDoom saw a slight boost in the number of malware samples detected, as well as a boost in the number of malicious emails delivered to and from its victims.

MyDoom 2019 activity
MyDoom's 2019 activity (Image: Palo Alto Networks)

Since the initial MyDoom infection in 2004, enough computers have been infected and continued infecting other machines throughout the years to help this malware stay active, although not as dangerous as it was in the beginning.

"Both China and the United States are the primary recipients of MyDoom emails, although the distribution remains global and targets many other countries. High tech is the most frequently targeted industry," concludes Duncan.

More statistics and details on how MyDoom spreads between hosts, as well as a list of Indicators of Compromise (IOCs) containing hashes for MyDoom EXE samples found during July 2019,  are available in Duncan's in-depth analysis of MyDoom's activity.

Related Articles:

Modular Plurox Malware Is a Wormable Backdoor Cryptominer

BlueKeep Scanner Discovered in Watchbog Cryptomining Malware

Hackers Exploit Jira, Exim Linux Servers to "Keep the Internet Safe'

New Okrum Malware Used by Ke3chang Group to Target Diplomats

New EvilGnome Backdoor Spies on Linux Users, Steals Their Files