What Is MyDoom Malware? History, How It Works & Defence

Some people call MyDoom a virus. Some people call it a worm. Some people spell the term My Doom. Others just call it the Doom Virus. 

No matter what you call it or how you spell it, MyDoom is serious. This tiny bit of code spreads from one computer to another via email attachments. If you get these messages and open their files, the program sits on your computer. Soon, everyone in your address book gets a message from your computer. 

People became aware of MyDoom in 2004, and the attacks launched then have long since passed. But plenty of infected computers remain. So it’s wise to know how this worm works and how you can rid your computer of the code. 

MyDoom virus development 

In January and February of 2004, people all around the globe started getting mysterious email messages that said, "I'm just doing my job, nothing personal, sorry." Each email came with an attachment, and every time people checked their inboxes, they got another copy. The MyDoom virus was responsible. 

MyDoom is a very effective worm made to create zombies out of hundreds of thousands of computers. Hackers could then use each hijacked computer to wage a denial-of-service (DoS) attack against a company they identified. 

In 2004, no one knew who developed the code. Some felt that the MyDoom worm looked very similar to other worms developed in Russian labs. But suspicion isn't proof, and in the end, no one really knew who created this code or why they did so. 

But experts agreed that MyDoom was dangerous. Reporters said the code was:

  • Fast. No other virus had spread so quickly. 
  • Effective. MyDoom infected more than 500,000 machines in just one week. 
  • Expensive. Damage estimates reached $38.5 billion or more. 

The virus took over host computers, and most cleanup reporting focused on what people needed to do to eliminate the code. But two companies were the real victims. 

The first version of the worm used infected computers to bombard SCO Group with homepage requests. The company couldn't handle that kind of traffic, and the site crashed. After an hour of constant attack, the company changed website addresses altogether.

The second version of the worm did two things.

  • Attack: Infected computers bombarded Microsoft's website.
  • Protect: After the infection, computers couldn't access 65 antivirus websites. In essence, the worm kept people from cleaning up their computers. 

Before hackers released MyDoom, experts knew that an attack like this was possible. But they had no idea what it would look like, how it would work, or how users could clean up their computers. They would learn all about these attacks in the coming months.

How does MyDoom work? 

People on infected computers likely had no idea anything was wrong. They may have encountered slow speeds or glitchy service, but they probably didn't get an alert or warning that their computers weren't functioning properly. Meanwhile, code working deep within the Windows environment allowed the worm to spread. 

The MyDoom worm:

  • Downloads. Opening the attachment allows the code to move into the Windows environment. The worm wouldn’t touch anyone not working in Windows. 
  • Spreads. Code digs into contacts stored on the victim's computer. Every address the code finds gets a new version of the worm as an email attachment. 
  • Launches. On a set date, the infected computers launch requests for either SCO Group's or Microsoft's website. 
  • Remains. The attackers leave a back door open, just in case they want to enter again. 

Users should keep in mind that, while hackers made the worms to attack a specific website, the code doesn't expire or uninstall. Your computer could be infected now, or you could be working on a tainted machine from a message you don't even remember opening. 

Can the MyDoom virus hurt you? 

Any computer infected with MyDoom has an open backchannel that, in theory, attackers could hijack. Suddenly, you could be part of a zombie attack. 

If your computer is part of an attack like this, you might notice:

  • Sluggishness. Opening, closing, saving, or doing anything in Windows files could take much longer than expected. 
  • Irritation. If your computer starts sending random messages to everyone in your address book, you could get a few angry responses. 
  • Alerts. If you're on a managed network, your administrator might start asking why you need so much bandwidth to do your work. 

You may notice nothing at all, of course. Your computer may never be part of a new attack on a company or country. But that backdoor is still there, just waiting for hackers to use it. It will continue to be a security risk unless you act.

MyDoom defence approaches 

If you believe that you have been infected by MyDoom, seek out the problem and remove it. Then turn to prevention to ensure you're never infected again. 

If you believe you are infected:

  • Delete the file. Reporters say it's typically stored here: %system%\drivers\etc, where %system% is the Windows system folder: C:\windows\system32 for Windows XP, C:\winnt\system32 for NT/2000, or C:\windows\system for Windows 9x/Me.
  • Update Windows. The worm can only infect computers running Windows, and programmers know that. If you're not running the current version of Windows, amend that now. 
  • Run antivirus software. Download the latest patch so your antivirus software works against the latest threats. Then, run a complete clean of your system. 
  • Check. Reach out to people in your contacts, and ask them if you're sending them suspicious notes. Then, head to common antivirus websites and see if you can load the page. 
  • Repeat. If your computers are still infected, start over again. 
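
One way to automate the check step, as an added example that is not part of the original article: assuming the file under %system%\drivers\etc is the Windows hosts file, this Python script flags entries that pin security-vendor sites to a static address. The watchlist domains and the sample file are constructed placeholders.

```python
import ipaddress

# Assumption: the watchlist is operator-supplied; these are placeholder names.
WATCHLIST = {"av-vendor.example", "scanner.example"}

# Constructed sample hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
0.0.0.0         av-vendor.example
0.0.0.0 update.av-vendor.example www.scanner.example  # two names, one line
203.0.113.7     scanner.example
10.1.2.3        intranet.corp.example
not-an-ip       scanner.example
"""

def on_watchlist(host, watchlist):
    """Match the domain itself or any subdomain, case-insensitively."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname, blackholed) for each watched name
    that the hosts file pins to a static address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed entry, skip it
        # 0.0.0.0 / :: and loopback addresses make the site unreachable
        blackholed = ip.is_unspecified or ip.is_loopback
        for name in fields[1:]:
            if on_watchlist(name, watchlist):
                findings.append((line_no, str(ip), name.lower(), blackholed))
    return findings

if __name__ == "__main__":
    for line_no, addr, name, blackholed in audit_hosts(SAMPLE_HOSTS):
        verdict = "blocked" if blackholed else "redirected"
        print(f"line {line_no}: {name} {verdict} -> {addr}")
```

On a live machine, pass the contents of the hosts file and your own list of antivirus vendor domains to audit_hosts; any finding means that site is being resolved locally instead of through DNS.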

Worms like MyDoom rely on you to download the virus. That means you have opportunities for prevention. Start by paying attention to sender addresses. If you get notes from people you don't recognise, don't open the message at all. And never click attachments in email messages that look suspicious. 

If you work on security for a large company, ensure that all of your employees know these same rules. Encourage them to send you anything they think is suspicious, so you can check it for them.

