The W32/MyDoom@MM Virus Fills Mailboxes; Forges Its "From:" Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The MyDoom virus infects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, receive plenty of email from MyDoom, so its "annoyance factor" is large.

• MyDoom was discovered 26 January 2004; it forges its From: address and uses a random Subject: line. The infected attachment has a random name as well, though it often will be named doc.bat, document.zip, message.zip, readme.zip, text.pif, hello.cmd, body.scr, test.htm.pif, data.txt.exe, or file.scr. The size of the attachment is about 23 KB; the email itself (before de-MIMEing) is about 33 KB.

  The body text usually is one of the following:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

  • The message contains Unicode characters and has been sent as a binary attachment.

  • Mail transaction failed. Partial message is available.

  or, in my experience, it may be random binary garbage.

  I trust it goes without saying that you should never open unsolicited email attachments!

  NAI provided an "extra.dat" file on the afternoon that day and released the 4319 drivers in the evening (Eastern time).

  As soon as the extra.dat file was available, the University implemented blocking of MyDoom on the email gateway; this, however, will not prevent one from receiving email caused by the virus. Since it forges its From: field, you may see the following if the virus forges email in your name:

  • Rejections from the recipient's ISP if the email address does not exist for which MyDoom sent the message
  • "Infection warnings" from brain-dead antivirus products on the recipient's email gateway: basically, this software is too stupid to realize (a) that the email was generated by a virus and should be deleted forthwith and (b) that even if it is going to send a message, it ought to send it to the actual victim, instead of the person whose address was forged.

• We released the VirusScan 4319 drivers -- which cover W32/MyDoom@MM explicitly -- at the University 23:41 EST 26 January 2004, so U-M Windows users who have VirusScan installed and updating itself automatically should have been able to detect MyDoom explictly (that is, by name) within an hour or so thereafter. If you opened infected email, though, and didn't have virus protection -- the virus probably bit you. NEVER open unsolicited email attachments, even when they appear to be from someone you know and trust. [Instead, email the sender to ask if s/he sent it, and what it is, and demand a sufficiently detailed answer that a virus would be unable to generate. Better yet, ask over the phone or in person; no virus can forge that!]

MyDoom definitely is out "In The Wild" in significant measure; it is generating a lot of email. Whether this is due to many infected machines, or to relatively few that are generating a lot of email each remains to be seen.

The main features of MyDoom are these:

• It send out a lot of infected attachments.

• It harvests email from many types of files, including addressbooks but also many more.

• It forges its From: field from one of these addresses, and sends to another.

• The Subject: line is random, but often will be blank, "Error", "Hi", "Hello", "Mail Delivery System", "Mail Transaction Failed" "Server Report", "Status", or "Test". These may be all caps, all lower case, or "normal mixed case."

• MyDoom can try to spread via peer-to-peer networks like KaZaA.

• It appears that MyDoom may contain a "Remote Access Trojan" (RAT) component, and that it can initiate a Denial of Service (DoS) attack against an ISP.

For more details, see the antivirus vendor URLs below.

Obviously, you should not attempt to open the attachment.... But then again, at the risk of sounding like a broken record: you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.

What should you do if:

• If know you are infected by MyDoom?

  Easy: disinfect with current, top quality antivirus software. University folks can get such software here. But I recommend that you do the following first:

  There is an excellent tool that handles only a few viruses, but it handles several nasty ones particularly well. Including MyDoom. It's NAI's free! Stinger tool (leaving our site). If you use Stinger, be sure to follow all the instructions they provide -- in particular, if you use WinME or WinXP, disabling System Restore. Otherwise, you'll be wasting time and effort. IN ADDITION I recommend booting in Safe Mode also.

  Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 84500+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.

  One more time: Stinger is for detection and removal only, not protection.

• You receive email you suspect is infected with MyDoom -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

For technical info on MyDoom, see e.g. Network Associates write-up on W32/MyDoom (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/mydoom.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB