What lessons can we learn from Mydoom-A?

A question that is often asked in the post-mortem of a worm outbreak incident is: "Why was this so successful?" On Jan. 26, several separate malware incidents occurred, but only one developed into a major threat -- the W32/Mydoom-A worm.

    Requires Free Membership to View

It seemed at first that W32/Mydoom-A was a variant of the W32/Mimail family, and indeed, some vendors detect it as W32/Mimail-R. Although it's correct to say that the Mimail family was a great influence on W32/Mydoom-A, the code is different enough for it to be classed as a new family. Interestingly, earlier that same day, a new variant of the Mimail family, W32/Mimail-Q was discovered. Only one of them caused a problem. Why?

The difference seems to be a combination of characteristics. With W32/Mimail-Q, the e-mail subject lines generated contained words and phrases more likely to trip spam filters, or that may look more like spam to a reader. The attachment types were also likely to arouse suspicion, and would be far more likely to trip the attachment blocking filters that many larger corporations routinely employ. W32/Mydoom-A was slightly different, and I believe this was somewhat responsible for its greater success.

First, the subject lines were short and spam neutral -- such as "Hi," "Hello" and "Error."

Second, the body contained very little text -- again it wasn't likely to trip a spam filter.

Third, the worm also often employs the .zip extension for its attachments (as well as the more usual ones, such as .exe .pif .scr .cmd and .bat). There was a time that the prevailing wisdom said sending things as .zip was in someway "safe," consequently such attachments are rarely blocked at corporate gateways.

There are two ways of looking at this. One is that the message about not opening unsolicited attachments simply isn't penetrating the user population; the other is that it's penetrating, but we have shot ourselves in the foot via the false impression that files contained within a .zip file are safe. As an optimist, I would like to believe that the second statement is the truer, but unfortunately, recent worms such as W32/Bagel and W32/Swen-A prove that the reality is the message isn't getting through. In some cases, this can be explained by the fact that the attachment used the "text document" icon -- though, of course, this would only be displayed in certain e-mail clients.

Fourth, the worm sent several messages to each recipient, rather than the more usual one. It used "guesses" to generate recipients, causing a large amount of bounce traffic, which also contained the attachment.

Last, W32/Mydoom-A made an attempt to establish itself before it was discovered, by including code within it that prevented the worm from sending its messages to a number of sites, including major antivirus vendors, some large companies and government organizations, to try to extend the window before samples got to the vendors. These factors, amongst others, may explain why W32/Mydoom-A was more successful than some other worms. The transmission part of W32/Mydoom-A is set to expire on Feb. 12, although the backdoor Trojan component will remain active.

About the author
Andrew Lee, is a founding member and administrator of AVIEN. He is also a Wildlist Reporter, member of Team Anti-Virus and independent antivirus researcher. Andrew has presented papers at EICAR and written for Virus Bulletin Magazine.

This was first published in February 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.