A question that is often asked in the post-mortem of a worm outbreak incident is: "Why was this so successful?" On Jan. 26, several separate malware incidents occurred, but only one developed into a major threat -- the W32/Mydoom-A worm.
It seemed at first that W32/Mydoom-A was a variant of the W32/Mimail family, and indeed, some vendors detect it as W32/Mimail-R. Although it's fair to say that the Mimail family was a strong influence on W32/Mydoom-A, the code is different enough for it to be classed as a new family. Interestingly, earlier that same day, a new variant of the Mimail family, W32/Mimail-Q, was discovered. Only one of the two caused a problem. Why?
The difference seems to be a combination of characteristics. With W32/Mimail-Q, the generated e-mail subject lines contained words and phrases more likely to trip spam filters, or that simply looked more like spam to a reader. The attachment types were also likely to arouse suspicion, and were far more likely to trip the attachment-blocking filters that many larger corporations routinely employ. W32/Mydoom-A was slightly different in each of these respects, and I believe this was partly responsible for its greater success.
First, the subject lines were short and spam neutral -- such as "Hi," "Hello" and "Error."
Second, the body contained very little text, so again it was unlikely to trip a spam filter.
Third, the worm often employs the .zip extension for its attachments (as well as the more usual ones, such as .exe, .pif, .scr, .cmd and .bat). For a long time the prevailing wisdom held that sending things as .zip was in some way "safe"; consequently, such attachments are rarely blocked at corporate gateways. A .zip file is only a container, though: whatever executable it holds is just as dangerous once the recipient extracts and opens it, so a gateway that blocks .exe but waves .zip through without looking inside has not really blocked anything.
There are two ways of looking at this. One is that the message about not opening unsolicited attachments simply isn't penetrating the user population; the other is that it is penetrating, but we have shot ourselves in the foot by creating the false impression that files contained within a .zip file are safe. As an optimist, I would like to believe that the second explanation is the truer one, but unfortunately, recent worms such as W32/Bagel and W32/Swen-A show that in reality the message isn't getting through. In some cases, this can be explained by the fact that the attachment used the "text document" icon, although, of course, that icon would only be displayed in certain e-mail clients.
Fourth, the worm sent several messages to each recipient, rather than the more usual one. It also used guessed addresses to generate recipients, causing a large amount of bounce traffic, and those bounces (non-delivery reports) frequently carried the original message, attachment included, back to the apparent sender.
Last, W32/Mydoom-A made an attempt to establish itself before it was discovered. It included code that prevented the worm from sending its messages to a number of sites, including major antivirus vendors, some large companies and government organizations, in an effort to extend the window before samples reached the vendors. These factors, amongst others, may explain why W32/Mydoom-A was more successful than some other worms. The mass-mailing part of W32/Mydoom-A is set to expire on Feb. 12, but the backdoor Trojan component will remain active on infected machines after that date, so the expiry is no substitute for cleaning them.
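The third factor above is really a gateway design flaw: an attachment filter that matches only on the outer filename extension lets a .zip through no matter what it contains. The following is an added example, written for this page rather than taken from the article or any vendor product, of an extension-only filter beside one that opens ZIP attachments and applies the same block list to their members, recursing into nested archives with a depth limit and refusing archives that declare absurd member counts or sizes. The block list is the set of extensions the article names plus .zip; the sample attachments (a .pif, a .zip holding a .scr, a harmless .zip, and a nested one) are constructed here for illustration and are not samples of the worm.

```python
import io
import zipfile

# Block list assumed for this example: the "usual" worm extensions the
# article lists. A .zip is not blocked outright; it is opened and inspected.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".cmd", ".bat"}
MAX_DEPTH = 3                        # how many nested archives we will open
MAX_MEMBERS = 200                    # refuse archives with absurdly many entries
MAX_MEMBER_SIZE = 50 * 1024 * 1024   # declared-size cap per member (zip-bomb guard)


def ext_of(name):
    """Lower-cased final extension of a filename ('doc.txt.pif' -> '.pif')."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def naive_filter(filename, data):
    """Extension-only check, as many gateways of the time did: '.zip' passes."""
    return ext_of(filename) in EXECUTABLE_EXTS


def inspecting_filter(filename, data, depth=0):
    """Block if the attachment, or anything inside a ZIP it carries, has a
    blocked extension. Returns (blocked, reason). Fails closed on bad input."""
    ext = ext_of(filename)
    if ext in EXECUTABLE_EXTS:
        return True, "executable attachment %s" % filename
    if ext != ".zip":
        return False, ""
    if depth >= MAX_DEPTH:
        return True, "archive nested deeper than %d: %s" % (MAX_DEPTH, filename)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True, "malformed zip %s" % filename
    members = zf.infolist()
    if len(members) > MAX_MEMBERS:
        return True, "%s: too many members (%d)" % (filename, len(members))
    for info in members:
        if info.file_size > MAX_MEMBER_SIZE:
            return True, "%s: member %s declares %d bytes" % (
                filename, info.filename, info.file_size)
        inner_ext = ext_of(info.filename)
        if inner_ext in EXECUTABLE_EXTS:
            return True, "%s contains executable %s" % (filename, info.filename)
        if inner_ext == ".zip":
            try:
                inner = zf.read(info.filename)
            except (RuntimeError, zipfile.BadZipFile):
                # e.g. password-protected member we cannot open: fail closed
                return True, "%s: unreadable nested archive %s" % (filename, info.filename)
            blocked, why = inspecting_filter(info.filename, inner, depth + 1)
            if blocked:
                return True, "%s -> %s" % (filename, why)
    return False, ""


def build_zip(entries):
    """Constructed sample archive for the demo: entries is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachments():
    """Constructed test attachments; 'MZ' bytes stand in for a PE header."""
    return [
        ("invoice.pif", b"MZ\x90\x00"),
        ("doc.zip", build_zip({"doc.scr": b"MZ\x90\x00"})),
        ("report.zip", build_zip({"report.txt": b"quarterly figures"})),
        ("a.zip", build_zip({"b.zip": build_zip({"c.exe": b"MZ\x90\x00"})})),
    ]


if __name__ == "__main__":
    for name, data in sample_attachments():
        blocked, why = inspecting_filter(name, data)
        print("%-12s naive=%-5s inspecting=%-5s %s" % (
            name, naive_filter(name, data), blocked, why))
```

Run as a script, the output shows the gap the article describes: both filters stop invoice.pif, but only the inspecting filter stops doc.zip and the nested a.zip, while report.zip passes both. The depth, member-count and size caps matter in production because an inspecting filter is itself a new attack surface; without them an attacker can tie up the gateway with a nested or highly compressed archive.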
About the author
Andrew Lee is a founding member and administrator of AVIEN. He is also a WildList reporter, a member of Team Anti-Virus and an independent antivirus researcher. Andrew has presented papers at EICAR and written for Virus Bulletin magazine.
This was first published in February 2004