Mydoom is a mass mailing and peer-to-peer (KaZaA) worm that targets The SCO group. This worm is spreading rapidly and went from a standing start to a category 4 rating at Symantec in one leap. It was first seen late Monday, Jan. 26, and, by Tuesday morning, Mydoom was already making the mainstream early morning news shows.

Another infection released this week, Mimail, is a polymorphic worm that is primarily intended to steal PayPal account information from infected systems. Mimail is difficult to detect because of the changing encrypted code, so antivirus vendors are releasing new decryption algorithms to deal with it. Of the two, Mydoom is by far the most widespread and fastest spreading, but it probably has a lower damage potential, except that it can clog up corporate mail systems and hog bandwidth. reports that these two worms are closely related.

This worm has spread like wildfire and will be difficult to recognize because there are various subject lines and attachment names. Even the attachment extension may appear as .pif, .scr, .exe, .cmd, .bat, or .zip.

According to Symantec (which also designates this malware as Novarg), the subject line will mostly appear to be some sort of error message related to e-mail. This could include: Test, Hi, Error, or Mail Transaction Failed. The origin of this worm might be self-revealing because, when it spreads, the code ignores any .edu e-mail extensions.

The worm collects addresses from infected systems in the following files:

  • .htm
  • .sht
  • .php
  • .asp
  • .dbx
  • .tbb
  • .adb
  • .pl
  • .wab
  • .txt

Also, according to the Symantec report, this worm will plant a backdoor and, on Feb. 1, 2004, it will attempt a DDoS. In fact, both Mydoom and Mimail plant a backdoor on infected systems. UDP 3127 is the port opened by Mydoom.

McAfee reports that when an infection occurs, Mydoom will open a copy of Microsoft Notepad filled with nonsense code and text. Also, according to McAfee, the target of the Feb. 1 DDoS attack is the URL.

In a very unusual move, CERT has published an Incident Report, IN-2004-01 on this worm, which, CERT reports, is also known as Shimg.

Mimail is the other mass mailing worm hitting users this week. It displays a very authentic-looking Windows expiration notice. After scaring users with this, the worm goes on to request every piece of personal information conceivable. When it collects any interesting cookie or other information from the infected computer, it mails the data to an anonymous e-mail account, and then Mimail opens a backdoor on the infected systems. This applies to port 3000 and port 6667 (listening server).

Both of these worms strike Windows systems only. Of course, the SCO target is indirectly a Linux/UNIX attack, but it is on the vendor and not on the operating system itself.

Mitigating factors
There are the usual mitigating factors that you have with most viruses. If you have trained your users not to open attachments, then they won’t get hit with either one of these worms. Also, keep in mind that both worms may require updated code for antivirus software to catch them.

Since the backdoor for Mydoom uses UDP port 3127, blocking port 3127 at your firewall will close the backdoor. McAfee also offers the limited free antivirus tool, Stinger, which can detect Mydoom and some other infections. The latest version, 1.9.7, was released on Jan. 26, 2004 and detects 34 different versions of malware, including both Mydoom and Mimail.

Final word
Due to its recent litigation against Linux, The SCO Group is very unpopular with the Linux community, so Mydoom may be the first serious incident of Linux users attacking a Linux/UNIX vendor, using a Windows vector.

Also, while it’s tempting to say that any people dumb enough to fill out the Mimail worm’s questionnaire deserve what they get, the worm also scans files in the background and is probably intended mostly to steal PayPal account information rather than to actually get social security numbers, telephone numbers, and other personal information.