
Destructive 15-Year-Old Worm Still Infecting New Systems

MyDoom, a 15-year-old malware strain that still holds the record for the fastest-ever worm spreading via email, is still actively attacking systems today, researchers have warned.

The malware made headlines when it first appeared in 2004, breaking previous records held by Sobig and ILOVEYOU, and that initial speed of transmission has not been surpassed to this day.

MyDoom makes infected Windows systems part of a botnet that can carry out destructive denial-of-service attacks.

The speed of its initial transmission allowed one variant to build a botnet so large that it was able to successfully take down Google on 26 July, 2004, rendering the search engine unusable for the better part of a workday.

Spam botnet

The botnet also slowed the operations of other search engines including AltaVista and Lycos.

MyDoom turns infected systems into servers that send junk email messages, and at one point it accounted for 25 percent of all email being sent worldwide.

The malware also spreads itself via the same method, sending itself to people in the system’s contact lists.

Its activity has declined relative to that of other malware over the years, but MyDoom is still highly active 15 years after its first appearance, said researchers at Unit 42, a unit of Palo Alto Networks.

One percent of all emails containing malware this year have been infected with MyDoom, they said, adding that the malware has caused an estimated $38 billion (£31bn) in damage over its lifespan.

Destructive

“First seen in 2004, MyDoom is still active today – a testament to its original destructiveness,” wrote Unit 42 researcher Brad Duncan in an advisory.

“Enough infrastructure has remained infected throughout the years that we continue to see MyDoom in today’s threat landscape.

“Although a relatively small percentage of malware-based emails contain MyDoom, this malware remains a constant presence.”

The firm said MyDoom remains so prevalent today because it can remain undetected on a user’s system indefinitely, working behind the scenes to find new addresses to send copies of itself to.

Most of the systems distributing the malware today are in China, followed by the US and the UK, while the targets are spread across the world.

The infected emails often use subject lines indicating that a message has failed to get through and prompting the recipient to open the attachment to find out why.

But other subject lines include random characters, “hi”, “hello” and “Click me baby, one more time”.

Such simple measures are likely to remain effective as long as people continue to open attachments, Unit 42 said.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
