
Why MyDoom has spread so fast

It's the fastest-spreading worm so far - but why? There are steps we can all take to stop it growing
Written by Robert Vamosi, Contributor

It's official: MyDoom is the fastest spreading email virus or worm in computer history, beating out last August's SoBig.f. Security services firm MessageLabs reports that MyDoom, at its peak last Tuesday, was responsible for one out of every 12 emails. That compares with one out of every 17 emails for SoBig.f.
  
You can protect your PC, and stop viruses from spreading, by updating your antivirus software regularly and installing a personal firewall such as ZoneAlarm.

But what's even more incredible is that MyDoom does nothing special; instead, it relies largely upon classic, tried-and-true email infection methods dating back at least four years. Which means we have only each other to blame for this outbreak.

So how did MyDoom do it? According to F-Secure, a Finnish antivirus company, MyDoom employed classic social engineering techniques. The author of MyDoom (which gets its name from a misspelling in the code for "my doomain," hence "MyDoom") crafted basic messages that looked like they could be legitimate emails.

The subject lines said things like "Mail transaction failed", "Server report", "Test" or simply "Status". The body text read, "The message cannot be represented in 7-bit ASCII." This prompted many otherwise computer-savvy individuals to open the ZIP file attachment, and thus launch the virus on their system.

MyDoom also spread among KaZaa users, depositing a copy of itself in that program's shared file folder, again with enticing names such as "office_crack" and "rootkitXP".

To further increase its impact, MyDoom struck in the middle of the workday in the United States -- prime time for email usage. Businesses have long been the target of email worms because of the rich diversity of email addresses that pass through corporate mail servers. A worm that infects a multinational corporation could find itself spreading to several countries within minutes. Also, because MyDoom used the common ZIP file format, it was able to sneak through most corporate email gateway filters in the first few hours of the attack.

To slow the spread, many corporations have since disallowed ZIP file attachments on their networks, further compromising worker productivity in addition to the already slow email delivery.
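The lure described above (a handful of fixed subject lines, the "7-bit ASCII" body text, and a ZIP attachment) is a combination of indicators, which is why a gateway can score messages on that combination rather than banning every ZIP and paying the productivity cost the article mentions. The following is an added example of such a triage check, not code from the article or from any vendor it names; the indicator strings come from the article, while the quarantine threshold and the two sample messages are constructed for the demonstration.

```python
# Added example, not from the original article: score an incoming message on
# the MyDoom lure indicators quoted in the text (subject line, body phrase,
# ZIP attachment) instead of rejecting every ZIP outright. The indicator
# strings are taken from the article; the threshold of two matching
# indicators and the sample messages below are assumptions/constructed.
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article quotes, compared case-insensitively.
MYDOOM_SUBJECTS = {"mail transaction failed", "server report", "test", "status"}
# Body text the article quotes, compared case-insensitively.
MYDOOM_BODY_PHRASE = "the message cannot be represented in 7-bit ascii"
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons) for a raw RFC 822 message; one point per indicator."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")

    # get_body() returns the text part of a multipart message, or the message
    # itself when it is a plain single-part mail.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if MYDOOM_BODY_PHRASE in text:
        reasons.append("body carries the 7-bit ASCII lure text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".zip") or ctype in ZIP_TYPES:
            reasons.append(f"ZIP attachment: {name or ctype}")

    return len(reasons), reasons


def should_quarantine(raw: bytes, threshold: int = 2) -> bool:
    """Quarantine only when at least `threshold` indicators line up (assumed policy)."""
    return score_message(raw)[0] >= threshold


def build_sample(subject: str, text: str, zip_name: str = "") -> bytes:
    """Construct a sample message; the ZIP payload is a fake, not a real archive."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(text)
    if zip_name:
        m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                         maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()


# Constructed samples: the lure as the article describes it, and a legitimate
# ZIP attachment that a blanket ZIP ban would wrongly block.
LURE = build_sample("Mail transaction failed",
                    "The message cannot be represented in 7-bit ASCII.",
                    "message.zip")
BENIGN_ZIP = build_sample("Q1 figures", "Attached as discussed.", "figures.zip")

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN_ZIP)):
        score, reasons = score_message(sample)
        print(f"{label}: score={score} quarantine={should_quarantine(sample)} {reasons}")
```

The benign message scores one point (the ZIP alone), so it passes, while the lure scores three and is held; a gateway that only keys on the attachment type cannot make that distinction.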

The final secret to MyDoom's success is its ability to guess email addresses by randomly combining common user names with domain names. The domains ".msn", ".yahoo" and ".hotmail" are hard-coded into the worm code. Add in some random collections of letters before an "@" symbol, and MyDoom is able to "create" email addresses and spam those domains with bogus messages. This prompts the servers at those domains to fire back the familiar "address undeliverable" messages, which add still more traffic and further slow down the flow of email on the Net.

While MyDoom sticks mostly to the virus-spreading basics, it does have at least one sophisticated capability: it appears to be building a network of infected machines. After infecting a system, MyDoom opens TCP ports 3127 through 3198, presumably to listen for instructions from the worm's author. These may tell the system how to upgrade to the latest variant or launch a distributed denial-of-service attack.
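Because the article pins the backdoor to a fixed range of listening TCP ports, an administrator can check a machine for it from ordinary `netstat -an` output. The following is an added example of that check, not code from the article; the port range 3127 through 3198 is the article's, while the assumption that the backdoor appears as a LISTENING TCP socket in Windows netstat format, and the sample output, are constructed for the demonstration.

```python
# Added example, not from the original article: flag listening TCP sockets
# in the port range the article attributes to the MyDoom backdoor
# (3127-3198 inclusive). Input is Windows `netstat -an`-style text; the
# sample below is constructed, and the assumption is that the backdoor
# shows up as a LISTENING TCP socket as the article describes.
import re

MYDOOM_PORTS = range(3127, 3199)  # 3127..3198 inclusive

# One netstat line: "TCP  <local-addr>:<port>  <foreign-addr>  LISTENING".
# The greedy \S+ backs off to the last ':' so IPv6 forms like [::]:3127 parse too.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def suspicious_listeners(netstat_output: str) -> list[tuple[str, int]]:
    """Return (local address, port) for every TCP listener inside MYDOOM_PORTS."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header, UDP, or a non-listening connection
        addr, port = m.group(1), int(m.group(2))
        if port in MYDOOM_PORTS:
            hits.append((addr, port))
    return hits


# Constructed sample: normal Windows listeners plus one socket in the range.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.7:25        ESTABLISHED
  UDP    0.0.0.0:3127           *:*
"""

if __name__ == "__main__":
    for addr, port in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"listener in MyDoom backdoor range: {addr}:{port}")
```

Only listening TCP sockets are reported; the UDP line on the same port and the established outbound connection are ignored, and a legitimate service that happens to use a port in this range would need to be allow-listed by the administrator.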

This is a trick learned from recent worms like Sobig, MiMail and Bagle. What it means is that subsequent variations of MyDoom won't have to entice users to open its messages; it'll already have a base of several thousand infected computers from which to broadcast itself the next time around.

A variation of the worm, MyDoom.b, already exists. It's virtually the same as MyDoom.a, except that it instructs infected computers to launch a denial-of-service attack on Microsoft.com. Because of this, Microsoft has offered a $250,000 reward for information leading to the arrest of MyDoom's creator or creators. MyDoom.b appears to have many flaws, so it hasn't spread as quickly as its predecessor. But don't breathe a sigh of relief yet -- someone, somewhere will probably have fixed the buggy code and sent out a MyDoom.c by the time you read this.

As with most worms, we have to fight MyDoom one computer at a time. You can do your part to stop it and other worms, too, by updating your antivirus protection regularly. For additional protection, I recommend a personal firewall; in particular, check out the free version of ZoneAlarm 4.5. ZoneAlarm has some antivirus capabilities, but more importantly, it prevents any malicious code that lands on your hard drive from contacting other systems on the Internet.

You can also sign up for the United States Computer Emergency Response Team's new Cyber Alert System. It's free, and promises to email you regarding the latest threats to your PC.

MyDoom may be the quickest worm ever. But we don't have to let its creators continue to afflict us with subsequent variations. I promise to do my part -- now will you do yours?
