Mydoom: The Fascinating Story Behind the World’s Fastest Computer Virus

Published
Virus Detected

Executive Summary

  • The Mydoom computer worm is a piece of malicious malware which was first discovered in 2004. It targets Windows-based machines, replicates itself via email attachments, and remains the fastest-spreading virus in history.

  • At the height of the first outbreak of Mydoom, the virus had infected over 50 million computers around the world and eventually caused an estimated $40 billion in damages. For a brief period, it even took down Google’s search engine.

  • The original author of the Mydoom worm is still unknown to this day, though the malware is – somewhat unbelievably – still infecting computers more than 15 years after it was discovered.


Introduction

On 26th January 2004, at around 13:00 UK time, the world of computer malware changed forever.

At that moment, emails began arriving in inboxes around the globe with unusual subject lines. The emails appeared to be errors of some sort, with a message suggesting that the user open the attachment in order to see the message itself.

By doing so, unsuspecting victims were laying the foundations of a botnet which would go on to cause billions of dollars in damage, infect over 50 million computers, and even take down Google’s search engine for almost a day.

On 26th January 2004, the Mydoom virus was born.

What is the Mydoom malware attack?

Mydoom is, from a certain point of view, the most successful computer virus of all time.

Transmitted via email, the singular goal of Mydoom is to infect computers, locate other email addresses on that computer, then send a copy of itself to those other email addresses. From there, it would simply repeat the process, spreading exponentially and creating a botnet which malicious parties could then use to carry out Distributed Denial of Service (DDoS) attacks.

The Mydoom virus relied on appearing as though it was a legitimate email which had somehow become corrupted, convincing users that the only way to read the message was to open the attachment. In truth, most people recognised the email for what it was: spam. Despite this, because of the way it can spread so easily, it only took a few unsuspecting victims to spread like wildfire.

And spread it did.

“I’m just doing my job”

Back in late January 2004, once the virus had spread to millions of computers all over the world, it essentially waited until 1st February, when it planned to begin a coordinated attack on the website of the SCO Group.

However, the website went down before this date, leading the SCO Group to post a bounty of $250,000 for anyone who had information about the creator of Mydoom. No one ever came forward, and the only clue as to the identity of the people behind Mydoom is that the first infected emails came from Russia. There was also a cryptic message in the body of some of the Mydoom emails that simply read: “andy; I’m just doing my job, nothing personal, sorry,”. This led some experts to believe that Mydoom was created by a third-party contractor who was, ethics aside, just doing his job.

There were actually two variants of Mydoom: Mydoom. A and Mydoom.B.

The two were similar, other than the fact that the A-variant seemed to be focused solely on SCO’s websites, whereas the B-variant also attacked Microsoft and the popular antivirus websites of the time.

The spread of Mydoom continued and finally hit its peak on 28th January 2004, when it was apparently responsible one in five of every email on the planet[KW1] [RL2] [RT3]  that day. At this stage, it’s thought at least 50 million computers were infected.

The end of the beginning

Of course, nothing lasts forever, so how did the initial spread of Mydoom actually end?

Well, in a way, Mydoom was the architect of its own downfall – or, at least, the B-variant was. You see, MydoomB had certain coding errors within it which prevented it from spreading as quickly as the initial version had done. This meant that, when it attempted the DDoS attack on Microsoft on 3rd February 2004, the botnet wasn’t actually big enough to take down their sites. (If that’s not evidence for Microsoft’s best-in-class cyber security protection, we don’t know what is).

Once this attack had failed, it seemed that the Mydoom incident was essentially over. In fact, it was programmed to be over.

On 12th February 2004, Mydoom.A stopped spreading.

On 1st March 2004, Mydoom.B stopped spreading.

Importantly, any computer which had been infected was still infected, meaning any backdoors created by this malware were essentially still wide open.

It wouldn’t take much for others to pick up the mantle of Mydoom and continue its nefarious strategy, and around this time Microsoft suffered another DDoS attack powered by the same botnet and referred to as “Doomjuice”. Luckily, once again, this attack failed to penetrate Microsoft’s cyber defences.

The ongoing legacy of the Mydoom malware

As time went on following the first outbreak of the Mydoom virus, several more attacks took place – all using variations of the original Mydoom worm.

In July 2004, a variant targeted Google, Lycos, and AltaVista – and it was largely successful. Though early days for the search engine, Mydoom managed to take down Google for almost an entire day – something that would be unthinkable today.

Additional variants labelled Mydoom C, F, and G/H were also discovered which were coded to specifically target Symantec, the well-known antivirus tech company.

In September 2004, further variants were identified and labelled Mydoom U, V, W, and X, though none of these came to anything in real terms[KW4] [RT5] .

As for where Mydoom is today, interestingly, there is still a level of circulation of those same infected emails from back in 2004. In 2019, analysis by Unit 42 showed that 1.1% of all email traffic with malware attachments were still Mydoom related[KW6] [RT7] . For such an old virus, that’s actually somewhat impressive – but it also means there are some people out there still falling for the oldest trick in the email malware book.  

Stop your business from falling prey to malware

While modern cyber security measures are more than prepared to identify and block old malware like Mydoom, the key element here is the same as always: human error.

While mistakes do happen, there are now technology-based solutions, such as Endpoint Detection and Response, which can help detect and resolve malware attacks even after they’ve happened. The other piece to this is internal training on the most common malware and IT support scams today.

If you’re concerned about your company’s cyber security, we’re here to help. From dealing with malware to managing everyday IT matters, our IT support agreements can keep your business safe and secure. Want to know more? Call the team today on 01865 594 000 or just fill in the form below.


Depedning on which source I look at this seems to range from 1/5 to 1/12, most appear to cite 1/12 [KW1]

I can see this https://en.wikipedia.org/wiki/Mydoom and a refence to this might be good enough? [RL2]

Yep, on that link it does state “Mydoom is responsible for roughly one in five e-mail messages at this time”. I will add a link. [RT3]

Variants, C,FG/H Targeted Symantic https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069 [KW4] [KW4]

Added! [RT5]

Is this not 1.1% of malware emails are Mydoom? [KW6]

Good catch! Updated. [RT7]

Latest From The Blog

Microsoft is Finally Killing the Control Panel… Or Is It?  

Microsoft is finally saying goodbye to the Control Panel in favour of the Settings app. But is there more to this story than meets the eye?

A Fond Farewell to Microsoft Publisher

After a 33-year career, Microsoft announced that Microsoft Publisher will finally reach end of life status in October 2026.

Microsoft 365 Copilot Release Roundup: June & July 2024

Discover the latest and greatest updates for Microsoft Copilot released during June and July 2024. Includes the new “Catch-up” feature, AI-powered PDFs, and more.