Mydoom.A: Timeline of an Epidemic

Mydoom.A is the fastest spreading malicious code in history, causing the greatest epidemic ever seen. It is now estimated that over half a million computers around the world have been infected, including many thousands of businesses.

In fact, 1 in 4 e-mails in circulation -a total of more than 8 million- have been infected by this worm.

Financial losses caused by Mydoom.A are incalculable. Last Thursday (Jan 29), CNN estimated that due to loss of productivity and costs of tech support, the damage could reach 250 million dollars.

The mi2g consultancy firm has estimated losses caused by this virus at 38.5 billon dollars.

And the costs of the Mydoom.A epidemic could continue to increase as the worm is designed to continue spreading until February 12. The rates of propagation has in fact remained constant with even the occasional increase.

To help users better understand the situation, Panda Software has published a timeline of the Mydoom.A epidemic since it first appeared.

Tuesday January 27.

The antivirus laboratories first detected the presence of the new worm. At the same time, tech support services began to receive the first incidents -almost continuously- in several countries around the world. Because of this, and as the worm itself was being analyzed and the antidote created, a red alert was declared.

The procedure for detecting a virus may be simple to explain, but it is no simple task. First and foremost, you need the malicious code itself. There are various sources. One of these is antivirus users sending suspicious files, either due to their own worries or because the heuristic scan engine has identified the file as suspicious.

IT experts then reverse engineer the virus code. They discover the internal code and the functions of the virus. At the same time, in an isolated network, several computers are infected. These test computers are set up to record how the virus behaves and its ability to spread.

Once this information is gathered, a “vaccine’ is generated. This involves finding an identifier or “signature’ for the virus and creating a mechanism for disinfecting it. This data is used to create an update to the antivirus, and is made available to users through the website.

However, there are still many computers without adequate, updated, antivirus protection. This meant that Mydoom.A spread unchecked. The worm is designed to spread rapidly via e-mail.

Mydoom.A however continued to spread rapidly, infecting numerous computers, and gradually confirming its place in history as one of the worst viruses ever.

Antivirus companies continued to warn users of the dangers, in particular to companies, as they are the chief target of the worm. Some companies were even reporting that their antiviruses were blocking up to 3,000 e-mails infected by Mydoom.A. trying to enter the network.

Estimates indicated that there were more than a million and a half e-mails infected by the worm in circulation, and up until then more than 150,000 computers around the world had been affected.

Wednesday January 28.

The Mydoom.A worm was still spreading rapidly. Latest statistics indicated that one in every twelve e-mails in circulation was carrying this malicious code. This figure significantly exceeds that reached by Sobig.F (1 in every 17) last summer and which, up until the previous day, was considered the fastest spreading virus ever.

According to data collected by Panda Software’s online antivirus, Panda ActiveScan, Mydoom.A had infected six times more computers than Bugbear.B, the second virus most frequently detected.

Similarly, it was estimated that 300,000 computers worldwide, including thousands of companies, had been infected by Mydoom.A.

Towards the end of the day, Mydoom.B appeared, a dangerous variant programmed to prevent antivirus applications from updating. The number of incidents caused however was not significant.

Thursday January 29.

Mydoom.A was still spreading rapidly. One in every five e-mails was carrying this worm, making four million infected e-mails currently in circulation. “Mydoom.A is not reaching higher rates because of the security measures that companies have adopted after being infected”, explained Luis Corrons, director of PandaLabs. “But” he added “it isn’t stopping either, as it is now hitting companies without protection that survived the first wave of infected messages.”

According to data collected by Panda Software’s online antivirus, Panda ActiveScan, Mydoom.A had infected six times more computers than Bugbear.B, the second most frequently virus detected. Corporate environments around the globe were hit the hardest by Mydoom.A, and for this reason, the number of infected computers reached 400,000.

Friday January 30.

The number of infections caused by the Mydoom.A worm seemed to have stabilized, but, it still caused almost six times more infections than Downloader.L, the second virus most frequently detected by Panda ActiveScan. An estimated 500,000 computers worldwide -mainly in corporate environments- had been infected by this malicious code. This demonstrated the magnitude of the activity of this worm, as even though hundreds of thousands of companies had already cleaned their computers, others were still being infected.

However, this worm was still spreading and there were 8 million infected e-mails in circulation, this meant that one out of every four e-mails was carrying the Mydoom.A worm.

As company activity was interrupted for the weekend, the epidemic is expected to cool off on Saturday. However, on Sunday, February 1, the worm was due to launch a distributed denial of service (DDoS) attack against SCO, in order to prevent users from accessing its website.

However, the fact that this worm’s activity was expected to drop off didn’t mean that users could drop their guard. Mydoom.A creates a backdoor in infected computers that allows unauthorized accessed to malicious users. In fact, a large amount of activity was detected on the Internet involving hackers looking for computers infected by Mydoom.A, which are therefore vulnerable to attack.

For this reason, Panda Software still advised users to install and set up firewalls. By doing this, they could prevent DDoS and hacker attacks, neutralizing the effects of this worm.

Saturday January 31.

As business activity slowed down, the epidemic slackened off, although the number of infections caused by Mydoom.A was still high.

Sunday February 1.

Mydoom.A started to launch its distributed denial of service attack (DDoS) against the web page of SCO. The web page became unavailable to users.

Monday February 2.

Despite a slight respite in activity over the weekend, the number of incidents remains high. As the working day began, Mydoom.A kicked back into action again in countries like Japan.

On a worldwide level, the number of infections caused by Mydoom.A is more than five times that caused by Downloader.L, the second most frequently detected by Panda ActiveScan. And as business activity resumes across the world, incidents are on the increase again.

As with the previous day, SCO’s website is out of action.

The Propagation Of Mydoom.A

With respect to Mydoom, measuring the rate of propagation is relatively simple with no need to use external detections. This virus searches for e-mail addresses in the affected computer, but in order to send e-mails, it needs to work out the name of the e-mail server used for each mail. To do this, it tries different combinations of SMTP server addresses, hoping that one will work.

This behavior however causes a disproportionate increase in attempts to resolve names in DNS servers. An observation of statistics generated in root servers gives an insight into virus incidence. The activity in DNS servers administered by RIPE (Reseaux IP Europeéns) over the last week, (rejected name resolutions), shows that the number of rejected requests is much higher than normal. This is due to attempts to resolve non-existent names.

However the number of queries received, although there is an increase, doesn’t reflect the same growth as those refused. In the week prior to the appearance of the virus, there were never more than 5..5 million requests, when the virus began to spread, it reached 7 million, less than double. However rejected queries increased more than 100 times.