"This is the fastest spreading worm in Internet history. Itís apparent to us
that even with the broad media and industry attention, emails users will
continue to fall victim to the worm," said Scott Chasin, chief technology
officer, MX Logic. "At this point, we still have not seen the peak of the
wormís infection. It will be interesting to see what happens over the next
few days, especially after the first of February when the worm is expected to
execute its denial-of-service payload."
Also called "Novarg" or "WORM_MIMAIL.R," the MyDoom worm arrives in an email
as a .zip file attachment, which enables it to bypass traditional gateway
filters, and is typically named, for example, "document.zip," "message.zip,"
or "readme.zip." It can have various extensions, including ".exe.," "pif,"
".command," or ".scr" attachment. Many times, the email will appear to be an
error report stating that the message body canít be displayed and has instead
been attached in a file.
When the included attachment is opened, the computer immediately plants a
"backdoor" program that lets the worm author send commands to the infected
machine, possibly instructing the worm to distribute spam or enable IP
spoofing capabilities. MyDoom propagates by harvesting victim email addresses
from ten different file types. Additionally, the worm is set to initiate a
denial-of-service attack against the domain sco.com Feb. 1, 2004, through
Feb. 12, 2004.