Talk:Mydoom (computer worm)

From Wikipedia, the free encyclopedia


From main:

The worm has three notable payloads: (snipped 2)

  • A spam advertisement for Viagra.

The bit on Viagra seems a bit dubious - a Google news search for "Viagra" + "Mydoom" only brings up a couple of hits, and the analysis pages on Virus Encyclopedia and Symantec don't seem to mention it. Evercat 15:10, 28 Jan 2004 (UTC)

Hmm. I put that one in having read it "somewhere". But you're right, I can't find it on any of the pages to do with the worm so far. Yes, leave it out for now. - David Gerard 15:21, Jan 28, 2004 (UTC)

I've never understood where the names of viruses and worms come from. Can anyone add etymology to this article? --Spikey 02:37, 29 Jan 2004 (UTC)

Computer virus has etymology for that term. Seems to me that etymology notes belong on their respective pages and not here. Tempshill 05:27, 29 Jan 2004 (UTC)
I think Spikey means where do names like Mydoom and Novarg come from? I think the answer is just that these are the names assigned them by different antivirus companies, but I could be wrong. Evercat 13:48, 29 Jan 2004 (UTC)
That's pretty much the case - they're named by the virus researchers themselves. All the research teams talk to each other (even though their companies compete), and they try to keep some standards to naming, but since they're discovering the things simultaneously the viruses end up with multiple names. (I used to work for an antivirus company.) - David Gerard 14:19, Jan 29, 2004 (UTC)

Useful references for anyone with a moment to do some revision:

  • [1] - Bruce Perens claims its purpose is to send Viagra spam. That doesn't say the virus contains it, of course.
  • [2] - it appears to have originated in Russia. Symantec says it also includes a key logger.
  • [3] - "almost certainly funded by e-mail spammers ... professionally created with a criminal profit motive".
  • [4] - analysis and disassembly of the worm. Condensing this for a ==Technical analysis== section would be excellent.
  • [5] - Mydoom.B, which targets microsoft.com.

- David Gerard 14:19, Jan 29, 2004 (UTC)


The letters on the end of a virus name (indicating a variation) are conventionally capitalised - hence "Mydoom.B". - David Gerard 22:55, Jan 29, 2004 (UTC)


Since 4 or 5 months ago I always have been flooded with "recepient not available" emails with .exes attached with them. In fact that is the only mail worm I have ever got, certainly at that high a volume. In fact I havent gotten any so far from this mydoom virus. What is the name of the older virus?

Sounds like Swen. (Which doesn't presently have an entry - wanna research and write one?) - David Gerard 08:09, Jan 30, 2004 (UTC)

Do we actually have solid verification that the SCO-attacking payload has worked? I mean greater verification than SCO's site being offline, which doesn't verify a thing - remember that during the first "DOS", it was routinely up during business hours then off at night! Is there anything from their ISP, from standard routes to www.sco.com and so on? - David Gerard 18:04, Feb 1, 2004 (UTC)

I think it must have done - sco.com appears to have been taken out of the DNS at this point. But anyway, see [6]:
"This large scale attack, caused by the MyDoom computer virus that is estimated to have infected hundreds of thousands of computers around the world, is now overwhelming the Internet to requests www.sco.com," Jeff Carlon, SCO's director of Information Technology, said in a statement.
Not to put too fine a point on it, but SCO are generally lying weasels. If they said the sky was blue, I'd look outside. Remember that they claimed the DOS had already hit them. I really wouldn't put in that the attack is actually happening without some independent verification. Also, being taken out of the DNS would have nothing to do with whether the DOS was in progress. See http://news.netcraft.com/ - David Gerard 19:16, Feb 1, 2004 (UTC)

David: My reference for the downing of SCO's site came from mi2g, which stated: (1730, 31 Jan 04 news release) "As of 12:00 hours GMT, the SCO web site has been intermittently accessible only. Ping requests have been timing out as parts of the page have been taking over 10 minutes to download. As of 17:00 hours GMT the www.sco.com web site is refusing to download completely." I'm sure you're a better judge of the validity of such statements than I, so I'll gladly defer to you on these matters. - Seth Ilys 20:23, 1 Feb 2004 (UTC)

For the joy of SCO, check http://groklaw.net/ . You'll feel a bit icky afterwards, though. Their site has been up and down like a yoyo all year. The last time a DOS on SCO was confirmed was when their ISP said so too. I'll change it to 'reported' or something that, er, sounds much more NPOV than I actually feel about them - edits accepted, obviously ;-) - David Gerard 20:37, Feb 1, 2004 (UTC)
I just did a traceroute to the SCO IP address which dig gives as 216.250.128.12:
4 251.ge6-0.mpr1.lhr1.uk.above.net (213.161.78.85) 12.387 ms 14.480 ms 12.780 ms
5 so-4-1-0.cr1.lhr3.uk.above.net (208.184.231.174) 14.586 ms 14.848 ms 12.379 ms
6 so-7-0-0.cr1.dca2.us.above.net (64.125.31.186) 93.645 ms 92.166 ms 89.264 ms
7 so-0-0-0.cr2.dca2.us.above.net (208.184.233.122) 90.838 ms 82.902 ms 83.271 ms
8 so-6-0-0.cr2.iad1.us.above.net (208.184.233.130) 86.569 ms 93.613 ms 97.186 ms
9 so-3-0-0.mpr1.iad2.us.above.net (209.249.0.214) 96.240 ms 105.490 ms 97.558 ms
10 so-3-0-0.mpr1.iad10.us.above.net (64.125.30.117) 84.397 ms 82.598 ms 85.769 ms
11 * * *
Anyone in Utah want to give the local above.net NOC a call? :-) - David Gerard 20:42, Feb 1, 2004 (UTC)
SCO said [7] on Saturday that MyDoom hadn't hit them yet, and claimed ISPs had been blocking them. (They claimed for days before, also in an SEC filing no less, that it had hit already.) Now they claim [8] that the attack began Saturday evening.
Netcraft has also called BS on SCO's claims of any attack at all [9] - SCO's hostmaster in fact removed www.sco.com from the DNS, meaning any attacks go nowhere. Other hosts on the same subnet are alive and well. [10]
We have no independent verification that the attack has even occurred. I really would suggest waiting for some before claiming it even did. - David Gerard 11:28, Feb 2, 2004 (UTC)
The fact that SCO have gone to the trouble of moving the site to http://www.thescogroup.com/ suggests that the attack has indeed occurred. Arkady Rose 15:56, 2 Feb 2004 (UTC)
No doubt SCO have good reasons for suggesting that an attack has indeed occurred. However that is by no means independent verification of an attack. -- Derek Ross 16:38, 3 Feb 2004 (UTC)
Removing www.sco.com from the DNS is a precaution suggested to them by many, including Netcraft - just in case the worm did hit. It's a sensible move, but doesn't say anything about whether an attack occurred or not.- David Gerard 09:45, Feb 4, 2004 (UTC)

I can't find a reference to the French-text version of Mydoom anywhere. Maybe I'm looking in the wrong place... - Seth Ilys 20:25, 1 Feb 2004 (UTC)

The only place I've seen it mentioned is here ... - David Gerard 20:37, Feb 1, 2004 (UTC)
Removing. - Seth Ilys 16:31, 3 Feb 2004 (UTC)

I just removed a link to a site, http://www.vyr.us/ , that claims to offer a download of the virus - you'll see it in the page history. Does anyone else think this is a good (as in encyclopaedic) idea? I'd think the technical analysis and disassembly would be quite enough myself ... (Mind you, I was amused that WINE is apparently sufficiently functional to run it ;-) - David Gerard 22:30, Feb 1, 2004 (UTC)

  • I agree that linking to those downloads isn't necessary (though I doubt it's illegal - if I tell you you can buy guns at store X, and you go get one and shoot your wife, I'm not liable). That said - given the lack of native viruses for Linux, this is an important step for those of us who feel like an important software category has left us behind :) Pakaran. 22:36, 1 Feb 2004 (UTC)

" Whether or not the worm was written by a Linux user or advocate, it is important to note that it is next to impossible to infect a linux system directly, though there have been claims of running the worm under WINE."

The two halves of that sentence don't really go together; the first half adds no new information to the entry, and the second half doesn't really belong in this paragraph (origins of the virus). I wonder how worm-compatible WINE is in general ... I've heard of WINE being complete enough to run viruses and worms quite "well" some time before this, over a year ... - David Gerard 15:14, Feb 10, 2004 (UTC)

Of course not. The whole "Linux user or advocate" thing does not even rise to the level of speculation. Anyone familiar with the worm outbreaks of the past year or so -- consider Fizzer, Sobig, and Mimail in particular -- recognizes the pattern of a worm that distributes a DoS and a backdoor that can be used to send spam. Anti-spam experts like Spamhaus [11] know what these viruses are meant to do, because they've observed the actual spam that comes out of virus-infected hosts. There are even a couple of spam block lists which specifically target virused hosts -- not because these hosts send viruses, but because the spammers use them to send spam. [12]
Why did the SCO thing receive so much press? It's easy for reporters to understand, and SCO trumpeted its victim status to the skies. They were claiming to have been taken down by the DoS days before the worm was actually set to start the DoS. [13] --FOo 15:59, 10 Feb 2004 (UTC)
Doesn't mean they weren't getting hit before the target date. Bet there are a lot of systems out there with wrong system clocks... Er.
Fri Jun 3 20:21:31 EDT 2005
Mine, for example. :P --68.66.187.125 07:22, 4 Jun 2005 (UTC)