The MyDoom worm is still out there

October 2, 2016

One of the interesting things that happens when you start paying attention to attachment types and tracking detected malware is that, well, you stumble over some things you didn't expect. So there I was, looking at our listing of recently rejected malware, when I saw:

[...] rejected 1bqFNH-0008Cv-8D from 103.204.166.162/helending@tencent.com to <redacted>: identified virus: W32/MyDoom-O

MyDoom is infamous, but it's also old; it dates from 2004. It's now more than ten years later and some computers are still sending MyDoom variants around to people. This is both an impressive testimony to the tenacity of certain sorts of things and a depressing sign of how slowly security updates propagate. Since we've been sent multiple MyDoom messages since we started logging these, there are clearly still a decent number of infected machines out there spewing malware spam into the world.

This particular example is probably authentically old, as it was trying to mail a .scr file that wasn't even inside a ZIP archive. Other variants we've seen have mailed .bats inside ZIPs, or .coms, or a few other extremely obvious bad file types that almost no one allows through any more. In fact MyDoom is responsible for us going out of our way to explicitly reject a few 'no one would be crazy enough to send this, especially outside a ZIP file' file types. Perhaps this is overkill, but who knows; perhaps someday there will be another mutation that our commercial anti-spam system doesn't recognize.

(That this was detected as malware instead of being rejected for its file type does mean that yes, we weren't rejecting .scr file attachments. Probably I should fix that. Sadly this kind of work can be a never-ending whack-a-mole saga, as you just find more and more bad file types to block. I would kind of like to stop paying attention to this at some point, but the usual problem is in effect here: having created logs, I feel a compulsion to look at them.)
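As an added illustration of the kind of attachment-type rejection described above (this is my example, not the mail system or configuration the post is actually about), here is a small Python check that walks a message's MIME parts, flags attachments whose extension is on a blocklist, and also looks inside ZIP attachments for the same extensions. The blocklist below contains only the three types the post names (.scr, .bat, .com), and the sample messages are constructed inline so the script runs offline; treating an unreadable ZIP as a hit is an assumption of mine, on the grounds that an archive you can't inspect can't be cleared.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions to reject outright, whether bare or inside a ZIP.
# Only the types named in the post; a real deployment would use a longer list.
BLOCKED_EXTENSIONS = {".scr", ".bat", ".com"}


def _extension(name):
    """Lower-cased extension of a filename, including the dot ('' if none)."""
    name = (name or "").lower()
    idx = name.rfind(".")
    return name[idx:] if idx >= 0 else ""


def _blocked_in_zip(data, container):
    """Return 'container:member' for every blocked member inside a ZIP payload.

    Assumption: a ZIP we cannot parse is reported as a hit, since it cannot be inspected.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _extension(info.filename) in BLOCKED_EXTENSIONS:
                    hits.append(f"{container}:{info.filename}")
    except zipfile.BadZipFile:
        hits.append(f"{container}:<unreadable zip>")
    return hits


def find_blocked_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes) and list blocked attachment names.

    Each entry is either a bare attachment filename or 'archive.zip:member'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = _extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            hits.append(filename)
        elif ext == ".zip":
            hits.extend(_blocked_in_zip(part.get_payload(decode=True), filename))
    return hits


# --- constructed sample messages (not real mail) -----------------------------

def build_sample(attachment_name, data):
    """Build a two-part message with one attachment and return it as bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def build_zip(member_name, data):
    """Build an in-memory ZIP archive containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


SAMPLE_BARE_SCR = build_sample("document.scr", b"not a real screensaver")
SAMPLE_ZIPPED_BAT = build_sample("invoice.zip", build_zip("invoice.bat", b"@echo off"))
SAMPLE_CLEAN = build_sample("report.pdf", b"%PDF-1.4 placeholder")


if __name__ == "__main__":
    for label, raw in [("bare .scr", SAMPLE_BARE_SCR),
                       ("zipped .bat", SAMPLE_ZIPPED_BAT),
                       ("clean pdf", SAMPLE_CLEAN)]:
        hits = find_blocked_attachments(raw)
        print(f"{label}: {'REJECT ' + ', '.join(hits) if hits else 'accept'}")
```

The match is on the declared filename only, which is exactly the cheap, extension-based rule the post describes; it complements rather than replaces a malware scanner, since a renamed executable sails past it. Lower-casing the name matters in practice because `.SCR` and `.scr` are the same thing to Windows.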

Written on 02 October 2016.
Last modified: Sun Oct 2 01:36:56 2016