The MyDoom worm is still out there
One of the interesting things that happens when you start paying attention to attachment types and tracking detected malware is that, well, you stumble over some things you didn't expect. So there I was, looking at our listing of recently rejected malware, when I saw:
[...] rejected 1bqFNH-0008Cv-8D from firstname.lastname@example.org to <redacted>: identified virus: W32/MyDoom-O
MyDoom is infamous, but it's also old; it dates from 2004. It's now more than ten years later and some computers are still sending MyDoom variants around to people. This is both an impressive testimony to the tenaciousness of certain sorts of things and a depressing sign of how slow security updates are to propagate around. Since we've been sent multiple MyDoom messages since we started logging these, there are clearly still a decent number of infected machines out there spewing malware spam out into the world.
This particular example is probably authentically old, as it was
trying to mail a
.scr file that wasn't even inside a ZIP archive.
Other variants we've seen have mailed
.bats inside ZIPs, or
.coms, or a few other extremely obvious bad file types that almost
no one allows through any more. In fact MyDoom is responsible for
us going out of our way to explicitly reject a few 'no one would
be crazy enough to send this, especially outside a ZIP file' file
types. Perhaps this is overkill but who knows, perhaps someday there
will be another mutation that our commercial anti-spam system doesn't
(That this was detected as malware instead of being rejected for file
types does mean that yes, we weren't rejecting
.scr file attachments.
Probably I should fix that. Sadly this kind of work can be a never
ending whack-a-mole saga as you just find more and more bad file types
to block. I would kind of like to stop paying attention to this at some
point, but the usual problem is in effect
here; having created logs, I feel a compulsion to look at them.)