Mydoom.A is a worm that spreads via e-mail in a message with variable characteristics and through the peer-to-peer (P2P) file sharing program KaZaA. Mydoom.A launches DDoS (Distributed Denial of Service) attacks against the website www.sco.com if the system date is between February 1 and February 12, 2004. It does this by sending `GET / HTTP/1.1` requests every 1,024 milliseconds. On February 12, 2004, the worm finishes its payload; from then on it terminates whenever it is activated. Mydoom.A drops the DLL (Dynamic Link Library) SHIMGAPI.DLL, which creates a backdoor, opening the first available TCP port in the range from 3127 to 3198. This backdoor component allows an attacker to download and run an executable file, and acts as a TCP proxy server, allowing a hacker to gain remote access to network resources. Note: on February 10, 2004, a new variant of this worm was detected by PandaLabs. This new variant carries out the same actions as the original, but it is compressed with UPX.
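The two host-side indicators named above (a listener on the first free TCP port in 3127 to 3198, and the February 1 to 12, 2004 DDoS window) can be checked with a small triage script. The following is an added example, not code from the original description or from PandaLabs; the `netstat -an` style output it parses is constructed sample data, and the helper names (`listening_tcp_ports`, `assess_host`) are the example's own.

```python
import re
from datetime import date

# Indicators taken from the description: the dropped SHIMGAPI.DLL backdoor
# listens on the first available TCP port in 3127-3198, and the DDoS payload
# is active only while the system date falls in 1-12 February 2004.
BACKDOOR_PORT_RANGE = range(3127, 3199)
DDOS_WINDOW_START = date(2004, 2, 1)
DDOS_WINDOW_END = date(2004, 2, 12)

# Constructed sample of `netstat -an` output for a Windows host (not captured
# from a real infection); one LISTENING socket falls inside the backdoor range.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
TCP    192.168.1.5:3389       0.0.0.0:0              LISTENING
TCP    192.168.1.5:49152      10.0.0.9:443           ESTABLISHED
UDP    0.0.0.0:137            *:*
"""

# Matches only TCP sockets in LISTENING state; the port is the digits after
# the last colon of the local address.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_tcp_ports(netstat_output: str) -> list:
    """Return every local TCP port in LISTENING state, in file order."""
    ports = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def suspicious_backdoor_ports(ports) -> list:
    """Filter listening ports down to those inside the Mydoom.A backdoor range."""
    return sorted(p for p in ports if p in BACKDOOR_PORT_RANGE)


def in_ddos_window(today: date) -> bool:
    """True if the worm's DDoS payload against www.sco.com would be active."""
    return DDOS_WINDOW_START <= today <= DDOS_WINDOW_END


def assess_host(netstat_output: str, today: date) -> dict:
    """Combine both indicators into a small triage verdict for one host."""
    ports = listening_tcp_ports(netstat_output)
    hits = suspicious_backdoor_ports(ports)
    return {
        "listening_ports": ports,
        "suspicious_ports": hits,
        "ddos_window_active": in_ddos_window(today),
        "backdoor_suspected": bool(hits),
    }


if __name__ == "__main__":
    print(assess_host(SAMPLE_NETSTAT, date(2004, 2, 5)))
```

A listener in 3127 to 3198 is not proof on its own, since any process may bind there; treat it as a prompt to look for SHIMGAPI.DLL on disk and to capture outbound traffic to www.sco.com during the window before declaring an infection.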