MyDoom Worm is Still Alive

Delaware, USA – July 30, 2019 – The fifteen-year-old worm is not just alive but also generates more than 1% of emails with malicious attachments worldwide. Now, of course, it is less of a threat than in 2004, but its capabilities and polymorphic nature leave malware “afloat”. A recent analysis by Brad Duncan, Palo Alto Networks Unit 42, shows that the MyDoom email worm remains in the top ten of the most destructive malware, and caused tens of billions of dollars damage throughout its existence. MyDoom worm is distributed via email attachments, executables or their archived versions. After the system is infected, the malware collects email addresses saved on the machine and starts sending malicious emails disguised as delivery reports from spoofed email addresses. The worm also attempts to connect to IP addresses over TCP port 1042 and opens a backdoor on TCP ports 3127 through 3198. Later, attackers can connect to the system to infect it with other malware.

Since this spring, there has been a surge in the activity of MyDoom email worm, the most its targets are located in China and the United States. On average, 80-110 thousand malicious emails are sent a month, targeting various industries. For 15 years, the malware has not been destroyed, and there are still dozens of thousands of infected systems with open ports in the world that send malicious emails. To detect this worm, you can use the free rules for multiple security platforms available on the Threat Detection Marketplace.
MyDoom Email Worm Detector (Sysmon Behavior) – Rule by Lee Archinal: https://tdm.socprime.com/tdm/info/2303/