
MyDoom Worm
Malware Dissection Playbook
MyDoom is one of the most damaging worms ever discovered, first seen in 2004 spreading through malicious email attachments and peer-to-peer networks. At its peak, it powered a spam botnet responsible for nearly 25% of global email traffic.
The worm enabled mass spam campaigns, large-scale DDoS attacks, and backdoor access for remote control. While infections still persist in parts of Southeast Asia due to outdated systems, MyDoom is largely tied to cybercriminal activity rather than state actors.
Analysis
- Victim opens malicious email attachment (.exe disguised as .txt or .zip).
- Worm executes and copies itself to system directories.
- Harvests Outlook address book → mass-mails itself to new victims.
- Opens a backdoor (TCP 3127) for remote operator control.
- Joins a spam/DDoS botnet.
Execution Chain
Persistence
- Copies itself into system folders (%WinDir%\system32\) with random names.
- Creates registry run keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
Evasion
- Avoids infecting systems with .ru domains (to evade local law enforcement).
- Uses randomized filenames to evade static detection.
- Polymorphic variants released quickly after takedowns.
Networking
- Spam engine floods SMTP servers with mass mail.
- Opens TCP port 3127 as a remote control backdoor.
- Used botnet for DDoS campaigns against targets like SCO Group and Microsoft.
IOCs and Artifacts
This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.
Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.
File Artifacts
- C:\Windows\system32\taskmon.exe (worm copy)
- Randomized .exe names dropped in system folders
Registry Persistence
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
Patterns:
- Spread via malicious email attachments (subjects like “Error”, “Mail Delivery System”)
- Also spread via P2P (Kazaa) under enticing filenames
- Opens TCP 3127 for backdoor access
- SMTP spam engine → floods email servers
IPs and Domains:
- Many early C2s were hardcoded and long since defunct.
- Used peer-to-peer and hardcoded IP ranges for updates.
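As an added example that is not part of this playbook, the following Python runs the artifacts listed above (the TaskMon run key, taskmon.exe in system32, a listener on TCP 3127, and a burst of outbound SMTP connections from one host) over constructed endpoint telemetry; the event schema and the SMTP burst threshold are assumptions, not real sensor output.

```python
from collections import defaultdict

# Indicators taken from the playbook sections above
TASKMON_RUN_KEY = r"\software\microsoft\windows\currentversion\run\taskmon"
TASKMON_FILE = r"\system32\taskmon.exe"
BACKDOOR_PORT = 3127
# Assumed threshold: outbound SMTP connections from one host in the batch
SMTP_BURST_THRESHOLD = 20


def match_event(ev):
    """Return the detection names a single event dict triggers (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and ev.get("key", "").lower().endswith(TASKMON_RUN_KEY):
        hits.append("mydoom_run_key")
    if kind == "file_create" and ev.get("path", "").lower().endswith(TASKMON_FILE):
        hits.append("mydoom_taskmon_file")
    if kind == "network_listen" and ev.get("port") == BACKDOOR_PORT:
        hits.append("mydoom_backdoor_listen")
    return hits


def detect(events):
    """Aggregate per-host detections, adding the SMTP burst heuristic."""
    alerts = defaultdict(set)
    smtp_counts = defaultdict(int)
    for ev in events:
        host = ev.get("host", "unknown")
        for name in match_event(ev):
            alerts[host].add(name)
        if ev.get("type") == "network_connect" and ev.get("dst_port") == 25:
            smtp_counts[host] += 1
    for host, count in smtp_counts.items():
        if count >= SMTP_BURST_THRESHOLD:
            alerts[host].add("smtp_burst")
    return {host: sorted(names) for host, names in alerts.items()}


# Constructed sample telemetry (hypothetical hosts, not real logs)
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\system32\taskmon.exe"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon"},
    {"host": "ws01", "type": "network_listen", "port": 3127},
    {"host": "ws02", "type": "network_listen", "port": 443},
] + [{"host": "ws01", "type": "network_connect", "dst_port": 25} for _ in range(25)]

if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(host, names)
```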
References:
Securelist (Kaspersky) — The MyDoom Legacy
MITRE ATT&CK — Worm techniques: Email propagation, Registry persistence, Port opening
YourStory — The Worst Computer Virus of All Time: A Digital Plague Still Spreading
SmarterMSP — Tech Time Warp: Santy comes to town