MyDoom Still Active in 2019


MyDoom is an infamous computer worm first noted in early 2004. This malware has been featured in top ten lists of the most destructive computer viruses, causing an estimated $38 billion in damage. Although now well past its heyday, MyDoom continues to be a presence in the cyber threat landscape.

While not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 percent of all emails we see with malware attachments. We continue to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States running a distant second. These emails are sent to recipients across the world, mostly targeting high tech, wholesale, retail, healthcare, education, and manufacturing industries.

This blog tracks MyDoom activity in recent years and focuses on trends during the first six months of 2019.

2015 through 2018

MyDoom propagates through email using SMTP. We compared emails containing MyDoom attachments with emails containing any type of malware attachment. In the four-year period from 2015 through 2018, an average of 1.1 percent of malicious emails contained MyDoom. Among individual malware samples during the same period, MyDoom accounted for an average of 21.4 percent of all individual malware attachments seen in malicious emails.

Why is the percentage of MyDoom emails so much lower than the percentage of MyDoom attachments? Because many malicious email campaigns send the same malware sample to hundreds or thousands of recipients. MyDoom is polymorphic and tends to have a different file hash for each of the emails we find. Therefore, while the number of MyDoom emails is relatively low, the number of MyDoom samples is high compared to other malware distributed through email. Table 1 contains the statistics for 2015 through 2018.

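| Year | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples |
|------|---------------|---------------------------|--------------------|----------------|-----------------------|---------------------|
| 2015 | 574,674 | 27,599,631 | 2.1% | 87,119 | 615,386 | 14.2% |
| 2016 | 589,107 | 77,575,376 | 0.8% | 142,659 | 960,517 | 14.9% |
| 2017 | 309,978 | 79,599,864 | 0.4% | 95,115 | 340,433 | 27.9% |
| 2018 | 663,212 | 64,919,295 | 1.0% | 150,075 | 528,306 | 28.4% |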

Table 1. MyDoom statistics from 2015 through 2018.
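
The gap between the two percentage columns in Table 1 comes from counting messages versus counting distinct file hashes. The following sketch is an added example, not code from the original post: it computes both shares from a constructed mail log, and the family names, message counts, and payload bytes are all assumptions made up for illustration.

```python
import hashlib
from collections import Counter, defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_constructed_log():
    """Constructed sample data: one (family, attachment_sha256) row per email."""
    rows = []
    # Two static campaigns: every message carries a byte-identical attachment,
    # so hundreds of emails collapse into a single sample hash.
    for family, copies in (("static_campaign_a", 600), ("static_campaign_b", 380)):
        digest = sha256_hex(family.encode())
        rows += [(family, digest)] * copies
    # Polymorphic family: each attachment differs slightly (modelled here by a
    # per-message counter in the hashed bytes), so every email yields a new hash.
    for i in range(20):
        rows.append(("polymorphic_family", sha256_hex(b"payload" + i.to_bytes(4, "big"))))
    return rows

def family_shares(rows):
    """Return {family: (pct_of_emails, pct_of_unique_samples)}."""
    emails = Counter(family for family, _ in rows)
    samples = defaultdict(set)
    for family, digest in rows:
        samples[family].add(digest)
    total_emails = sum(emails.values())
    total_samples = len({digest for _, digest in rows})  # distinct hashes overall
    return {
        family: (
            round(100 * emails[family] / total_emails, 1),
            round(100 * len(samples[family]) / total_samples, 1),
        )
        for family in emails
    }

if __name__ == "__main__":
    shares = family_shares(build_constructed_log())
    for family, (email_pct, sample_pct) in sorted(shares.items()):
        print(f"{family:20s} emails={email_pct:5.1f}%  samples={sample_pct:5.1f}%")
```

In this constructed log the polymorphic family is only 2.0 percent of emails but 90.9 percent of distinct samples, the same pattern Table 1 shows for MyDoom at a smaller ratio.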

Image 1. MyDoom activity levels in 2015.

Image 2. MyDoom activity levels in 2016.

Image 3. MyDoom activity levels in 2017.

Image 4. MyDoom activity levels in 2018.

MyDoom Activity in 2019

MyDoom activity during the first six months of 2019 shows a similar average to all of 2018, with a slightly higher percentage of both emails and malware samples. See Table 2 for details.

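| Year | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples |
|------|---------------|---------------------------|--------------------|----------------|-----------------------|---------------------|
| Jan-Jun 2019 | 465,896 | 41,002,585 | 1.1% | 92,932 | 302,820 | 30.1% |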

Table 2. MyDoom statistics in the first six months of 2019.

Image 5. MyDoom activity levels in the first six months of 2019.