MyDoom is an infamous computer worm first noted in early 2004. This malware has been featured in top ten lists of the most destructive computer viruses, causing an estimated $38 billion in damage. Although now well past its heyday, MyDoom continues to be a presence in the cyber threat landscape.
While not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 percent of all emails we see with malware attachments. We continue to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States running a distant second. These emails are sent to recipients across the world, mostly targeting high tech, wholesale, retail, healthcare, education, and manufacturing industries.
This blog tracks MyDoom activity in recent years and focuses on trends during the first six months of 2019.
2015 through 2018
MyDoom propagates through email using SMTP. We compared emails containing MyDoom attachments with emails containing any type of malware attachment. In the four-year period from 2015 through 2018, an average of 1.1 percent of malicious emails contained MyDoom. Counting individual malware samples over the same period, MyDoom accounted for an average of 21.4 percent of all individual malware attachments seen in malicious emails.
Why is the percentage of MyDoom emails so much lower than the percentage of MyDoom attachments? Because many malicious email campaigns send the same malware sample to hundreds or thousands of recipients. MyDoom, by contrast, is polymorphic and tends to have a different file hash for each of the emails we find. Therefore, while the number of MyDoom emails is relatively low, the number of MyDoom samples is high compared to other malware distributed through email. Table 1 contains the statistics for 2015 through 2018.
Year | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples |
2015 | 574,674 | 27,599,631 | 2.1% | 87,119 | 615,386 | 14.2% |
2016 | 589,107 | 77,575,376 | 0.8% | 142,659 | 960,517 | 14.9% |
2017 | 309,978 | 79,599,864 | 0.4% | 95,115 | 340,433 | 27.9% |
2018 | 663,212 | 64,919,295 | 1.0% | 150,075 | 528,306 | 28.4% |
Table 1. MyDoom statistics from 2015 through 2018.
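The gap between email share and sample share explained above can be measured as emails per unique file hash. The following is an added example, not code from the original article: it recomputes the Table 1 percentages, derives that reuse ratio for MyDoom and for all other malware, and applies the same calculation to constructed telemetry. The function names and the SAMPLE records are assumptions.

```python
# Added example: Table 1 figures are copied from the article; the function
# names and the SAMPLE records are constructed for illustration.
TABLE_1 = {  # year: (MyDoom emails, total emails, MyDoom samples, total samples)
    2015: (574_674, 27_599_631, 87_119, 615_386),
    2016: (589_107, 77_575_376, 142_659, 960_517),
    2017: (309_978, 79_599_864, 95_115, 340_433),
    2018: (663_212, 64_919_295, 150_075, 528_306),
}


def _ratio(num, den):
    """Rounded quotient, or None when there is nothing to divide by."""
    return round(num / den, 1) if den else None


def shares(fam_emails, all_emails, fam_samples, all_samples):
    """Email share, sample share, and emails per unique sample (reuse)."""
    return {
        "email_pct": round(100 * fam_emails / all_emails, 1),
        "sample_pct": round(100 * fam_samples / all_samples, 1),
        # Low reuse means nearly every email carries a new hash (polymorphism).
        "family_reuse": _ratio(fam_emails, fam_samples),
        "other_reuse": _ratio(all_emails - fam_emails, all_samples - fam_samples),
    }


def count_telemetry(records, family):
    """Reduce (family, sha256) pairs, one per malicious email, to the four
    counts that shares() expects."""
    fam_hashes, all_hashes = set(), set()
    fam_emails = all_emails = 0
    for fam, sha256 in records:
        all_emails += 1
        all_hashes.add(sha256)
        if fam == family:
            fam_emails += 1
            fam_hashes.add(sha256)
    return fam_emails, all_emails, len(fam_hashes), len(all_hashes)


# Constructed telemetry: 5 polymorphic emails with distinct hashes, and one
# campaign that sends a single hash to 95 recipients.
SAMPLE = [("mydoom", f"m-{i}") for i in range(5)] + [("campaign-a", "a-0")] * 95

if __name__ == "__main__":
    for year, row in TABLE_1.items():
        print(year, shares(*row))
    print("constructed", shares(*count_telemetry(SAMPLE, "mydoom")))
```

On the Table 1 figures, MyDoom stays in the single digits of emails per unique hash in every year, while the rest of the malicious email corpus runs from tens to hundreds.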
Image 1. MyDoom activity levels in 2015.
Image 2. MyDoom activity levels in 2016.
Image 3. MyDoom activity levels in 2017.
Image 4. MyDoom activity levels in 2018.
MyDoom Activity in 2019
MyDoom activity in the first six months of 2019 shows averages similar to those for all of 2018, with a slightly higher percentage of both emails and malware samples. See Table 2 for details.
Year | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples |
Jan-Jun 2019 | 465,896 | 41,002,585 | 1.1% | 92,932 | 302,820 | 30.1% |
Table 2. MyDoom statistics in the first six months of 2019.
Image 5. MyDoom activity levels in the first six months of 2019.