{
	"id": "00c989f2-fa4e-4145-a37d-1fb46712cc74",
	"created_at": "2026-04-06T15:52:39.00901Z",
	"updated_at": "2026-04-10T13:12:34.158125Z",
	"deleted_at": null,
	"sha1_hash": "c98c01278d7451bee28319fd24debde05324e92e",
	"title": "MyDoom Still Active in 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1591354,
	"plain_text": "MyDoom Still Active in 2019\r\nBy Brad Duncan\r\nPublished: 2019-07-26 · Archived: 2026-04-06 15:48:34 UTC\r\nExecutive Summary\r\nMyDoom is an infamous computer worm first noted in early 2004. This malware has been featured in top ten lists of the most destructive computer viruses, causing an estimated $38 billion in damage. Although now well past its heyday, MyDoom continues to be a presence in the cyber threat landscape.\r\nWhile not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 percent of all emails we see with malware attachments. We continue to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States running a distant second. These emails are sent to recipients across the world, mostly targeting the high tech, wholesale, retail, healthcare, education, and manufacturing industries.\r\nThis blog tracks MyDoom activity in recent years and focuses on trends during the first six months of 2019.\r\n2015 through 2018\r\nMyDoom propagates through email using SMTP. We compared emails containing MyDoom attachments with emails containing any type of malware attachment. In the four-year period from 2015 through 2018, an average of 1.1 percent of malicious emails contained MyDoom. When reviewing individual malware samples during the same period, MyDoom accounted for an average of 21.4 percent of all individual malware attachments seen through malicious emails.\r\nWhy is the percentage of MyDoom emails so much lower than the percentage of MyDoom attachments? Because many malicious email campaigns carry the same malware sample across messages to hundreds or thousands of recipients. 
MyDoom is polymorphic and tends to have different file hashes for each of the emails we find. Therefore, while the number of MyDoom emails is relatively low, the number of samples is comparatively higher than for other malware distributed through email. Table 1 contains the statistics for 2015 through 2018.\r\nYear | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples\r\n2015 | 574,674 | 27,599,631 | 2.1% | 87,119 | 615,386 | 14.2%\r\n2016 | 589,107 | 77,575,376 | 0.8% | 142,659 | 960,517 | 14.9%\r\n2017 | 309,978 | 79,599,864 | 0.4% | 95,115 | 340,433 | 27.9%\r\n2018 | 663,212 | 64,919,295 | 1.0% | 150,075 | 528,306 | 28.4%\r\nTable 1. MyDoom statistics from 2015 through 2018.\r\nhttps://unit42.paloaltonetworks.com/mydoom-still-active-in-2019/\r\nPage 1 of 12\r\nImage 1. MyDoom activity levels in 2015.\r\nImage 2. MyDoom activity levels in 2016.\r\nImage 3. MyDoom activity levels in 2017.\r\nImage 4. MyDoom activity levels in 2018.\r\nMyDoom Activity in 2019\r\nMyDoom activity in the first six months of 2019 shows a similar average to all of 2018, with a slightly higher percentage of both emails and malware samples. See Table 2 for details.\r\nPeriod | MyDoom emails | Total emails with malware | % of MyDoom emails | MyDoom samples | Total malware samples | % of MyDoom samples\r\nJan-Jun 2019 | 465,896 | 41,002,585 | 1.1% | 92,932 | 302,820 | 30.1%\r\nTable 2. MyDoom statistics in the first six months of 2019.\r\nImage 5. 
MyDoom activity levels in the first six months of 2019.\r\n574 MyDoom samples appeared across more than one month, so the total number of MyDoom malware samples in Table 3 below differs from the total of MyDoom samples for the six-month period taken as a whole in the previous table.\r\nMonth | MyDoom emails | MyDoom malware samples\r\nJan 2019 | 54,371 | 14,441\r\nFeb 2019 | 47,748 | 11,566\r\nMar 2019 | 80,537 | 18,789\r\nApr 2019 | 92,049 | 17,278\r\nMay 2019 | 113,037 | 15,586\r\nJun 2019 | 78,154 | 15,846\r\nTable 3. MyDoom month-to-month statistics in the first six months of 2019.\r\nImage 6. Graph charting MyDoom activity from January through June of 2019.\r\nWhere have these emails come from? The top ten source countries by IP address during the first six months of 2019 were:\r\nChina: 349,454 emails\r\nUnited States: 18,590 emails\r\nGreat Britain: 10,151 emails\r\nVietnam: 4,426 emails\r\nRepublic of Korea (South Korea): 2,575 emails\r\nSpain: 2,154 emails\r\nRussia: 1,007 emails\r\nIndia: 657 emails\r\nTaiwan: 536 emails\r\nKazakhstan: 388 emails\r\nImage 7. Countries that MyDoom emails have appeared from during the first six months of 2019.\r\nTargeted countries were more varied and evenly distributed than the source countries. The top ten targeted countries were:\r\nChina: 72,713 emails\r\nUnited States: 56,135 emails\r\nTaiwan: 5,628 emails\r\nGermany: 5,503 emails\r\nJapan: 5,105 emails\r\nSingapore: 3,097 emails\r\nRepublic of Korea: 1,892 emails\r\nRomania: 1,651 emails\r\nAustralia: 1,295 emails\r\nGreat Britain: 1,187 emails\r\nImage 8. 
Targeted countries of MyDoom emails during the first six months of 2019.\r\nThe top ten verticals hit during this period were:\r\nHigh Tech: 212,641 emails\r\nWholesale and Retail: 84,996 emails\r\nHealthcare: 49,782 emails\r\nEducation: 37,961 emails\r\nManufacturing: 32,429 emails\r\nProfessional and Legal Services: 19,401 emails\r\nTelecommunications: 4,125 emails\r\nFinance: 2,259 emails\r\nTransportation and Logistics: 1,595 emails\r\nInsurance: 796 emails\r\nThese results are likely skewed towards our customer base. However, this data indicates that China and the United States are the source of most MyDoom emails and also rank highest as the most targeted countries.\r\nCharacteristics of MyDoom\r\nMyDoom distribution has had similar characteristics for years now. In February 2019, Cylance analyzed a sample of MyDoom, and current MyDoom samples show similar characteristics. Emails distributing MyDoom are generally disguised as reports that an email was not delivered, with subject lines such as:\r\nDelivery failed\r\nDelivery reports about your e-mail\r\nMail System Error - Returned Mail\r\nMESSAGE COULD NOT BE DELIVERED\r\nRETURNED MAIL: DATA FORMAT ERROR\r\nReturned mail: see transcript for details\r\nHowever, we also frequently see MyDoom emails with random alphabetic characters in the subject line. MyDoom emails also use other subject lines like:\r\nClick me baby, one more time\r\nhello\r\nHi\r\nsay helo to my litl friend\r\nFigures 8, 9, and 10 show screenshots of MyDoom email samples from July 2019.\r\nFigure 8. Example of a MyDoom email from July 2019 (1 of 3).\r\nFigure 9. Example of a MyDoom email from July 2019 (2 of 3).\r\nFigure 10. 
Example of a MyDoom email from July 2019 (3 of 3).\r\nAttachments from these MyDoom emails are executable files, or they are zip archives that contain executable files. MyDoom malware turns an infected Windows host into a malicious spambot, which then sends MyDoom emails to various email addresses. This will happen even if the infected Windows host does not have a mail client. Another characteristic of MyDoom is attempted connections to various IP addresses over TCP port 1042.\r\nFigure 11. Email traffic from a host infected with MyDoom on July 15th, 2019.\r\nFigure 12. Attempted connections over TCP port 1042 from a host infected with MyDoom.\r\nOn a Windows 7 host, MyDoom makes a copy of itself in the user's AppData\\Local\\Temp directory as lsass.exe, but the malware is not made persistent in the Windows registry. On a Windows XP host, the MyDoom executable makes a copy of itself at C:\\Windows\\lsass.exe and is made persistent through the Windows registry in the HKEY_LOCAL_MACHINE hive with a key named Traybar at SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, as shown in Figure 13.\r\nFigure 13. MyDoom persistent on a Windows XP host.\r\nConclusion\r\nFirst seen in 2004, MyDoom is still active today, a testament to its original destructiveness. Enough infrastructure has remained infected throughout the years that we continue to see MyDoom in today's threat landscape. Although a relatively small percentage of malware-based emails contain MyDoom, this malware remains a constant presence.\r\nBased on our data, MyDoom-infected infrastructure resides at IP addresses mostly belonging to China, with the United States running a distant second. 
Both China and the United States are the primary recipients of MyDoom emails, although the distribution remains global and targets many other countries. High tech is the most frequently targeted industry.\r\nPalo Alto Networks customers are protected from MyDoom by our threat prevention platform, which easily detects this malware. AutoFocus users can track MyDoom attempts by using the MyDoom tag.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nMyDoom EXE Samples from July 2019\r\nSource: https://unit42.paloaltonetworks.com/mydoom-still-active-in-2019/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mydoom-still-active-in-2019/"
	],
	"report_names": [
		"mydoom-still-active-in-2019"
	],
	"threat_actors": [],
	"ts_created_at": 1775490759,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c98c01278d7451bee28319fd24debde05324e92e.pdf",
		"text": "https://archive.orkl.eu/c98c01278d7451bee28319fd24debde05324e92e.txt",
		"img": "https://archive.orkl.eu/c98c01278d7451bee28319fd24debde05324e92e.jpg"
	}
}