APT / THREAT GROUP

MyDoom

4 aliases
Last seen: Mar 17, 2026

Intelligence Profile

When executed, the worm opens Windows Notepad with garbage data in it. When spreading, the infectious emails used to distribute copies of the worm use variable subjects, bodies and attachment names.

The worm encrypts most of the strings in its UPX-packed body with the ROT13 method, i.e. each character is rotated 13 positions to the right in the alphabet, wrapping around to the beginning if the position is beyond the last letter.

Mydoom also performs a Distributed Denial-of-Service attack on www.sco.com. This attack starts on the 1st of February.

The worm opens a backdoor on infected computers. This is done by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE.

Mydoom is programmed to stop spreading on February 12th.
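
Because ROT13 is its own inverse, strings hidden this way can be recovered during triage by rotating every printable run in an unpacked sample and checking the result against known indicators. The following is an added example, not code from the original page or from Malpedia; the function names and the sample buffer are constructed for illustration, the watchlist uses only the file name and host named above, and the input is assumed to be already UPX-unpacked.

```python
import codecs
import re

# Indicators named in the profile above, lower-cased for matching.
WATCHLIST = ("shimgapi.dll", "www.sco.com")

# Runs of six or more printable ASCII bytes, similar to what `strings` reports.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def printable_runs(data):
    """Yield (offset, text) for every printable ASCII run in the buffer."""
    for match in PRINTABLE_RUN.finditer(data):
        yield match.start(), match.group().decode("ascii")


def rot13(text):
    """Rotate letters by 13 places; digits and punctuation are unchanged."""
    return codecs.decode(text, "rot_13")


def find_rot13_indicators(data, watchlist=WATCHLIST):
    """Return (offset, raw, decoded, indicator) for each run that matches
    an indicator only after ROT13 decoding, i.e. a deliberately hidden string."""
    hits = []
    for offset, raw in printable_runs(data):
        decoded = rot13(raw)
        for indicator in watchlist:
            if indicator in decoded.lower() and indicator not in raw.lower():
                hits.append((offset, raw, decoded, indicator))
    return hits


# Constructed sample buffer (not taken from a real binary): two ROT13-encoded
# indicators mixed with binary padding and unrelated strings.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"FUVZTNCV.QYY" + b"\x00\xff\x10"
    + b"jjj.fpb.pbz" + b"\x00\x00" + b"notepad.exe" + b"\x00"
    + b"Guvf vf whfg svyyre" + b"\x00"
)

if __name__ == "__main__":
    for offset, raw, decoded, indicator in find_rot13_indicators(SAMPLE):
        print(f"0x{offset:04x}  {raw!r} -> {decoded!r}  (matches {indicator})")
```

A hit means the indicator was present only in rotated form, which separates obfuscated strings from benign plaintext references to the same names.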

Threat Analysis

MyDoom is profiled as a threat actor of undetermined national origin, with its primary motivation and activity patterns listed as unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 4

Also Known As

win.mydoom, MyDoom, Novarg, Mimail

External Intelligence

Malpedia: win.mydoom

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.