Update reaction times
Andreas Marx, of AV-Test.org, performed a thorough analysis of the situation for PC-Welt magazine. To perform the analysis, AV-Test.org routinely and automatically checks all antivirus vendor websites every 5 minutes for new updates, downloads them and stores the files in their archive. When an outbreak is detected, AV-Test.org will test all the antivirus products based on these stored updates, to determine whether they were able to either heuristically detect the new threat and/or the time when updates for detection first became available.
Using data provided by MessageLabs as the start point, Andreas was able to determine that the first copy of the MyDoom worm was stopped at 13:05 GMT. However, it was not until 22:35 GMT that the first commercial updates were available that detected both the DLL and EXE components of the worm. This update was from Trend Micro. While both McAfee and Symantec had BETA releases available approximately half an hour before Trend's release, BETA releases aren't automatic updates and thus aren't accessible to the vast majority of users. Further, Symantec's BETA release included detection only for the EXE dropped by MyDoom, not the backdoor DLL also unleashed by the worm. F-Prot also released partial detection slightly before Trend's; however, like Symantec, it detected only the EXE dropped by MyDoom and not the backdoor component. The PC-Welt report revealed that a full 11 hours had passed before Symantec released commercial updates for detection, and that update still was incapable of detecting the backdoor DLL. A total of fourteen and a half hours passed before Symantec provided detection capable of detecting both aspects of the worm. McAfee fared even worse, not releasing commercial updates until 15 hours after the discovery of the worm.
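The measurement described above (an archive of timestamped update snapshots, split into BETA and commercial channels, compared against the first sighting) can be reduced to a small script. This is an added example, not code from the article or from AV-Test.org; the snapshot data model is assumed, the calendar date is assumed, and the sample records are constructed from the hours and minutes quoted in the paragraph above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class UpdateSnapshot:
    vendor: str
    fetched: datetime   # when the archiver downloaded this definition file
    commercial: bool    # False for BETA definitions (not pushed by auto-update)
    detects_exe: bool   # detects the worm's dropped EXE
    detects_dll: bool   # detects the backdoor DLL


def hours_since(start: datetime, t: datetime) -> float:
    return round((t - start).total_seconds() / 3600, 2)


def reaction_times(first_seen: datetime, snapshots, include_beta=False) -> dict:
    """Per vendor: hours from first sighting to the first update that detects
    any component ("partial") and to the first that detects both ("full").
    BETA releases are ignored unless include_beta is set, since most users
    never receive them."""
    result = {}
    for s in sorted(snapshots, key=lambda s: s.fetched):
        if not s.commercial and not include_beta:
            continue
        entry = result.setdefault(s.vendor, {"partial": None, "full": None})
        if entry["partial"] is None and (s.detects_exe or s.detects_dll):
            entry["partial"] = hours_since(first_seen, s.fetched)
        if entry["full"] is None and s.detects_exe and s.detects_dll:
            entry["full"] = hours_since(first_seen, s.fetched)
    return result


def ts(day: int, hhmm: str) -> datetime:
    # Constructed timestamps; the date is an assumption, only the clock times
    # come from the article's figures.
    h, m = map(int, hhmm.split(":"))
    return datetime(2004, 1, day, h, m, tzinfo=timezone.utc)


FIRST_SEEN = ts(26, "13:05")  # first copy stopped by MessageLabs (GMT)

SAMPLE_SNAPSHOTS = [  # constructed from the figures quoted in the text
    UpdateSnapshot("McAfee", ts(26, "22:05"), False, True, True),
    UpdateSnapshot("Symantec", ts(26, "22:05"), False, True, False),
    UpdateSnapshot("F-Prot", ts(26, "22:20"), True, True, False),
    UpdateSnapshot("Trend Micro", ts(26, "22:35"), True, True, True),
    UpdateSnapshot("Symantec", ts(27, "00:05"), True, True, False),
    UpdateSnapshot("Symantec", ts(27, "03:35"), True, True, True),
    UpdateSnapshot("McAfee", ts(27, "04:05"), True, True, True),
]

if __name__ == "__main__":
    for vendor, hours in reaction_times(FIRST_SEEN, SAMPLE_SNAPSHOTS).items():
        print(vendor, hours)
```

Running it with the constructed records reproduces the article's ordering: Trend Micro first with full detection at 9.5 hours, F-Prot partial only, Symantec partial at 11 hours and full at 14.5, McAfee at 15.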
However, the elapsed time before updates is not necessarily the fault of the respective vendors. Though MessageLabs reports initially seeing two copies of the worm at 13:05 GMT, it was several hours before actual outbreak numbers of the worm were detected. Though it's difficult to determine exactly when vendors were first notified, it appears that this may have occurred four or even six hours after the initial detection. Obviously, the antivirus vendors require both timely notification and samples in order to address a new threat. It's equally important to note that MessageLabs, as an email service provider, is routinely among the first to detect a new worm or Trojan traveling via email. The vast majority of these never go beyond a small handful of what are known as "seed mails". In the case of MyDoom, it was not until a few hours had passed that the number of infected emails surged beyond the normal "seeding variety" and became a significant enough threat to warrant immediate action. The situation was worsened by other high-profile worms detected on or near that same date, notably Mimail.Q and Dumaru.Y.
AV-Test.org's Andreas Marx expressed concern for the impact on affected users, particularly those who initially received faulty detection updates: "Obviously, we were surprised to discover the errors when we performed our tests and we notified the vendors immediately. Unfortunately, some of them weren't able to get proper definitions out until as much as 24 hours later. This meant that anyone who became infected from the worm, and cleaned it with one of the affected products, could still be harboring the backdoor component."
Within days of the MyDoom discovery, various tools were released on the Internet which exploit the backdoor left by the worm.