The infection rate for the world’s fastest growing email virus ever is subsiding, but security experts say the risk of new attacks is not
Steve Marcus / Reuters
The MyDoom-B virus is set up to launch coordinated attacks on Microsoft from the computers it infects
WEB EXCLUSIVE
By Jennifer Barrett
Updated: 4:23 p.m. ET, Feb. 3, 2004
It was nearly 4 p.m. last Monday when the first suspicious-looking email popped up on Richard Wang’s computer screen. Ten minutes later, a similar message arrived with the familiar “error” subject line and an icon indicating an attachment. The next arrived two minutes later. As a virus researcher at security firm Sophos’s new anti-virus lab in Massachusetts, Wang sorts through a lot of suspect email each day—most of it forwarded by customers or other security firms to be examined. “But once you see three or four of these in that short a time period, you start to think this is going to be something big,” he says. By the time the fourth email arrived, Wang remembers thinking, “I’m going to be late for dinner tonight.”
Meanwhile, on the West Coast, his counterpart at McAfee Avert, Craig Schmugar, was seeing two to four new suspicious-looking emails every time he refreshed his screen. “There was a sudden rush in emails we had never seen before,” says Schmugar, who is credited with co-discovering the virus. He named it MyDoom after spotting a line of text that included “mydom” (short for “my domain”) in the virus code. “It was evident early on that this would be very big,” he says. “I thought having ‘doom’ in the name would be appropriate.”
Was it ever. MyDoom—and its variation, MyDoom-B, released two days later—soon became the fastest spreading email virus in Internet history, extending into more than two dozen countries and infecting at least 500,000 machines over the past week. According to the security firm mi2g, damage estimates from the virus now range as high as $38.5 billion, taking into account everything from overtime pay to loss of business and bandwidth, as well as the cost of recovery and software upgrades. While some say that estimate may be too high, security analysts agree that the damage is in the billions.
And the worm’s work isn’t done yet.
Unlike some past viruses, MyDoom isn’t aimed at disabling victims’ computers or erasing their files (though it does disrupt email service and prevents victims from contacting many of the Web sites that offer anti-virus protection). In fact, victims may not even be aware that their computer has been infected unless they run an anti-virus scan.
“The worst viruses [like MyDoom],” says Wang, “aren’t interested in messing up your personal files or crashing your email system. They want to steal your bandwidth—take over your computer, basically—to use your PC for nefarious purposes, so it can’t be tracked back to theirs.”
The MyDoom worm was designed to launch later attacks from infected computers against two corporate targets: the SCO Group and Microsoft. SCO, a Utah-based software maker, earned the ire of Linux lovers—and became a regular target of attacks last year—for launching a patent claim against the freely available operating system. And as the world’s largest software maker, Microsoft is also a common target of hackers and virus writers.
MyDoom launched its first wave of attacks from an estimated 50,000 or more infected computers that were turned on this weekend. It was enough to shut down the SCO Group’s Web site. Microsoft was bracing itself Tuesday for the launch of similar, if fewer, denial-of-service attacks from MyDoom-B, which is set to run through the end of the month. The company even preemptively set up a back-up site just in case its main site is disabled. “We are doing everything we can to ensure that Microsoft properties remain fully available to our customers,” says Stephen Toulouse, security program manager at the Microsoft Security Response Center.
That includes offering a $250,000 reward for information leading to the capture of whoever is behind the MyDoom attack—a reward SCO is offering as well. Microsoft has offered the quarter-million-dollar rewards only twice before, for those behind last year’s MSBlast.A worm and Sobig virus. The offers are part of its new Anti-Virus Reward Program, launched late last fall with $5 million. Still, despite the rewards, and the FBI’s participation in the investigation into the MyDoom worm, no suspect has yet been identified.
And Jeff Carlon, director of worldwide IT infrastructure at the SCO Group, predicts hundreds more attacks on his Web site through next Thursday, when the first worm expires. Through a statement, he said the company “has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders.” That includes directing customers to a new Web site (thescogroup.com) as its technicians work to bring the original site back online.
For the most part though, security experts say the worst may be over. The number of new MyDoom infections has dropped significantly in the past few days to about one-third the rate of reported infections happening a week ago, according to the anti-virus software firm Symantec. McAfee’s Schmugar says the number of those computers cleaning out the virus is now higher than those reporting new infections.
But don’t breathe too easy yet.
“Unfortunately, one thing you can predict is that you will see more medium to high threats like this coming through this year,” says Vincent Weafer, senior director for Symantec Security Response. Home users and small businesses are particularly vulnerable.
“They remember and are diligent about updating their protection after an attack, but then they forget about it,” says Weafer.
Schmugar agrees. “MyDoom has gotten press and that raises awareness for a period of time but it’s hard to say how long that will last,” he says. “We’ve learned that people are aware for some period of time and then it fades and they go back to—I don’t want to say a false sense of security—but to their previous comfort level, perhaps. More people open an attachment they might not otherwise.”
And that may be all it takes to unleash the next MyDoom.
F-Secure is downgrading the alert level on Mydoom.A since it reached its deadline. The worm was programmed to stop spreading after February 12th, 2004.
Update on February 10th, 2004
A new minor variant of Mydoom was found on 10th of February 2004. We detect it automatically as "Mydoom.A". Some other products might detect it as "Mydoom.D". It's the original Mydoom with a different packer applied to it, and one of the messages it sends has been patched to say "ROFL HELLO SAM HOWS UPZ. Partial message is available."
Update on January 27th, 2004
F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased infection reports around the world. The worm sends email attachments with a random name ending with a ZIP, BAT, CMD, EXE, PIF or SCR extension.
Attack follow-up
F-Secure researchers will be monitoring the launch of the DDoS attack against SCO.COM on 1st of February, 2004. We'll post our findings to our weblog at: http://www.f-secure.com/weblog/
Summary
Mydoom is a worm that spreads over email and the Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it. In emails, it uses variable subjects, bodies and attachment names. It also performs a Distributed Denial-of-Service attack on www.sco.com. This attack starts on 1st of February.
The worm opens a backdoor on infected computers. This is done by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE.
Mydoom is programmed to stop spreading on February 12th.
The worm encrypts most of the strings in its UPX-packed body with the ROT13 method, i.e. each letter is rotated 13 positions to the right in the alphabet, wrapping around to the beginning when the position passes the last letter; non-letter characters are left unchanged.
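As an added illustration (not F-Secure's code), this is how an analyst undoes that ROT13 rotation over a dump of the unpacked body to recover readable strings. The input blob is constructed for the example rather than dumped from a sample; the only assumption it relies on is the one the text states, that letters are rotated and every other byte is left alone.

```python
import re
import string

# Constructed blob in the shape of a few ROT13-rotated strings sitting among
# non-printable bytes in an unpacked body. Not taken from a real sample.
CONSTRUCTED_BLOB = (b"\x00\x00jjj.fpb.pbz\x00\x01\x02"
                    b"fuvztncv.qyy\x00TRG / UGGC/1.1\x00\x00")

_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase


def rot13_bytes(data: bytes) -> bytes:
    """Rotate every ASCII letter 13 places, wrapping at the end of the alphabet.
    Digits, punctuation and NUL bytes pass through untouched, so the same
    function both encodes and decodes."""
    out = bytearray()
    for b in data:
        c = chr(b)
        if c in _LOWER:
            out.append(ord(_LOWER[(_LOWER.index(c) + 13) % 26]))
        elif c in _UPPER:
            out.append(ord(_UPPER[(_UPPER.index(c) + 13) % 26]))
        else:
            out.append(b)
    return bytes(out)


def recover_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Decode the blob and return printable runs of at least min_len bytes,
    the same pass a `strings` tool makes over a decoded dump."""
    decoded = rot13_bytes(blob)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


if __name__ == "__main__":
    for s in recover_strings(CONSTRUCTED_BLOB):
        print(s)
```

Running the decoder over the constructed blob surfaces the target host name, the dropped DLL name and the request line, which is the quickest way to confirm that an unpacked sample is the variant the description covers.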
When run, the worm will create a mutex with the name "SwebSipcSmtxSO" to ensure only one instance of itself is running at the same time.
The worm will launch a Notepad window with garbage contents.
The worm will copy itself to the Windows System folder as 'taskmon.exe' and adds an entry in the registry:
It drops another file, contained encoded in its body and packed with UPX, as:
%sysdir%\shimgapi.dll
This file will sequentially open TCP ports from 3127 to 3198, listening on them for incoming connections. One of the possibilities this backdoor offers is to receive an additional executable and run it on the already infected machine.
Expiration date
When the worm is executed on a date after Sunday 12th of February 2004, it will exit immediately, without performing any further actions. It will not, however, uninstall itself.
Peer-to-Peer Spreading
The worm will look up from the Windows Registry the value containing the user's Kazaa shared folder, and it will copy itself to that location with a filename composed from the following list:
The worm collects the addresses it sends itself to from the Windows Address Book and from files with the following extensions:
pl
adb
tbb
dbx
asp
php
sht
htm
txt
It tries to bypass simple anti-spam protections, e.g. the substitution of the '@' symbol with ' at ', and several other combinations.
E-Mail messages sent by the worm have the following characteristics:
Subjects can be any of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Body is one of the following:
test
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
Attachments are composed combining the following names:
document
readme
doc
text
file
data
test
message
body
with the following extensions:
pif
scr
exe
cmd
bat
zip
The ZIP file itself is not harmful when double-clicked. Inside the zip you have a copy of the worm, sharing the same file name as the .zip. For example, message.zip contains message.exe.
The sizes of the ZIP files vary, but it's typically around 22kB. The infected file inside the zip can have double extensions, like "body.htm .pif".
The final message might look like the one presented in the following picture:
Payload
When the machine is booted after Sunday 1st of February at 16:09:18 (UTC) (always according to the infected system's clock), a DDoS attack will be launched against the SCO website.
The worm will launch 64 threads, each of them requesting the main page of the website www.sco.com. This process of requesting the page 64 times simultaneously will be repeated roughly every second (1024 milliseconds) from each of the infected machines throughout the globe. The request is a simple "GET / HTTP/1.1", aimed at overloading their webserver.
Backdoor
The backdoor component of Mydoom.A is dropped to the System Directory with the filename 'shimgapi.dll'. The file is added to the registry as:
Considering the large volume of infected emails sent by Mydoom.A, mail server administrators might want to block the worm from entering their mail servers as early as possible.
The ZIP versions of the worm can be detected by matching the first line of the MIME-encoded attachment against one of the following regular expressions:
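Putting those message characteristics to work at the gateway, as an added example rather than F-Secure's own filter: the regular expressions for the base64 first line are not reproduced on this page, so this Python version instead decodes each attachment and inspects it, which also catches the double-extension names and the ZIP-with-executable form described above. The message it builds is constructed for the example (the zip holds a placeholder, not a worm); the subject and body templates and the extension list are the ones given above.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the description above lists for the worm.
RISKY_EXTENSIONS = {"pif", "scr", "exe", "cmd", "bat"}
# Subject lines and body fragments the description attributes to the worm.
KNOWN_SUBJECTS = {"test", "hi", "hello", "mail delivery system",
                  "mail transaction failed", "server report", "status", "error"}
KNOWN_BODY_FRAGMENTS = ("7-bit ASCII encoding", "Unicode characters",
                        "Mail transaction failed")


def final_extension(filename: str) -> str:
    """Extension Windows would act on: whitespace padding is removed first, so a
    double-extension name such as 'body.htm .pif' resolves to 'pif'."""
    name = re.sub(r"\s+", "", filename.lower())
    return name.rsplit(".", 1)[1] if "." in name else ""


def executables_in_zip(blob: bytes) -> list[str]:
    """Entries inside a ZIP attachment whose extension is risky."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if final_extension(n) in RISKY_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> dict:
    """Decide whether a gateway should hold the message and record why.
    Subject/body matches are logged only; holding is driven by attachments,
    since 'hi' or 'test' alone would flag far too much legitimate mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons, hold = [], False
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches a worm template")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(frag in text for frag in KNOWN_BODY_FRAGMENTS):
        reasons.append("body matches a worm template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = final_extension(name)
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name!r} has executable extension .{ext}")
            hold = True
        elif ext == "zip":
            inner = executables_in_zip(part.get_payload(decode=True) or b"")
            if inner:
                reasons.append(f"zip {name!r} contains executable entries {inner}")
                hold = True
    return {"hold": hold, "reasons": reasons}


def build_sample(subject="Mail Transaction Failed",
                 body="Mail transaction failed. Partial message is available.",
                 attachment_name="message.zip", payload=None) -> bytes:
    """Constructed message in the shape described above. The default payload is a
    ZIP holding a placeholder 'message.exe', not a real binary."""
    if payload is None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.exe", b"placeholder-not-a-real-executable")
        payload = buf.getvalue()
    msg = EmailMessage()
    msg["From"] = "jane@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    print(classify_message(build_sample()))
```

Decoding the attachment rather than pattern-matching its first base64 line costs a little CPU per message but is robust to re-encoding, differing line lengths and the zip container; a real deployment would run this as a milter or content filter and quarantine rather than bounce, since the sender address is spoofed.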
EM Library, part of the Enterprise Manager suite of management tools, allows fully automated web-based installation and updating of Sophos Anti-Virus on a wide range of platforms. If you're using one of our enterprise solutions and aren't already using EM Library, check it out now. Users of our small business solutions are automatically updated by Sophos AutoUpdate.
This section helps you to understand how it behaves
W32/MyDoom-A is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display its contents, which are random characters.
W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.
Subject lines:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]
Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment filenames:
body
data
doc
document
file
message
readme
test
[random collection of characters]
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
W32/MyDoom-A is programmed not to forward itself via email if the recipient email address satisfies various conditions:
The worm will not send itself to email addresses belonging to domains containing the following strings: acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed
As a consequence the worm does not forward itself to a number of email domains, including several anti-virus companies and Microsoft.
The worm will not send itself to email addresses in which the username contains the following strings: abuse, anyone, bugs, ca, contact, feste, gold-certs, help, info, me, no, noone, nobody, not, nothing, page, postmaster, privacy, rating, root, samples, secur, service, site, spm, soft, somebody, someone, submit, the.bat, webmaster, you, your, www
The worm will not send itself to email addresses which contain the following strings: admin, accoun, bsd, certific, google, icrosoft, linux, listserv, ntivi, spam, support, unix
The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension: activation_crack, icq2004-final, nuke2004, office_crack, rootkitXP, strip-girl-2.0bdcom_patches, winamp5
W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:
Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.
W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127. The DLL adds the following registry entry so that it is run on startup:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ Default= "<location of dll>"
The worm will also add the following entries to the registry:
Between the 1st and 12th February 2004, the worm will attempt a denial-of-service attack against www.sco.com, sending numerous GET requests to the web server.
After the 12th February W32/MyDoom-A will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.
Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.
W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.
When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files.
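A host-side check for that backdoor, added here as an example rather than Symantec's or F-Secure's tooling: parse the output of netstat -an and flag TCP listeners in the 3127 to 3198 range the descriptions attribute to shimgapi.dll. The netstat text below is constructed for the example. A listener in this range is a lead, not proof (3128 is also a common proxy port), so the next step is to check which process owns the socket and whether shimgapi.dll is present in the system folder.

```python
# Constructed `netstat -an` output in the Windows layout; not captured from a real host.
CONSTRUCTED_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.9:80            ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Port range the descriptions above attribute to the backdoor component.
BACKDOOR_PORTS = range(3127, 3199)


def listening_tcp_ports(netstat_text: str) -> set[int]:
    """Return the local port of every TCP socket reported in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            _, port = fields[1].rsplit(":", 1)  # works for 0.0.0.0:p and [::]:p
            ports.add(int(port))
    return ports


def suspected_backdoor_ports(netstat_text: str) -> list[int]:
    """Listeners inside the backdoor range, lowest first. The backdoor opens ports
    sequentially, so on a clean-but-busy host 3127 itself may already be taken
    by something else and the worm's listener sits one or two ports higher."""
    return sorted(p for p in listening_tcp_ports(netstat_text) if p in BACKDOOR_PORTS)


if __name__ == "__main__":
    print("suspect listeners:", suspected_backdoor_ports(CONSTRUCTED_NETSTAT))
```

On a live host, feed the function the real output of `netstat -an` (or `netstat -ano` to get the owning PID on Windows XP); run it before and after the removal steps further down to confirm the listener is gone, since the worm's expiry date stops the mailing but, as the text notes, not the backdoor.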
There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.
Notes:
Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to
spread.
Virus definitions dated prior to February 4, 2004 will detect this threat as W32.Novarg.A@mm.
Symantec HIDS 4.1.1: Symantec released a LiveUpdate package on January 27, 2004 for users of Symantec HIDS 4.1.1. See the Symantec Host IDS 4.1.1 Security Update 1 for additional information.
Symantec ManHunt Security Update 17 has been released to provide signatures specific to the backdoor activity associated with the W32.Mydoom.A@mm Worm.
DoS detection via ManHunt Flow Alert Rules: The Symantec Network IDS team recommends that administrators use the Flow Alert Rule feature to log events for suspicious traffic to the SCO Web site on 2/1/2004 and the Microsoft Web site on 2/3/2004. For detailed instructions, read the Symantec Knowledge Base at: http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/docid/2004012813061253
In addition, Symantec ManHunt 2.2/3.0/3.01 customers can apply the following signature to detect the attempted DoS against www.sco.com. This DoS will start occurring on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading. This signature will help in determining from which machines the request is being made.
*******************start file********************
alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)
*************EOF*********************
For more information on creating custom signatures, refer to the "Symantec ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode."
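To show what the rule above actually tests, here is an added example (not Symantec's code) that applies the same match in Python over constructed flow records and tallies matching sources, which is the "from which machines" question the text raises. The rule's content string is 37 bytes long, which is why dsize:37 pins it to a bare request carrying no further headers; the addresses and payloads below are constructed for the example.

```python
from collections import Counter

# The byte string the rule's content: clause expresses; |0d0a| is CRLF.
SCO_DOS_REQUEST = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"


def signature_length() -> int:
    """Length the rule pins with dsize:37."""
    return len(SCO_DOS_REQUEST)


def matches_sco_dos(payload: bytes) -> bool:
    """The rule's test: content at offset 0 and a payload of exactly 37 bytes.
    A browser request to the same host carries User-Agent/Accept headers and is
    longer, so it does not match even though it starts with the same bytes."""
    return len(payload) == signature_length() and payload.startswith(SCO_DOS_REQUEST)


# Constructed flow records (src, dst, dst_port, payload); not real captures.
CONSTRUCTED_FLOWS = [
    ("192.168.10.21", "203.0.113.5", 80, SCO_DOS_REQUEST),
    ("192.168.10.21", "203.0.113.5", 80, SCO_DOS_REQUEST),
    ("192.168.10.44", "203.0.113.5", 80, SCO_DOS_REQUEST),
    ("192.168.10.7", "203.0.113.5", 80,
     b"GET / HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: x\r\nAccept: */*\r\n\r\n"),
    ("192.168.10.9", "203.0.113.5", 443, SCO_DOS_REQUEST),  # rule only covers port 80
]


def matching_sources(flows, min_hits: int = 1) -> dict[str, int]:
    """Tally rule hits per source address. With the worm firing 64 requests a
    second from each infected host, a real infection stands far above any
    sensible min_hits threshold, while a single stray match does not."""
    hits = Counter(src for src, _dst, port, payload in flows
                   if port == 80 and matches_sco_dos(payload))
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in sorted(matching_sources(CONSTRUCTED_FLOWS).items()):
        print(f"{src}: {n} matching requests")
```

Because the match is tied to the literal Host header, the same rule says nothing about the MyDoom-B traffic aimed at Microsoft mentioned earlier on the page; that needs its own content string, and the flow-alert approach the text recommends is the more general way to catch the volume pattern regardless of destination.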
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through
the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This
helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses,
such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and
restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded
from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain
browser vulnerabilities are not patched.
Manual Removal
Perform a manual removal if you cannot obtain the tool.
The following instructions pertain to all current and recent Symantec
antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.Mydoom.A@mm.
Delete the values that were added to the registry.
Reregister the webcheck.dll file. (This will remove the registry modifications responsible for loading Shimgapi.dll.)
For specific details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note: When you are completely finished with the removal procedure and are satisfied that the
threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base
article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate
servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for
this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S.
business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and
manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to
the Virus Definitions (Intelligent Updater).
3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.
4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
If any files are detected as infected with W32.Mydoom.A@mm, click Delete.
5. Deleting the values from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
Click Start, and then click Run. (The Run dialog box appears.)
Note: %System% is a variable that refers to the location of the System
folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
Exit the Registry Editor.
6. Reregistering the Webcheck.dll file (This will remove the registry modifications responsible for loading Shimgapi.dll.)
Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 webcheck.dll
Click OK. When you see the message, "DllRegisterServer in webcheck.dll succeeded," click OK.
Additional information:
When W32.Mydoom.A@mm sends email, it avoids distributing to the domains that contain
any of the following strings:
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
accounts that match any of the following strings:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
or accounts that contain any of the following strings:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
The worm also prepends any of the following names to the domain name obtained:
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
Revision History:
March 30, 2004: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.
February 26, 2004: Downgraded from Category 4 to Category 3 based on decreased rate of submissions.
February 5, 2004: Add Symantec Client Security updates.
February 3, 2004:
Renamed to W32.Mydoom.A@mm from W32.Novarg.A@mm.
Added Norton Internet Security and Norton Personal Firewall updates
January 27, 2004:
Updated document with link to removal tool for W32.Novarg.A@mm.
Updated alias information.
Added reference to Symantec HIDS update.
January 30, 2004: Changed manual removal to use the regsvr32 command to reregister the webcheck.dll file rather than do
this in the registry.
January 31, 2004:
Added information regarding additionally spawned threads to perform a DoS attack.
Added information regarding the time at which an attack starts.
Added information regarding the 25% chance that a worm will perform a DoS attack.
Added Symantec ManHunt and SGS updates.
Dr. Doom
Victor von Doom was born in the Balkan nation of Latveria to Werner von Doom, a
gypsy healer, and Cynthia von Doom, a witch. While Victor was still an infant, his mother was killed by a Latverian guardsman
when her spell to rid Latveria of tyranny went horribly awry. Later, when Victor was still a child, his father was hunted
by the authorities for his failure to cure the ruling baron's wife of terminal cancer. Werner von Doom and his son fled, but
the father died of exposure to cold. Anguished by his father's death, the young von Doom vowed to make the entire world pay
for the loss of his parents.
While in the care of Boris, a friend of his father's, the young von Doom discovered
his mother's legacy to him: a chest containing herbs, medicines, and objects said to have magical powers. He saw these artifacts
as his means to gaining power and began learning their uses. Von Doom also began developing his own innate scientific abilities.
For years he traveled the countryside, peddling clever devices and potions he had created to the gullible, knowing that they
would turn worthless soon after he left. Meanwhile, he continued to increase his knowledge, creating robotic duplicates and
fantastic weaponry to elude capture and protect his gypsy people. As his obsession with gaining power and vengeance grew,
von Doom became increasingly distant from his childhood sweetheart, a young beautiful gypsy woman named Valeria, much to her
distress.
The dean of science at State University in America heard of von Doom's astounding
reputation and offered him a scholarship. Travelling to America to take advantage of the university's lab facilities, von
Doom met Reed Richards, a brilliant science student, and the two became intellectual rivals. Sometime later, von Doom was
in the midst of testing a device for interdimensional communication in order to breach the spirit world to contact the spirit
of his dead mother. Von Doom refused to heed the warnings of Richards, who had seen a mistake in von Doom's calculations,
and the machine malfunctioned and exploded, injuring von Doom. While convalescing, von Doom was expelled from the university
and formed the irrational belief that Richards was responsible for the machine's failure.
Believing that his injuries were disfiguring (a fact that remains an unsubstantiated mystery), Doom left America for the remoteness of Tibet where he hoped to find both refuge from the sight of man and the hidden
secrets of sorcery. Discovered by the Aged Genghis, he was taken in by a group of monks and lived with them for a number of
years, learning their secrets and eventually becoming their master. The monks helped him create a suit of armor and metal
mask which he now wore in his new guise as Doctor Doom, in which he intended to conquer the world. In his haste, von Doom
donned his newly cast mask before it had completely cooled, thereby permanently damaging his entire face.
Leaving the monks, the self-styled Doctor Doom returned to Latveria and worked his
way into favor of the ruling King Vladimir as his scientific advisor. He manipulated events with a robotic duplicate of Prince
Rudolpho so that the king was assassinated and "Rudolpho" abdicated the throne to the "stronger and more able" von Doom. Doom
established a nation of peace and prosperity ruled by a stern dictatorship under his name as "The Master." Sequestered in
the royal castle of Doomstadt, he began to use his mastery of science to create the means to achieve further conquests.
Of course, Doom is a perennial foe of the Fantastic Four. His dealings with Iron Man involved two memorable two-parters by David Michelinie and Bob Layton. In the first (IM #149-150), von Doom needs
Stark components to boost his time platform. When Iron Man travels to Latveria to reacquire a few of the electronics that
were mistakenly shipped, the two do battle, natch! But, Doom's servant, the scientist Hauptmann, activates Doom's time platform
while the duo are on top of it -- zapping them back to the 12th century! There, IM teams up with King Arthur and his court,
while Doom sides with the evil Morgana Le Fey. The opposing sides do epic battle, the former ultimately winning out. Doom
then proposes that he and IM work together to cannibalize their armors' systems in order to construct a crude time device
which will return them to the present! They of course succeed!
In their second encounter (IM #249-250), two mysterious powerful objects
appear -- one in Latveria and the other at Stark Enterprises in California. Doc Doom wants both of them, so he personally
travels to SE to bargain with Stark. When Stark gives the obvious "no," Doc gives fair warning. Doom's robots attack SE soon
after and Doc obtains the Stark half of the artifact. He soon connects the two halves, and a mysterious black light begins
to ooze out of it. Just then, IM arrives for the stolen half -- but the black light envelopes both he and Doom! They are transported
to the future, the year 2093! A clone of King Arthur is reborn and along with his magician Merlin must save the future Earth
from extinction! The two have summoned Doom and IM to assist. They find they must battle two counterparts of themselves --
Iron Man against a descendant known as Andros Stark in the Iron Man 2020 armor, and Doom vs. himself, kept alive via various mechanical devices! Once the danger is dealt with,
the two are promptly returned to the present.
First IM Appearance: Iron Man #102 (in Dreadknight flashbacks).