MyDoom (Malware Family)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2018-12-19 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom

2004-04-15 ⋅ SANS GIAC ⋅ Matt Goldencrown
MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom

2004-01-30 ⋅ Applied Watch Technologies ⋅ Eric S. Hines
MyDoom.B Worm Analysis
MyDoom

2004 ⋅ GIAC ⋅ Srinivas Ganti
MyDoom and its backdoor
MyDoom

Yara Rules

[TLP:WHITE] win_mydoom_auto (20211008 | Detects win.mydoom.)

rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d9d38ffffff 891c24 e8???????? 895c2408 c744240496000000 8d8558ffffff 890424 }
            // n = 7, score = 100
            //   8d9d38ffffff         | lea                 ebx, dword ptr [ebp - 0xc8]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   c744240496000000     | mov                 dword ptr [esp + 4], 0x96
            //   8d8558ffffff         | lea                 eax, dword ptr [ebp - 0xa8]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_1 = { 09d0 ba00000000 a801 756b 0fbec3 89442408 89742404 }
            // n = 7, score = 100
            //   09d0                 | or                  eax, edx
            //   ba00000000           | mov                 edx, 0
            //   a801                 | test                al, 1
            //   756b                 | jne                 0x6d
            //   0fbec3               | movsx               eax, bl
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   89742404             | mov                 dword ptr [esp + 4], esi

        $sequence_2 = { 81ecf0010000 c7442404???????? 8d9d98feffff 891c24 e8???????? 895c2408 }
            // n = 6, score = 100
            //   81ecf0010000         | sub                 esp, 0x1f0
            //   c7442404????????     |                     
            //   8d9d98feffff         | lea                 ebx, dword ptr [ebp - 0x168]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx

        $sequence_3 = { 890424 e8???????? 83ec08 8b856cf9ffff 890424 }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   8b856cf9ffff         | mov                 eax, dword ptr [ebp - 0x694]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_4 = { 55 89e5 53 83ec5c 0fb64508 8845b7 a1???????? }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   83ec5c               | sub                 esp, 0x5c
            //   0fb64508             | movzx               eax, byte ptr [ebp + 8]
            //   8845b7               | mov                 byte ptr [ebp - 0x49], al
            //   a1????????           |                     

        $sequence_5 = { e8???????? 890424 e8???????? e8???????? 8db40681370000 0fb745e6 2d21030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8db40681370000       | lea                 esi, dword ptr [esi + eax + 0x3781]
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]
            //   2d21030000           | sub                 eax, 0x321

        $sequence_6 = { 5d c3 55 89e5 83ec08 c7442404???????? 8b4508 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_7 = { 0fbe4303 83f803 7459 83f803 }
            // n = 4, score = 100
            //   0fbe4303             | movsx               eax, byte ptr [ebx + 3]
            //   83f803               | cmp                 eax, 3
            //   7459                 | je                  0x5b
            //   83f803               | cmp                 eax, 3

        $sequence_8 = { ffd0 8b15???????? 83eb04 39d3 73eb 8d742600 }
            // n = 6, score = 100
            //   ffd0                 | call                eax
            //   8b15????????         |                     
            //   83eb04               | sub                 ebx, 4
            //   39d3                 | cmp                 ebx, edx
            //   73eb                 | jae                 0xffffffed
            //   8d742600             | lea                 esi, dword ptr [esi]

        $sequence_9 = { 49 c744241000000000 8d85c4fdffff 8944240c 894c2408 89742404 891c24 }
            // n = 7, score = 100
            //   49                   | dec                 ecx
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   8d85c4fdffff         | lea                 eax, dword ptr [ebp - 0x23c]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   891c24               | mov                 dword ptr [esp], ebx

    condition:
        7 of them and filesize < 114688
}

Download all Yara Rules

MyDoom Propose Change

References

Yara Rules

MyDoom