SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d8568fdffff 89442404 c7042402020000 e8???????? 83ec08 }
            // n = 5, score = 100
            //   8d8568fdffff         | lea                 eax, [ebp - 0x298]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   c7042402020000       | mov                 dword ptr [esp], 0x202
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8

        $sequence_1 = { 85c0 0f8434020000 803b05 7506 807b0200 740a }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f8434020000         | je                  0x23a
            //   803b05               | cmp                 byte ptr [ebx], 5
            //   7506                 | jne                 8
            //   807b0200             | cmp                 byte ptr [ebx + 2], 0
            //   740a                 | je                  0xc

        $sequence_2 = { 891c24 e8???????? 895c2408 c744240496000000 8d9d48ffffff 891c24 e8???????? }
            // n = 7, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   c744240496000000     | mov                 dword ptr [esp + 4], 0x96
            //   8d9d48ffffff         | lea                 ebx, [ebp - 0xb8]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     

        $sequence_3 = { 83ec0c 89c3 83f8ff 7527 8d45e6 }
            // n = 5, score = 100
            //   83ec0c               | sub                 esp, 0xc
            //   89c3                 | mov                 ebx, eax
            //   83f8ff               | cmp                 eax, -1
            //   7527                 | jne                 0x29
            //   8d45e6               | lea                 eax, [ebp - 0x1a]

        $sequence_4 = { 8db558ffffff 893424 e8???????? c7442404???????? 891c24 e8???????? 895c2408 }
            // n = 7, score = 100
            //   8db558ffffff         | lea                 esi, [ebp - 0xa8]
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   c7442404????????     |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx

        $sequence_5 = { 55 89e5 53 83ec54 c7442404???????? 8d5db8 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   83ec54               | sub                 esp, 0x54
            //   c7442404????????     |                     
            //   8d5db8               | lea                 ebx, [ebp - 0x48]

        $sequence_6 = { e8???????? 83ec04 8b4308 890424 e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_7 = { 890424 e8???????? 83ec04 b842000000 85db }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   b842000000           | mov                 eax, 0x42
            //   85db                 | test                ebx, ebx

        $sequence_8 = { 380a 7415 42 803a00 7406 }
            // n = 5, score = 100
            //   380a                 | cmp                 byte ptr [edx], cl
            //   7415                 | je                  0x17
            //   42                   | inc                 edx
            //   803a00               | cmp                 byte ptr [edx], 0
            //   7406                 | je                  8

        $sequence_9 = { 89442410 c744240c19000200 c744240800000000 895c2404 c7042402000080 }
            // n = 5, score = 100
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c744240c19000200     | mov                 dword ptr [esp + 0xc], 0x20019
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   c7042402000080       | mov                 dword ptr [esp], 0x80000002

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules