SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83ec34 8b5d08 c745f404000000 c745ec04000000 8d45f8 89442410 }
            // n = 6, score = 100
            //   83ec34               | sub                 esp, 0x34
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   c745f404000000       | mov                 dword ptr [ebp - 0xc], 4
            //   c745ec04000000       | mov                 dword ptr [ebp - 0x14], 4
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_1 = { 8d9dc8feffff 891c24 e8???????? c744240c14000000 c7442408???????? }
            // n = 5, score = 100
            //   8d9dc8feffff         | lea                 ebx, [ebp - 0x138]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   c744240c14000000     | mov                 dword ptr [esp + 0xc], 0x14
            //   c7442408????????     |                     

        $sequence_2 = { 7547 c70424???????? e8???????? bf???????? fc b9ffffffff b000 }
            // n = 7, score = 100
            //   7547                 | jne                 0x49
            //   c70424????????       |                     
            //   e8????????           |                     
            //   bf????????           |                     
            //   fc                   | cld                 
            //   b9ffffffff           | mov                 ecx, 0xffffffff
            //   b000                 | mov                 al, 0

        $sequence_3 = { 8b0d???????? 85c9 7546 31db 89d8 8d65f8 5b }
            // n = 7, score = 100
            //   8b0d????????         |                     
            //   85c9                 | test                ecx, ecx
            //   7546                 | jne                 0x48
            //   31db                 | xor                 ebx, ebx
            //   89d8                 | mov                 eax, ebx
            //   8d65f8               | lea                 esp, [ebp - 8]
            //   5b                   | pop                 ebx

        $sequence_4 = { e8???????? 83ec04 668985fafeffff 8dbd38ffffff }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   668985fafeffff       | mov                 word ptr [ebp - 0x106], ax
            //   8dbd38ffffff         | lea                 edi, [ebp - 0xc8]

        $sequence_5 = { c744240802000000 8b4518 89442404 893424 e8???????? ba00000000 eb20 }
            // n = 7, score = 100
            //   c744240802000000     | mov                 dword ptr [esp + 8], 2
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   ba00000000           | mov                 edx, 0
            //   eb20                 | jmp                 0x22

        $sequence_6 = { 0fb745e6 668945ca c744240810000000 8d45c8 }
            // n = 4, score = 100
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]
            //   668945ca             | mov                 word ptr [ebp - 0x36], ax
            //   c744240810000000     | mov                 dword ptr [esp + 8], 0x10
            //   8d45c8               | lea                 eax, [ebp - 0x38]

        $sequence_7 = { 891c24 e8???????? ebe7 55 89e5 53 }
            // n = 6, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   ebe7                 | jmp                 0xffffffe9
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx

        $sequence_8 = { ba00000000 85c0 0f841b010000 c745d805040003 0fb645d7 8845ec c744240805000000 }
            // n = 7, score = 100
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax
            //   0f841b010000         | je                  0x121
            //   c745d805040003       | mov                 dword ptr [ebp - 0x28], 0x3000405
            //   0fb645d7             | movzx               eax, byte ptr [ebp - 0x29]
            //   8845ec               | mov                 byte ptr [ebp - 0x14], al
            //   c744240805000000     | mov                 dword ptr [esp + 8], 5

        $sequence_9 = { c7042402020000 e8???????? 83ec08 ba00000000 85c0 0f85a1010000 c744240800000000 }
            // n = 7, score = 100
            //   c7042402020000       | mov                 dword ptr [esp], 0x202
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax
            //   0f85a1010000         | jne                 0x1a7
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules