SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20221125 | Detects win.mydoom.)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 890424 e8???????? eb77 8d7dc8 fc b904000000 }
            // n = 6, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   eb77                 | jmp                 0x79
            //   8d7dc8               | lea                 edi, [ebp - 0x38]
            //   fc                   | cld                 
            //   b904000000           | mov                 ecx, 4

        $sequence_1 = { 8d8598feffff 89442404 8b8594feffff 890424 e8???????? 83ec18 8b8594feffff }
            // n = 7, score = 100
            //   8d8598feffff         | lea                 eax, [ebp - 0x168]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b8594feffff         | mov                 eax, dword ptr [ebp - 0x16c]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8b8594feffff         | mov                 eax, dword ptr [ebp - 0x16c]

        $sequence_2 = { c7442404???????? 8d9d68ffffff 891c24 e8???????? c744240c28000000 8d8538ffffff 89442408 }
            // n = 7, score = 100
            //   c7442404????????     |                     
            //   8d9d68ffffff         | lea                 ebx, [ebp - 0x98]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   c744240c28000000     | mov                 dword ptr [esp + 0xc], 0x28
            //   8d8538ffffff         | lea                 eax, [ebp - 0xc8]
            //   89442408             | mov                 dword ptr [esp + 8], eax

        $sequence_3 = { 8b4304 890424 e8???????? 83ec04 8b4308 890424 e8???????? }
            // n = 7, score = 100
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_4 = { 8d4001 83f801 762d 8b830c040000 f60001 }
            // n = 5, score = 100
            //   8d4001               | lea                 eax, [eax + 1]
            //   83f801               | cmp                 eax, 1
            //   762d                 | jbe                 0x2f
            //   8b830c040000         | mov                 eax, dword ptr [ebx + 0x40c]
            //   f60001               | test                byte ptr [eax], 1

        $sequence_5 = { c744240800040000 895c2404 8b4508 890424 e8???????? 83ec10 }
            // n = 6, score = 100
            //   c744240800040000     | mov                 dword ptr [esp + 8], 0x400
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10

        $sequence_6 = { e8???????? 83ec0c 83f8ff 7535 8d45e6 89442410 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   83f8ff               | cmp                 eax, -1
            //   7535                 | jne                 0x37
            //   8d45e6               | lea                 eax, [ebp - 0x1a]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_7 = { 8db406452d0000 8d45d8 890424 e8???????? 83ec04 0fb745e6 01c6 }
            // n = 7, score = 100
            //   8db406452d0000       | lea                 esi, [esi + eax + 0x2d45]
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]
            //   01c6                 | add                 esi, eax

        $sequence_8 = { 89e5 57 56 53 83ec5c 8b7d08 a1???????? }
            // n = 7, score = 100
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec5c               | sub                 esp, 0x5c
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   a1????????           |                     

        $sequence_9 = { e8???????? 85c0 7417 c744240802000000 8b4518 89442404 893424 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19
            //   c744240802000000     | mov                 dword ptr [esp + 8], 2
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   893424               | mov                 dword ptr [esp], esi

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules