win.mydoom

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15 | SANS GIAC | Matt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30 | Applied Watch Technologies | Eric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004 | GIAC | Srinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20230715 | Detects win.mydoom.)
/*
 * win_mydoom_auto - auto-generated code-sequence signature for win.mydoom
 * (MyDoom, aka Novarg / Mimail).
 *
 * What it matches: ten short 32-bit x86 instruction sequences ($sequence_0 ..
 * $sequence_9) lifted from disassembly of memory dumps / unpacked samples.
 * A hit requires at least 7 of the 10 sequences AND a scanned object smaller
 * than 114688 bytes (112 KiB).
 *
 * Confidence: the generator documents only single samples for some families
 * (see DISCLAIMER below), so generalisation across MyDoom variants is not
 * guaranteed. Treat a match as a triage signal to be corroborated with the
 * references on this page, not as standalone proof of family.
 */
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured to emit.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is a run of raw opcode bytes; the comments underneath
        // show the generator's disassembly. "e8????????" is a call with its
        // 4-byte relative target wildcarded, since that displacement changes
        // with code layout and would otherwise break the match.
        // "n" is the instruction count; "score" is the generator's ranking.
        $sequence_0 = { 89442404 891c24 e8???????? 85c0 0f849f000000 }
            // n = 5, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f849f000000         | je                  0xa5

        $sequence_1 = { 0fb65301 8b4510 8810 0fbe4303 83f803 7459 83f803 }
            // n = 7, score = 100
            //   0fb65301             | movzx               edx, byte ptr [ebx + 1]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8810                 | mov                 byte ptr [eax], dl
            //   0fbe4303             | movsx               eax, byte ptr [ebx + 3]
            //   83f803               | cmp                 eax, 3
            //   7459                 | je                  0x5b
            //   83f803               | cmp                 eax, 3

        $sequence_2 = { 83f8ff 7430 895c2408 8d85f8feffff 89442404 }
            // n = 5, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   7430                 | je                  0x32
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_3 = { 0fb65e01 803e01 0f95c0 84db 0f94c2 09d0 }
            // n = 6, score = 100
            //   0fb65e01             | movzx               ebx, byte ptr [esi + 1]
            //   803e01               | cmp                 byte ptr [esi], 1
            //   0f95c0               | setne               al
            //   84db                 | test                bl, bl
            //   0f94c2               | sete                dl
            //   09d0                 | or                  eax, edx

        $sequence_4 = { c744240810000000 8d45c8 89442404 891c24 e8???????? 83ec0c 83f8ff }
            // n = 7, score = 100
            //   c744240810000000     | mov                 dword ptr [esp + 8], 0x10
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   83f8ff               | cmp                 eax, -1

        $sequence_5 = { 890424 e8???????? c9 83f801 }
            // n = 4, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c9                   | leave               
            //   83f801               | cmp                 eax, 1

        // Stack-frame setup (reserve 0x138 bytes, save ebx/esi/edi); this
        // shape recurs in compiler-emitted prologues, so on its own it is the
        // least specific of the ten sequences.
        $sequence_6 = { 81ec38010000 895df4 8975f8 897dfc 8b7d08 }
            // n = 5, score = 100
            //   81ec38010000         | sub                 esp, 0x138
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]

        $sequence_7 = { c744240402000000 8d8548ffffff 890424 e8???????? 83ec08 }
            // n = 5, score = 100
            //   c744240402000000     | mov                 dword ptr [esp + 4], 2
            //   8d8548ffffff         | lea                 eax, [ebp - 0xb8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8

        $sequence_8 = { 890424 e8???????? e8???????? 8db406fc2f0000 0fb745e6 }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8db406fc2f0000       | lea                 esi, [esi + eax + 0x2ffc]
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]

        $sequence_9 = { 0fbe45b7 89442404 8d5db8 891c24 e8???????? }
            // n = 5, score = 100
            //   0fbe45b7             | movsx               eax, byte ptr [ebp - 0x49]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d5db8               | lea                 ebx, [ebp - 0x48]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     

    condition:
        // Require a majority (7 of 10) of the sequences so that a single
        // generic snippet such as $sequence_6 cannot trigger the rule.
        // The size bound (112 KiB) narrows the rule to small binaries; it is
        // evaluated against the scanned object, so very large containers or
        // dumps that embed the code will not match.
        // NOTE(review): YARA's filesize is only defined for file scans -
        // confirm expected behaviour before relying on this rule for
        // process-memory scanning.
        7 of them and filesize < 114688
}