SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89442404 891c24 e8???????? 85c0 0f849f000000 }
            // n = 5, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f849f000000         | je                  0xa5

        $sequence_1 = { 89442408 c7442404???????? 891c24 e8???????? ba00000000 85c0 }
            // n = 6, score = 100
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   c7442404????????     |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax

        $sequence_2 = { 893424 e8???????? ba00000000 e9???????? 8b420c 8b00 8b00 }
            // n = 7, score = 100
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   ba00000000           | mov                 edx, 0
            //   e9????????           |                     
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_3 = { 83ec18 c744241400000000 c744241000000000 8b450c 8944240c 8b4508 89442408 }
            // n = 7, score = 100
            //   83ec18               | sub                 esp, 0x18
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   89442408             | mov                 dword ptr [esp + 8], eax

        $sequence_4 = { c744240400000000 c7042400000000 e8???????? 83ec18 8d45fc 89442414 c744241000000000 }
            // n = 7, score = 100
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0

        $sequence_5 = { 55 89e5 83ec08 e8???????? e8???????? e8???????? b800000000 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   b800000000           | mov                 eax, 0

        $sequence_6 = { 83ec58 895df4 8975f8 897dfc 8b7510 0fb74514 668945e6 }
            // n = 7, score = 100
            //   83ec58               | sub                 esp, 0x58
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   0fb74514             | movzx               eax, word ptr [ebp + 0x14]
            //   668945e6             | mov                 word ptr [ebp - 0x1a], ax

        $sequence_7 = { 8845d2 8d45d8 890424 e8???????? 83ec04 e8???????? }
            // n = 6, score = 100
            //   8845d2               | mov                 byte ptr [ebp - 0x2e], al
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   e8????????           |                     

        $sequence_8 = { 895df4 8975f8 897dfc 8b7d08 8b750c c645f3ff c744240802000000 }
            // n = 7, score = 100
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   c645f3ff             | mov                 byte ptr [ebp - 0xd], 0xff
            //   c744240802000000     | mov                 dword ptr [esp + 8], 2

        $sequence_9 = { 89c6 83f8ff 0f8472010000 8dbdf8feffff fc bb00000000 b904000000 }
            // n = 7, score = 100
            //   89c6                 | mov                 esi, eax
            //   83f8ff               | cmp                 eax, -1
            //   0f8472010000         | je                  0x178
            //   8dbdf8feffff         | lea                 edi, [ebp - 0x108]
            //   fc                   | cld                 
            //   bb00000000           | mov                 ebx, 0
            //   b904000000           | mov                 ecx, 4

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules