SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20220411 | Detects win.mydoom.)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? ba00000000 85c0 740e }
            // n = 4, score = 100
            //   e8????????           |                     
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10

        $sequence_1 = { 74e2 89442404 c70424???????? e8???????? }
            // n = 4, score = 100
            //   74e2                 | je                  0xffffffe4
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_2 = { 0f85cc010000 893424 e8???????? ba00000000 e9???????? }
            // n = 5, score = 100
            //   0f85cc010000         | jne                 0x1d2
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   ba00000000           | mov                 edx, 0
            //   e9????????           |                     

        $sequence_3 = { 89d8 f3ab 8dbd08ffffff b90a000000 f3ab c7442404???????? }
            // n = 6, score = 100
            //   89d8                 | mov                 eax, ebx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8dbd08ffffff         | lea                 edi, dword ptr [ebp - 0xf8]
            //   b90a000000           | mov                 ecx, 0xa
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   c7442404????????     |                     

        $sequence_4 = { 56 53 81ecc0000000 8b7508 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   81ecc0000000         | sub                 esp, 0xc0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_5 = { 890424 e8???????? c9 83f801 }
            // n = 4, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c9                   | leave               
            //   83f801               | cmp                 eax, 1

        $sequence_6 = { 85c0 0f84cc000000 897c2410 8d85e0feffff 8944240c 89742408 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f84cc000000         | je                  0xd2
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   8d85e0feffff         | lea                 eax, dword ptr [ebp - 0x120]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   89742408             | mov                 dword ptr [esp + 8], esi

        $sequence_7 = { c744240496000000 8d8548ffffff 890424 e8???????? }
            // n = 4, score = 100
            //   c744240496000000     | mov                 dword ptr [esp + 4], 0x96
            //   8d8548ffffff         | lea                 eax, dword ptr [ebp - 0xb8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_8 = { 83ec08 ba00000000 85c0 0f85a1010000 c744240800000000 c744240401000000 c7042402000000 }
            // n = 7, score = 100
            //   83ec08               | sub                 esp, 8
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax
            //   0f85a1010000         | jne                 0x1a7
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   c7042402000000       | mov                 dword ptr [esp], 2

        $sequence_9 = { c1f81f 29c2 8d0452 8d0482 01c0 29c1 0fbe5429b8 }
            // n = 7, score = 100
            //   c1f81f               | sar                 eax, 0x1f
            //   29c2                 | sub                 edx, eax
            //   8d0452               | lea                 eax, dword ptr [edx + edx*2]
            //   8d0482               | lea                 eax, dword ptr [edx + eax*4]
            //   01c0                 | add                 eax, eax
            //   29c1                 | sub                 ecx, eax
            //   0fbe5429b8           | movsx               edx, byte ptr [ecx + ebp - 0x48]

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules