win.mydoom

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15 | SANS GIAC | Matt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30 | Applied Watch Technologies | Eric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004 | GIAC | Srinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20211008 | Detects win.mydoom.)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review note (reader orientation):
     * Each $sequence_N below is a run of 32-bit x86 instruction bytes lifted
     * from the sample's disassembly; the per-byte comments under each string
     * show the decoded instructions. The "??" wildcards mask operand bytes
     * that vary between builds and load addresses (call/jump targets and
     * data references, per the signator_config above), so the rule keys on
     * instruction structure rather than on fixed addresses. In the
     * "n = X, score = Y" comments, n is the number of instructions in the
     * sequence; score is yara-signator's own ranking of the sequence and,
     * being a comment, has no effect on YARA matching.
     */

    strings:
        $sequence_0 = { 8d9d38ffffff 891c24 e8???????? 895c2408 c744240496000000 8d8558ffffff 890424 }
            // n = 7, score = 100
            //   8d9d38ffffff         | lea                 ebx, dword ptr [ebp - 0xc8]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   c744240496000000     | mov                 dword ptr [esp + 4], 0x96
            //   8d8558ffffff         | lea                 eax, dword ptr [ebp - 0xa8]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_1 = { 09d0 ba00000000 a801 756b 0fbec3 89442408 89742404 }
            // n = 7, score = 100
            //   09d0                 | or                  eax, edx
            //   ba00000000           | mov                 edx, 0
            //   a801                 | test                al, 1
            //   756b                 | jne                 0x6d
            //   0fbec3               | movsx               eax, bl
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   89742404             | mov                 dword ptr [esp + 4], esi

        $sequence_2 = { 81ecf0010000 c7442404???????? 8d9d98feffff 891c24 e8???????? 895c2408 }
            // n = 6, score = 100
            //   81ecf0010000         | sub                 esp, 0x1f0
            //   c7442404????????     |                     
            //   8d9d98feffff         | lea                 ebx, dword ptr [ebp - 0x168]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx

        $sequence_3 = { 890424 e8???????? 83ec08 8b856cf9ffff 890424 }
            // n = 5, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   8b856cf9ffff         | mov                 eax, dword ptr [ebp - 0x694]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_4 = { 55 89e5 53 83ec5c 0fb64508 8845b7 a1???????? }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   83ec5c               | sub                 esp, 0x5c
            //   0fb64508             | movzx               eax, byte ptr [ebp + 8]
            //   8845b7               | mov                 byte ptr [ebp - 0x49], al
            //   a1????????           |                     

        $sequence_5 = { e8???????? 890424 e8???????? e8???????? 8db40681370000 0fb745e6 2d21030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8db40681370000       | lea                 esi, dword ptr [esi + eax + 0x3781]
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]
            //   2d21030000           | sub                 eax, 0x321

        $sequence_6 = { 5d c3 55 89e5 83ec08 c7442404???????? 8b4508 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_7 = { 0fbe4303 83f803 7459 83f803 }
            // n = 4, score = 100
            //   0fbe4303             | movsx               eax, byte ptr [ebx + 3]
            //   83f803               | cmp                 eax, 3
            //   7459                 | je                  0x5b
            //   83f803               | cmp                 eax, 3

        $sequence_8 = { ffd0 8b15???????? 83eb04 39d3 73eb 8d742600 }
            // n = 6, score = 100
            //   ffd0                 | call                eax
            //   8b15????????         |                     
            //   83eb04               | sub                 ebx, 4
            //   39d3                 | cmp                 ebx, edx
            //   73eb                 | jae                 0xffffffed
            //   8d742600             | lea                 esi, dword ptr [esi]

        $sequence_9 = { 49 c744241000000000 8d85c4fdffff 8944240c 894c2408 89742404 891c24 }
            // n = 7, score = 100
            //   49                   | dec                 ecx
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   8d85c4fdffff         | lea                 eax, dword ptr [ebp - 0x23c]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   891c24               | mov                 dword ptr [esp], ebx

    condition:
        // Match requires at least 7 of the 10 $sequence_* strings AND a
        // scanned object smaller than 114688 bytes (112 KiB). Since the
        // sequences were taken from memory dumps and unpacked files (see
        // DISCLAIMER), the size bound means a larger packed or embedding
        // carrier will not match even if it contains this code; apply the
        // rule to unpacked payloads or process memory for best coverage.
        7 of them and filesize < 114688
}