SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mydoom (Back to overview)

MyDoom

aka: Novarg, Mimail

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-12-19Malware Traffic AnalysisBrad Duncan
@online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
MyDoom
2004-04-15SANS GIACMatt Goldencrown
@online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } MyDoom is Your Doom: An Analysis of the MyDoom Virus
MyDoom
2004-01-30Applied Watch TechnologiesEric S. Hines
@techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } MyDoom.B Worm Analysis
MyDoom
2004GIACSrinivas Ganti
@online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } MyDoom and its backdoor
MyDoom
Yara Rules
[TLP:WHITE] win_mydoom_auto (20230125 | Detects win.mydoom.)
rule win_mydoom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.mydoom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f94c0 09d0 a801 740a }
            // n = 4, score = 100
            //   0f94c0               | sete                al
            //   09d0                 | or                  eax, edx
            //   a801                 | test                al, 1
            //   740a                 | je                  0xc

        $sequence_1 = { 8d9da8feffff 891c24 e8???????? 895c2408 c744240496000000 8d9d48ffffff }
            // n = 6, score = 100
            //   8d9da8feffff         | lea                 ebx, [ebp - 0x158]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   c744240496000000     | mov                 dword ptr [esp + 4], 0x96
            //   8d9d48ffffff         | lea                 ebx, [ebp - 0xb8]

        $sequence_2 = { 01c0 29c6 0fb6442eb8 884707 e8???????? 89c6 }
            // n = 6, score = 100
            //   01c0                 | add                 eax, eax
            //   29c6                 | sub                 esi, eax
            //   0fb6442eb8           | movzx               eax, byte ptr [esi + ebp - 0x48]
            //   884707               | mov                 byte ptr [edi + 7], al
            //   e8????????           |                     
            //   89c6                 | mov                 esi, eax

        $sequence_3 = { e8???????? 83ec10 c744241800000000 c744241480000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   c744241480000000     | mov                 dword ptr [esp + 0x14], 0x80

        $sequence_4 = { 83ec24 ba00000000 85c0 7553 893424 e8???????? 83ec04 }
            // n = 7, score = 100
            //   83ec24               | sub                 esp, 0x24
            //   ba00000000           | mov                 edx, 0
            //   85c0                 | test                eax, eax
            //   7553                 | jne                 0x55
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4

        $sequence_5 = { 83ec20 8b5d08 8b7510 8d45f4 89442410 }
            // n = 5, score = 100
            //   83ec20               | sub                 esp, 0x20
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_6 = { 893424 e8???????? 893424 e8???????? 83ec04 80bc2807feffff5c }
            // n = 6, score = 100
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   80bc2807feffff5c     | cmp                 byte ptr [eax + ebp - 0x1f9], 0x5c

        $sequence_7 = { a801 756b 0fbec3 89442408 89742404 893c24 }
            // n = 6, score = 100
            //   a801                 | test                al, 1
            //   756b                 | jne                 0x6d
            //   0fbec3               | movsx               eax, bl
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   893c24               | mov                 dword ptr [esp], edi

        $sequence_8 = { 66837de631 770c e8???????? 8db40630240000 0fb745e6 83e833 663d9400 }
            // n = 7, score = 100
            //   66837de631           | cmp                 word ptr [ebp - 0x1a], 0x31
            //   770c                 | ja                  0xe
            //   e8????????           |                     
            //   8db40630240000       | lea                 esi, [esi + eax + 0x2430]
            //   0fb745e6             | movzx               eax, word ptr [ebp - 0x1a]
            //   83e833               | sub                 eax, 0x33
            //   663d9400             | cmp                 ax, 0x94

        $sequence_9 = { c1f81f 29c2 8d0452 8d0482 01c0 29c1 0fbe5429b8 }
            // n = 7, score = 100
            //   c1f81f               | sar                 eax, 0x1f
            //   29c2                 | sub                 edx, eax
            //   8d0452               | lea                 eax, [edx + edx*2]
            //   8d0482               | lea                 eax, [edx + eax*4]
            //   01c0                 | add                 eax, eax
            //   29c1                 | sub                 ecx, eax
            //   0fbe5429b8           | movsx               edx, byte ptr [ecx + ebp - 0x48]

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules