2018-12-19 - MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING
ASSOCIATED FILES:
- Malspam examples: 2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-examples.zip 108 kB (108,254 bytes)
- 2018-12-17-malspam-0334-UTC.eml (32,517 bytes)
- 2018-12-17-malspam-2019-UTC.eml (30,838 bytes)
- 2018-12-18-malspam-1922-UTC.eml (31,456 bytes)
- 2018-12-19-malspam-1454-UTC.eml (31,030 bytes)
- 2018-12-20-malspam-0405-UTC.eml (31,444 bytes)
- Pcap of the infection traffic: 2018-12-19-MyDoom-infection-traffic.pcap.zip 205 kB (204,725 bytes)
- 2018-12-19-MyDoom-infection-traffic.pcap (362,046 bytes)
- Associated malware: 2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip 213 kB (212,812 bytes)
- 17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85.exe (22,020 bytes)
- 2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430.exe (22,020 bytes)
- 3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849.zip (22,140 bytes)
- 442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070.zip (23,060 bytes)
- 57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8.zip (22,376 bytes)
- 78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e.zip (21,966 bytes)
- 868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826.exe (22,752 bytes)
- ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad.exe (22,020 bytes)
- e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6.zip (22,140 bytes)
- ee004696baa06ae797449ac5dff683ddd3373d9fe38a2cf69c174fbd873673e8.exe (21,508 bytes)
NOTES:
- MyDoom worm was big in 2004, and it's been propagating around ever since. Some details can be found here.
- I still occasionally see these, and other people like @dvk01uk have also reported it's still active over that past year or two.
EMAILS
Shown above: Screenshot from one of the MyDoom emails.
EMAILS:
- Date range: 2018-12-17 03:34 UTC through 2018-12-20 04:05 UTC
- Received: from browsefox.com ([218.16.100.42])
- Received: from yhglobal.com ([113.91.55.46])
- Received: from adobee.com ([113.91.55.72])
- Received: from mozilla.org ([95.56.208.123])
- Received: from vanguardlogistics.com ([14.154.204.205])
- Subject: Returned mail: Data format error
- Subject: File Delivery failed
- Subject: File Returned mail: see transcript for details
- Subject: File RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS
- From: File james@browsefox.com
- From: File john@yhglobal.com
- From: File flash@adobee.com
- From: tochka@vyach-zaxaroff.narod.ru
- From: dong.xiao@vanguardlogistics.com
- Attachment name: .zip
- Attachment name: message.zip
- Attachment name: document.zip
TRAFFIC
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- Various IP addresses over TCP port 1042 - attempted connections (SYN packets only)
- Various mail servers over TCP port 25 - SMTP and attempted SMTP traffic
MALWARE
FROM 2017-12-17 03:34 EMAIL:
- SHA256 hash: 442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070
File size: 23,060 bytes
File name: .zip
File description: File attachment (zip archive) from malspam on 2018-12-17 03:34 UTC
- SHA256 hash: 868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826
File size: 22,752 bytes
File name: .txt [97 spaces in middle of file name] .pif
File description: Windows executable file - MyDoom worm (Modified date: Dec 2004)
FROM 2017-12-17 20:19 EMAIL:
- SHA256 hash: 3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849
File size: 22,140 bytes
File name: message.zip
File description: File attachment (zip archive) from malspam on 2018-12-17 20:19 UTC
- SHA256 hash: ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad
File size: 22,020 bytes
File name: message.bat
File description: Windows executable file - MyDoom worm (Modified date: Dec 2004)
FROM 2017-12-18 19:22 EMAIL:
- SHA256 hash: 57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8
File size: 22,376 bytes
File name: .zip
File description: File attachment (zip archive) from malspam on 2018-12-18 19:22 UTC
- SHA256 hash: 2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430
File size: 22,020 bytes
File name: .htm [121 spaces in middle of file name] .scr
File description: Windows executable file - MyDoom worm (Modified date: Dec 2004)
FROM 2017-12-19 14:54 EMAIL:
- SHA256 hash: e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6
File size: 22140 bytes
File name: message.zip
File description: File attachment (zip archive) from malspam on 2018-12-19 14:54 UTC
- SHA256 hash: 17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85
File size: 22,020 bytes
File name: message.exe
File description: Windows executable file - MyDoom worm (Modified date: Dec 2004)
FROM 2017-12-20 04:05 EMAIL:
- SHA256 hash: 78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e
File size: 21,966 bytes
File name: document.zip
File description: File attachment (zip archive) from malspam on 2018-12-20 04:05 UTC
- SHA256 hash: ee004696baa06ae797449ac5dff683ddd3373d9fe38a2cf69c174fbd873673e8
File size: 21,508 bytes
File name: document.htm [164 spaces in middle of file name] .exe
File description: Windows executable file - MyDoom worm (Modified date: Dec 2004)
IMAGES
Shown above: Traffic from an infection filtered in Wireshark first show attempted TCP connections to various IP addresses over port 1042.
Shown above: Filtering on smtp and ip contains "MAIL FROM:" shows some of the spoofed sending addresses sent from my
infected Windows host.
Shown above: Filtering on smtp and ip contains "Subject:" will results that you can follow a TCP stream and
see a full malspam message sent from my infected Windows host.
Shown above: Following one of the TCP streams to view malspam sent from the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Malspam examples: 2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-examples.zip 108 kB (108,254 bytes)
- Pcap of the infection traffic: 2018-12-19-MyDoom-infection-traffic.pcap.zip 205 kB (204,725 bytes)
- Associated malware: 2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip 213 kB (212,812 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.