{
	"id": "c5007e37-b332-416e-ba4b-ed48452e28dc",
	"created_at": "2026-04-06T00:06:10.453168Z",
	"updated_at": "2026-04-10T03:21:38.45535Z",
	"deleted_at": null,
	"sha1_hash": "5b5ea08527984f035d046d4807002c3e7c7edad5",
	"title": "Malware-Traffic-Analysis.net - 2018-12-19 - Malspam pushing the MyDoom worm is still a thing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2975070,
	"plain_text": "Malware-Traffic-Analysis.net - 2018-12-19 - Malspam pushing the MyDoom worm is still a thing\r\nArchived: 2026-04-05 13:49:46 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\nMalspam examples:  2018-12-19-MyDoom-malspam-4-email-examples.zip   87.5 kB (87,475 bytes)\r\n2018-12-17-malspam-0334-UTC.eml   (32,517 bytes)\r\n2018-12-17-malspam-2019-UTC.eml   (30,838 bytes)\r\n2018-12-18-malspam-1922-UTC.eml   (31,456 bytes)\r\n2018-12-19-malspam-1454-UTC.eml   (31,030 bytes)\r\nPcap of the infection traffic:  2018-12-19-MyDoom-infection-traffic.pcap.zip   205 kB (204,725 bytes)\r\n2018-12-19-MyDoom-infection-traffic.pcap   (362,046 bytes)\r\nAssociated malware:  2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip   171.3 kB (171,343 bytes)\r\n17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85.exe   (22,020 bytes)\r\n2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430.exe   (22,020 bytes)\r\n3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849.zip   (22,140 bytes)\r\n57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8.zip   (22,376 bytes)\r\n78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e.zip   (21,966 bytes)\r\n868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826.exe   (22,752 bytes)\r\nab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad.exe   (22,020 bytes)\r\ne3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6.zip   (22,140 bytes)\r\nNOTES:\r\nMyDoom worm was big in 2004, and it's been propagating around ever since.  
Some details can be found here.\r\nI still occasionally see these, and other people have also seen MyDoom activity over the past year or two.\r\nEMAILS\r\nhttps://www.malware-traffic-analysis.net/2018/12/19/index.html\r\nShown above:  Screenshot from one of the MyDoom emails.\r\nEMAILS:\r\nDate range:  2018-12-17 03:34 UTC through 2018-12-20 04:05 UTC\r\nReceived:  from browsefox[.]com ([218.16.100[.]42])\r\nReceived:  from yhglobal[.]com ([113.91.55[.]46])\r\nReceived:  from adobee[.]com ([113.91.55[.]72])\r\nReceived:  from mozilla[.]org ([95.56.208[.]123])\r\nSubject:  Returned mail: Data format error\r\nSubject:  File Delivery failed\r\nSubject:  File Returned mail: see transcript for details\r\nFrom:  File james@browsefox[.]com\r\nFrom:  File john@yhglobal[.]com\r\nFrom:  File flash@adobee[.]com\r\nFrom:  tochka@vyach-zaxaroff.narod[.]ru\r\nAttachment name:  .zip\r\nAttachment name:  message.zip\r\nTRAFFIC\r\nTRAFFIC FROM AN INFECTED WINDOWS HOST:\r\nVarious IP addresses over TCP port 1042 - attempted connections (SYN packets only)\r\nVarious mail servers over TCP port 25 - SMTP and attempted SMTP traffic\r\nMALWARE\r\nFROM 2017-12-17 03:34 EMAIL:\r\nSHA256 hash:  442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070\r\nFile size:  23,060 bytes\r\nFile name:  .zip\r\nFile description:  File attachment (zip archive) from malspam on 2018-12-17 03:34 UTC\r\nSHA256 hash:  868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826\r\nFile size:  22,752 bytes\r\nFile name:  .txt [97 spaces in middle of file name] .pif\r\nFile description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)\r\nFROM 2017-12-17 20:19 EMAIL:\r\nSHA256 hash:  3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849\r\nFile size:  22,140 bytes\r\nFile name:  message.zip\r\nFile description:  File attachment (zip archive) from malspam on 2018-12-17 20:19 
UTC\r\nSHA256 hash:  ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad\r\nFile size:  22,020 bytes\r\nFile name:  message.bat\r\nFile description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)\r\nFROM 2017-12-18 19:22 EMAIL:\r\nSHA256 hash:  57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8\r\nFile size:  22,376 bytes\r\nFile name:  .zip\r\nFile description:  File attachment (zip archive) from malspam on 2018-12-18 19:22 UTC\r\nSHA256 hash:  2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430\r\nFile size:  22,020 bytes\r\nFile name:  .htm [121 spaces in middle of file name] .scr\r\nFile description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)\r\nFROM 2017-12-19 14:54 EMAIL:\r\nSHA256 hash:  e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6\r\nFile size:  22,140 bytes\r\nFile name:  message.zip\r\nFile description:  File attachment (zip archive) from malspam on 2018-12-19 14:54 UTC\r\nSHA256 hash:  17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85\r\nFile size:  22,020 bytes\r\nFile name:  message.exe\r\nFile description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)\r\nIMAGES\r\nShown above:  Traffic from an infection filtered in Wireshark first shows attempted TCP connections to various IP addresses over port 1042.\r\nShown above:  Filtering on smtp and ip contains \"MAIL FROM:\" shows some of the spoofed sending addresses sent from my infected Windows host.\r\nShown above:  Filtering on smtp and ip contains \"Subject:\" will show results where you can follow a TCP stream and see a full malspam message sent from my infected Windows host.\r\nShown above:  Following one of the TCP streams to 
view malspam sent from the infected Windows host.\r\nSource: https://www.malware-traffic-analysis.net/2018/12/19/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malware-traffic-analysis.net/2018/12/19/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b5ea08527984f035d046d4807002c3e7c7edad5.pdf",
		"text": "https://archive.orkl.eu/5b5ea08527984f035d046d4807002c3e7c7edad5.txt",
		"img": "https://archive.orkl.eu/5b5ea08527984f035d046d4807002c3e7c7edad5.jpg"
	}
}