Malware-Traffic-Analysis.net - 2018-12-19 - Malspam pushing the MyDoom worm is still a thing

Archived: 2026-04-05 13:49:46 UTC

NOTICE: The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Malspam examples:  2018-12-19-MyDoom-malspam-4-email-examples.zip   87.5 kB (87,475 bytes)
2018-12-17-malspam-0334-UTC.eml   (32,517 bytes)
2018-12-17-malspam-2019-UTC.eml   (30,838 bytes)
2018-12-18-malspam-1922-UTC.eml   (31,456 bytes)
2018-12-19-malspam-1454-UTC.eml   (31,030 bytes)

Pcap of the infection traffic:  2018-12-19-MyDoom-infection-traffic.pcap.zip   205 kB (204,725 bytes)
2018-12-19-MyDoom-infection-traffic.pcap   (362,046 bytes)

Associated malware:  2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip   171.3 kB (171,343 bytes)
17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85.exe   (22,020 bytes)
2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430.exe   (22,020 bytes)
3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849.zip   (22,140 bytes)
57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8.zip   (22,376 bytes)
78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e.zip   (21,966 bytes)
868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826.exe   (22,752 bytes)
ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad.exe   (22,020 bytes)
e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6.zip   (22,140 bytes)

NOTES:

MyDoom worm was big in 2004, and it's been propagating around ever since.  Some details can be found here.
I still occasionally see these, and other people have also seen MyDoom activity over the past year or two.

EMAILS

https://www.malware-traffic-analysis.net/2018/12/19/index.html Page 1 of 6

Shown above:  Screenshot from one of the MyDoom emails.
EMAILS:

Date range:  2018-12-17 03:34 UTC through 2018-12-20 04:05 UTC
Received:  from browsefox[.]com ([218.16.100[.]42])
Received:  from yhglobal[.]com ([113.91.55[.]46])
Received:  from adobee[.]com ([113.91.55[.]72])
Received:  from mozilla[.]org ([95.56.208[.]123])
Subject:  Returned mail: Data format error
Subject:  Delivery failed
Subject:  Returned mail: see transcript for details
From:  james@browsefox[.]com
From:  john@yhglobal[.]com
From:  flash@adobee[.]com
From:  tochka@vyach-zaxaroff.narod[.]ru
Attachment name:  .zip
Attachment name:  message.zip

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

Various IP addresses over TCP port 1042 - attempted connections (SYN packets only)
Various mail servers over TCP port 25 - SMTP and attempted SMTP traffic

MALWARE

FROM 2018-12-17 03:34 EMAIL:

SHA256 hash:  442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070
File size:  23,060 bytes
File name:  .zip
File description:  File attachment (zip archive) from malspam on 2018-12-17 03:34 UTC

SHA256 hash:  868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826
File size:  22,752 bytes
File name:  .txt [97 spaces in middle of file name] .pif
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2018-12-17 20:19 EMAIL:

SHA256 hash:  3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849
File size:  22,140 bytes
File name:  message.zip
File description:  File attachment (zip archive) from malspam on 2018-12-17 20:19 UTC

SHA256 hash:  ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad
File size:  22,020 bytes
File name:  message.bat
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2018-12-18 19:22 EMAIL:

SHA256 hash:  57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8
File size:  22,376 bytes
File name:  .zip
File description:  File attachment (zip archive) from malspam on 2018-12-18 19:22 UTC

SHA256 hash:  2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430
File size:  22,020 bytes
File name:  .htm [121 spaces in middle of file name] .scr
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2018-12-19 14:54 EMAIL:

SHA256 hash:  e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6
File size:  22,140 bytes
File name:  message.zip
File description:  File attachment (zip archive) from malspam on 2018-12-19 14:54 UTC

SHA256 hash:  17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85
File size:  22,020 bytes
File name:  message.exe
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

IMAGES

Shown above:  Traffic from an infection filtered in Wireshark first shows attempted TCP connections to various IP addresses over port 1042.

Shown above:  Filtering on smtp and ip contains "MAIL FROM:" shows some of the spoofed sending addresses sent from my infected Windows host.

Shown above:  Filtering on smtp and ip contains "Subject:" gives results from which you can follow a TCP stream and see a full malspam message sent from my infected Windows host.

Shown above:  Following one of the TCP streams to view malspam sent from the infected Windows host.

Source: https://www.malware-traffic-analysis.net/2018/12/19/index.html
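The two behaviours listed under TRAFFIC above (SYN-only probes of many hosts on TCP port 1042, and SMTP to many mail servers straight from a workstation) are easy to spot in Wireshark by eye, but a practitioner usually wants them scored per host. The following is an added example, not code from the original post: it consumes the tab-separated output of a tshark field export (command shown in the docstring) and reports, per source address, how many distinct hosts were probed on the sweep port, how many of those never replied with a SYN/ACK, and how many distinct SMTP servers were contacted. The sample rows are constructed with RFC 5737 documentation addresses and are not taken from the pcap; the thresholds are assumptions for illustration.

```python
"""Score worm-like fan-out in a TCP summary exported from a pcap.

Added example, not code from the original post.  It reads the tab-separated
output of a tshark run such as
    tshark -r 2018-12-19-MyDoom-infection-traffic.pcap -T fields \
        -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
and, per source host, counts SYN sweeps of tcp/1042 and direct-to-MX SMTP.
The sample rows are constructed with documentation addresses, not pcap data.
"""
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def parse_tshark_fields(text):
    """Parse 'src\\tdst\\tsport\\tdport\\tflags' rows; tshark leaves non-TCP fields empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or not all(parts):
            continue
        src, dst, sport, dport, flags = parts
        try:
            rows.append((src, dst, int(sport), int(dport), int(flags, 16)))
        except ValueError:
            continue
    return rows


def summarize(rows, sweep_port=1042, min_sweep_targets=10, min_mx_targets=5):
    """Per source: distinct SYN targets on sweep_port (and how many never answered) and distinct SMTP servers."""
    syn_targets = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    answered = set()                                     # (client, server, server_port) that got a SYN/ACK
    for src, dst, sport, dport, flags in rows:
        if flags & (SYN | ACK) == SYN:
            syn_targets[src][dport].add(dst)
        elif flags & (SYN | ACK) == SYN | ACK:
            answered.add((dst, src, sport))
    report = {}
    for src, by_port in syn_targets.items():
        sweep = by_port.get(sweep_port, set())
        unanswered = {d for d in sweep if (src, d, sweep_port) not in answered}
        smtp = by_port.get(25, set())
        alerts = []
        if len(sweep) >= min_sweep_targets:   # threshold is an assumption for the example
            alerts.append(f"tcp/{sweep_port} SYN sweep: {len(sweep)} hosts, {len(unanswered)} never answered")
        if len(smtp) >= min_mx_targets:       # workstations normally talk to one relay, not many MXs
            alerts.append(f"direct-to-MX SMTP fan-out: {len(smtp)} mail servers")
        report[src] = {"sweep_targets": len(sweep), "sweep_unanswered": len(unanswered),
                       "smtp_servers": len(smtp), "alerts": alerts}
    return report


def constructed_sample():
    """Constructed tshark output in the shape of the infection traffic (not real pcap data)."""
    lines = []
    for i in range(1, 13):   # 12 SYNs to tcp/1042 on different hosts, none answered
        lines.append(f"192.0.2.10\t198.51.100.{i}\t{49000 + i}\t1042\t0x0002")
    for i in range(1, 7):    # 6 SYNs to port 25 on different mail servers ...
        lines.append(f"192.0.2.10\t203.0.113.{i}\t{49100 + i}\t25\t0x0002")
    for i in (1, 2):         # ... two of which answer with SYN/ACK
        lines.append(f"203.0.113.{i}\t192.0.2.10\t25\t{49100 + i}\t0x0012")
    lines += [               # a normal client doing one HTTPS handshake
        "192.0.2.99\t203.0.113.80\t49200\t443\t0x0002",
        "203.0.113.80\t192.0.2.99\t443\t49200\t0x0012",
        "192.0.2.99\t203.0.113.80\t49200\t443\t0x0010",
        "\t\t\t\t",          # a non-TCP frame: tshark emits empty fields
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host, summary in summarize(parse_tshark_fields(constructed_sample())).items():
        print(host, summary)
```

The same view in Wireshark is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 1042` for the sweep, and the `smtp && ip contains "MAIL FROM:"` filter used in the screenshots for the spam; the script only turns those two filters into per-host counts so they can be applied to a whole day's export.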
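The MALWARE section above shows the naming trick these attachments rely on: the zip member is called something like ".txt", followed by 97 or 121 spaces, followed by ".pif" or ".scr", so a file dialog shows a harmless-looking extension while Windows executes the real one. The following is an added example, not code from the original post: it parses an .eml, records the HELO name and connecting IP from each Received header, walks any zip attachment in memory without extracting or running anything, and flags members whose names are whitespace-padded, carry a second extension, or begin with an MZ header. The sample message is constructed with documentation domains and addresses and a 64-byte "MZ" stub standing in for the worm; nothing from the real samples is embedded.

```python
"""Triage a MyDoom-style malspam message: headers, zip attachment, padded names.

Added example, not code from the original post.  The sample message below is
constructed (documentation domains and IPs, an inert "MZ" stub); no real sample
from the post is used.
"""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def classify_name(name):
    """Return the reasons a member/attachment name looks like extension hiding."""
    flags = []
    collapsed = re.sub(r"\s+", "", name)          # "message.txt<97 spaces>.pif" -> "message.txt.pif"
    ext = os.path.splitext(collapsed)[1].lower()
    if ext in EXEC_EXTS:
        flags.append(f"executable extension {ext}")
        if collapsed.count(".") >= 2:
            flags.append("double extension")
    if re.search(r"\s{4,}\.[A-Za-z0-9]{1,4}$", name):   # run of spaces right before the real extension
        flags.append("whitespace-padded extension")
    return flags


def inspect_zip(data):
    """List members of an in-memory zip; read only the first two bytes of each (MZ check)."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)                    # never extract to disk or run the member
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "is_pe": head == b"MZ",
                "flags": classify_name(info.filename),
            })
    return members


def triage_eml(raw):
    """Summarise sender claims and attachments of one message as a dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            received.append((m.group(1), m.group(2)))   # (claimed HELO name, connecting IP)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        entry = {"name": name, "flags": classify_name(name), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            entry["members"] = inspect_zip(data)
        attachments.append(entry)
    suspicious = any(a["flags"] or any(m["flags"] or m["is_pe"] for m in a["members"])
                     for a in attachments)
    return {
        "received": received,
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "attachments": attachments,
        "suspicious": suspicious,
    }


def constructed_sample_eml():
    """Build a constructed message in the shape of the emails above (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # 97 spaces between ".txt" and ".pif", as in the first attachment listed above;
        # the content is an inert stub, not the worm
        zf.writestr("message.txt" + " " * 97 + ".pif", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Received"] = ("from browsefox.example ([192.0.2.42]) by mx.example.net "
                       "with SMTP; Mon, 17 Dec 2018 03:34:00 +0000")
    msg["From"] = "james@browsefox.example"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Returned mail: Data format error"
    msg.set_content("The original message was included as attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(constructed_sample_eml()), indent=2))
```

Feeding the four .eml files from the archive through `triage_eml` gives, for each, the HELO name beside the connecting IP (the mismatch between a claimed domain such as mozilla[.]org and an unrelated address is the first tell), the spoofed bounce subject, and the padded or double-extension member name inside the zip. The MZ check reads two bytes through `ZipFile.open`, so nothing is written to disk; keep it that way on an analysis host.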