1/9

2018-12-19 - MALSPAM PUSHING THE MYDOOM WORM
IS STILL A THING

malware-traffic-analysis.net/2018/12/19/index.html

ASSOCIATED FILES:

Malspam examples:  2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-
examples.zip   108 kB (108,254 bytes)

2018-12-17-malspam-0334-UTC.eml   (32,517 bytes)
2018-12-17-malspam-2019-UTC.eml   (30,838 bytes)
2018-12-18-malspam-1922-UTC.eml   (31,456 bytes)
2018-12-19-malspam-1454-UTC.eml   (31,030 bytes)
2018-12-20-malspam-0405-UTC.eml   (31,444 bytes)

Pcap of the infection traffic:  2018-12-19-MyDoom-infection-traffic.pcap.zip   205 kB
(204,725 bytes)

2018-12-19-MyDoom-infection-traffic.pcap   (362,046 bytes)

Associated malware:  2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-
extracted-EXE-files.zip   213 kB (212,812 bytes)

https://www.malware-traffic-analysis.net/2018/12/19/index.html
https://www.malware-traffic-analysis.net/2018/12/19/2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-examples.zip
https://www.malware-traffic-analysis.net/2018/12/19/2018-12-19-MyDoom-infection-traffic.pcap.zip
https://www.malware-traffic-analysis.net/2018/12/19/2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip


2/9

17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85.exe
  (22,020 bytes)
2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430.exe
  (22,020 bytes)
3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849.zip
  (22,140 bytes)
442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070.zip
  (23,060 bytes)
57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8.zip
  (22,376 bytes)
78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e.zip  
(21,966 bytes)
868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826.exe  
(22,752 bytes)
ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad.exe
  (22,020 bytes)
e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6.zip  
(22,140 bytes)
ee004696baa06ae797449ac5dff683ddd3373d9fe38a2cf69c174fbd873673e8.exe
  (21,508 bytes)

NOTES:

MyDoom worm was big in 2004, and it's been propagating around ever since.  Some
details can be found here.
I still occasionally see these, and other people like @dvk01uk have also reported it's
still active over that past year or two.

EMAILS

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FMydoom
https://twitter.com/dvk01uk
https://twitter.com/search?f=tweets&vertical=default&q=%23mydoom%20%40dvk01uk&src=typd


3/9

 

Shown above:  Screenshot from one of the MyDoom emails.

EMAILS:

Date range:  2018-12-17 03:34 UTC through 2018-12-20 04:05 UTC

Received:  from browsefox.com ([218.16.100.42])
Received:  from yhglobal.com ([113.91.55.46])
Received:  from adobee.com ([113.91.55.72])
Received:  from mozilla.org ([95.56.208.123])



4/9

Received:  from vanguardlogistics.com ([14.154.204.205])

Subject:  Returned mail: Data format error
Subject:  File Delivery failed
Subject:  File Returned mail: see transcript for details
Subject:  File RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS

From:  File james@browsefox.com
From:  File john@yhglobal.com
From:  File flash@adobee.com
From:  tochka@vyach-zaxaroff.narod.ru
From:  dong.xiao@vanguardlogistics.com

Attachment name:  .zip
Attachment name:  message.zip
Attachment name:  document.zip

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

Various IP addresses over TCP port 1042 - attempted connections (SYN packets only)
Various mail servers over TCP port 25 - SMTP and attempted SMTP traffic

MALWARE

FROM 2017-12-17 03:34 EMAIL:

SHA256 hash: 
442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070
File size:  23,060 bytes
File name:  .zip
File description:  File attachment (zip archive) from malspam on 2018-12-17 03:34 UTC

SHA256 hash: 
868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826
File size:  22,752 bytes
File name:  .txt [97 spaces in middle of file name] .pif
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2017-12-17 20:19 EMAIL:



5/9

SHA256 hash: 
3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849
File size:  22,140 bytes
File name:  message.zip
File description:  File attachment (zip archive) from malspam on 2018-12-17 20:19 UTC

SHA256 hash: 
ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad
File size:  22,020 bytes
File name:  message.bat
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2017-12-18 19:22 EMAIL:

SHA256 hash: 
57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8
File size:  22,376 bytes
File name:  .zip
File description:  File attachment (zip archive) from malspam on 2018-12-18 19:22 UTC

SHA256 hash: 
2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430
File size:  22,020 bytes
File name:  .htm [121 spaces in middle of file name] .scr
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2017-12-19 14:54 EMAIL:

SHA256 hash: 
e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6
File size:  22140 bytes
File name:  message.zip
File description:  File attachment (zip archive) from malspam on 2018-12-19 14:54 UTC

SHA256 hash: 
17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85
File size:  22,020 bytes
File name:  message.exe
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

FROM 2017-12-20 04:05 EMAIL:



6/9

SHA256 hash: 
78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e
File size:  21,966 bytes
File name:  document.zip
File description:  File attachment (zip archive) from malspam on 2018-12-20 04:05 UTC

SHA256 hash: 
ee004696baa06ae797449ac5dff683ddd3373d9fe38a2cf69c174fbd873673e8
File size:  21,508 bytes
File name:  document.htm [164 spaces in middle of file name] .exe
File description:  Windows executable file - MyDoom worm (Modified date: Dec 2004)

IMAGES

 

Shown above:  Traffic from an infection filtered in Wireshark first show attempted TCP
connections to various IP addresses over port 1042.



7/9

 

Shown above:  Filtering on smtp and ip contains "MAIL FROM:" shows some of the
spoofed sending addresses sent from my

 infected Windows host.

 

Shown above:  Filtering on smtp and ip contains "Subject:" will results that you can follow
a TCP stream and

 see a full malspam message sent from my infected Windows host.



8/9

 

Shown above:  Following one of the TCP streams to view malspam sent from the infected
Windows host.

FINAL NOTES

Once again, here are the associated files:



9/9

Malspam examples:  2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-
examples.zip   108 kB (108,254 bytes)
Pcap of the infection traffic:  2018-12-19-MyDoom-infection-traffic.pcap.zip   205 kB
(204,725 bytes)
Associated malware:  2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-
extracted-EXE-files.zip   213 kB (212,812 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look
at the "about" page of this website.

Click here to return to the main page.

https://www.malware-traffic-analysis.net/2018/12/19/2018-12-17-thru-2018-12-20-MyDoom-malspam-5-email-examples.zip
https://www.malware-traffic-analysis.net/2018/12/19/2018-12-19-MyDoom-infection-traffic.pcap.zip
https://www.malware-traffic-analysis.net/2018/12/19/2018-12-17-thru-2018-12-19-MyDoom-zip-attachments-and-extracted-EXE-files.zip
https://www.malware-traffic-analysis.net/index.html