
win_mydoom_a

sha1: f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5 win_mydoom_a.exe
md5sum: 53df39092394741514bc050f3d6a06a9 win_mydoom_a.exe
info: 22528 Oct 20 10:58 win_mydoom_a.exe
Threat: W32.Mydoom.A@mm
File: C:\malware\win_mydoom_a.exe
Date found: Monday, December 05, 2005 10:02:44 PM
Scanning -> C:\malware\win_mydoom_a.exe
File Type : Exe, Size : 22528 (05800h) Bytes
[!] UPX v1.24 compressed !
- Scan Took : 0.953 Seconds

unpacked md5sum: 41e28ad24d9c075b01ebba52ff28ff27 unpacked_win_mydoom_a.exe
unpacked info: 53248 Dec 5 22:40 unpacked_win_mydoom_a.exe

entry point: 00004051

NOTES:
This binary was packed with UPX (v1.24, as identified in the scan above). Both the packed and the unpacked versions are attached.

The strings in the binary have been encoded with ROT13. These have been decoded and attached.
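Added example (not code from this page or from the sample): a small Python string-triage pass of the kind used to produce the decoded strings above. It pulls printable ASCII runs out of a blob the way `strings -n 6` would, applies ROT13 to each, and reports whether the raw or the ROT13 form reads as text. The marker list and the input blob are constructed for this example; the blob is not data from win_mydoom_a.exe.

```python
import codecs
import re

MIN_LEN = 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Substrings that rarely occur by chance in a random printable run; a string
# containing one deserves a look. Constructed for this example; extend per sample.
MARKERS = ("http", "mail from", "rcpt to", "helo ", "smtp", "software\\",
           "windows", ".exe", ".dll", "host:", "user-agent")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.encode(text, "rot_13")


def extract_strings(blob: bytes):
    """Printable ASCII runs of at least MIN_LEN bytes, like `strings -n 6`."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def looks_meaningful(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in MARKERS)


def decode_candidates(blob: bytes):
    """Return (kind, raw, rot13(raw)) for every printable run.

    kind is 'plain' when the raw run already reads as text (e.g. an import
    name, which the encoder never touched), 'rot13' when only its ROT13 form
    does, and 'unknown' when neither form hits a marker.
    """
    results = []
    for raw in extract_strings(blob):
        decoded = rot13(raw)
        if looks_meaningful(raw):
            kind = "plain"
        elif looks_meaningful(decoded):
            kind = "rot13"
        else:
            kind = "unknown"
        results.append((kind, raw, decoded))
    return results


def rot13_strings(blob: bytes):
    """Just the decoded forms of the runs that were ROT13-encoded."""
    return [decoded for kind, _, decoded in decode_candidates(blob) if kind == "rot13"]


def _enc(text: str) -> bytes:
    return rot13(text).encode("ascii")


# Constructed test blob (not the sample's data): three ROT13-encoded strings
# and one plain import name, separated by non-printable bytes.
SAMPLE_BLOB = (
    b"\x00\x90\xff" + _enc("MAIL FROM:<%s>") + b"\x00\x00"
    + _enc("Software\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00"
    + b"KERNEL32.dll" + b"\x00\x00"
    + _enc("http://www.example.invalid/") + b"\x00"
)

if __name__ == "__main__":
    for kind, raw, decoded in decode_candidates(SAMPLE_BLOB):
        print(f"{kind:8} {raw!r} -> {decoded!r}")
```

Run it against the packed and the unpacked file separately: on the UPX-packed image most runs come back 'unknown' because the compressed body is not the plaintext, which is one quick way to confirm that a sample needs unpacking before string analysis.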

Bleeding Snort Sig for mydoom.a

Taken from the current Bleeding Snort rules
http://www.bleedingsnort.com/
Copyright (c) 2005, Bleedingsnort.com
All rights reserved.


alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; sid: 2001273; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; flow: to_server,established; content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset: 0; depth: 35; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; sid: 2001278; rev:8; )
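Added example (not part of the Bleeding Snort rules or of this page): the Python below shows what the first two content matches of sid 2001273 are keyed on. It base64-encodes a constructed, canonical MS-DOS header (the standard stub most Microsoft-linked PE files begin with) and walks the content/distance/within chain over the result with a simplified matcher. The header bytes, the e_lfanew value and the matcher are assumptions of the example, not taken from the sample or from Snort's source.

```python
import base64

# Constructed input, not bytes read from the sample: the canonical 64-byte
# MS-DOS header that the Microsoft linker writes at the start of most PE
# files. e_lfanew is set to 0x80 here as an arbitrary value; only the first
# 28 bytes matter for the two content matches checked below.
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # "MZ", e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xffff
    "b8000000000000004000000000000000"  # e_sp=0xb8, e_lfarlc=0x40
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"  # e_lfanew=0x80 (arbitrary)
)

# The first two contents of sid 2001273 as (pattern, distance, within);
# None means the modifier is absent on that content.
SID_2001273_PREFIX = [
    (b"TVqQAAMAAAAEAAAA", None, None),
    (b"8AALgAAAAAAAAAQ", 2, 20),
]


def match_chain(buf: bytes, chain) -> bool:
    """Simplified Snort content matching with distance/within.

    distance: bytes to skip past the end of the previous match before
    searching again.  within: the next pattern must lie entirely inside
    that many bytes after the skip.  Returns True when every content in
    the chain is found in order.
    """
    doe = 0  # one past the end of the previous match
    for i, (pattern, distance, within) in enumerate(chain):
        start = 0 if i == 0 else doe + (distance or 0)
        end = len(buf) if within is None else start + within
        idx = buf.find(pattern, start, end)
        if idx < 0:
            return False
        doe = idx + len(pattern)
    return True


def decode_content(content: bytes) -> bytes:
    """Decode a base64 rule content that begins on a 4-character boundary."""
    return base64.b64decode(content + b"=" * (-len(content) % 4))


def prefix_matches(pe_bytes: bytes, mime_wrap: bool = True) -> bool:
    """Run the two-content prefix of sid 2001273 over the base64 form of a
    file, optionally wrapped at 76 columns the way a MIME encoder emits it."""
    stream = base64.encodebytes(pe_bytes) if mime_wrap else base64.b64encode(pe_bytes)
    return match_chain(stream, SID_2001273_PREFIX)


if __name__ == "__main__":
    print(decode_content(b"TVqQAAMAAAAEAAAA"))  # the bytes behind content 1: MZ, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc
    print(prefix_matches(DOS_HEADER))            # -> True
    altered = bytearray(DOS_HEADER)
    altered[2] = 0x00                            # non-standard e_cblp changes the first base64 quartet
    print(prefix_matches(bytes(altered)))        # -> False
```

Both of these contents are the base64 of the generic DOS stub (content 1 decodes to MZ plus the standard header words, content 2 continues with e_maxalloc, e_sp and e_lfarlc), so this part of the rule keys on "a PE with the usual stub is going out as a base64 attachment" rather than on anything Mydoom-specific; the later contents, which cover PE header fields, carry the specificity. Two things to keep in mind when reading or adapting such rules: a "." inside a Snort content string is a literal byte, not a wildcard (wildcard matching needs pcre), and the fixed base64 offsets only line up because a MIME body part starts its base64 stream at the first byte of the file.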

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior