2018-12-19 - MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING

ASSOCIATED FILES:

  • 2018-12-17-malspam-0334-UTC.eml   (32,517 bytes)
  • 2018-12-17-malspam-2019-UTC.eml   (30,838 bytes)
  • 2018-12-18-malspam-1922-UTC.eml   (31,456 bytes)
  • 2018-12-19-malspam-1454-UTC.eml   (31,030 bytes)
  • 2018-12-20-malspam-0405-UTC.eml   (31,444 bytes)
  • 2018-12-19-MyDoom-infection-traffic.pcap   (362,046 bytes)
  • 17c7b0ccdf73b05a070443659715c9ae136aeda89f931e05cc80a8a05fbfea85.exe   (22,020 bytes)
  • 2ccf2b595b2c85fc17dafdf7ec3e0133b897ca2eb84da62189af023c2dc8a430.exe   (22,020 bytes)
  • 3335c2a089421bd1c19cff225d04f0c3d1f9192a41cd257ad93e608199b4d849.zip   (22,140 bytes)
  • 442c89956a623c10ea5e525dc85d8f8827c973569640ca266cab0a0f6aba0070.zip   (23,060 bytes)
  • 57b58feb49bd6de828371fc52c0e300a37cc7365720e1f961265f47fa5abeea8.zip   (22,376 bytes)
  • 78acb6f8d713e20f17f4bf6ca20e919845dfa1d8252487aa37958062b4fd146e.zip   (21,966 bytes)
  • 868289da1cf8aba7c2e9c38028accdfd989ef59cde9fc733543dff9fc4ce5826.exe   (22,752 bytes)
  • ab870f7f11ab105d92f2a29e8581992ae506bbc9e19e9c71e873b0c54639d8ad.exe   (22,020 bytes)
  • e3e809cd45c807ac832535a338003248739fa09ff9bcfa12a0acb7b1217e80f6.zip   (22,140 bytes)
  • ee004696baa06ae797449ac5dff683ddd3373d9fe38a2cf69c174fbd873673e8.exe   (21,508 bytes)

NOTES:

 

EMAILS


Shown above:  Screenshot from one of the MyDoom emails.

 

EMAILS:

 

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

MALWARE

FROM 2018-12-17 03:34 EMAIL:

FROM 2018-12-17 20:19 EMAIL:

FROM 2018-12-18 19:22 EMAIL:

FROM 2018-12-19 14:54 EMAIL:

FROM 2018-12-20 04:05 EMAIL:

 

IMAGES


Shown above:  Traffic from an infection filtered in Wireshark first shows attempted TCP connections to various IP addresses over port 1042.

 


Shown above:  Filtering on smtp and ip contains "MAIL FROM:" shows some of the spoofed sender addresses used in the malspam sent from my
infected Windows host.

 


Shown above:  Filtering on smtp and ip contains "Subject:" gives results from which you can follow a TCP stream and
see a full malspam message sent from my infected Windows host.

 


Shown above:  Following one of the TCP streams to view malspam sent from the infected Windows host.
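The Wireshark filters above are the quickest way to triage this pcap by hand. The script below is an added example, not part of the original post, that does the same triage without Wireshark: it walks a classic pcap with only the Python standard library, counts SYNs to TCP/1042 per destination, and pulls the MAIL FROM and Subject lines out of outbound SMTP payloads. The two-host capture it parses is constructed inline (RFC 5737 addresses, zero checksums) so it runs offline; the frame-building helpers exist only to produce that sample and are not needed to read a real capture.

```python
"""Triage a pcap for MyDoom-style activity: SYN attempts to TCP/1042 and the
MAIL FROM / Subject lines of outbound SMTP.  Standard library only."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PCAP_MAGIC_LE = 0xA1B2C3D4


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data,
    IP and TCP checksums left at zero, which this parser never verifies)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic (non-pcapng) pcap, linktype 1 = Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC_LE else ">"
    off = 24                                  # skip the global pcap header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if frame[23] != PROTO_TCP:
            continue
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4             # TCP header length in bytes
        yield src, dst, sport, dport, tcp[13], tcp[doff:]


def triage(pcap):
    """Return (SYN targets on TCP/1042, MAIL FROM values, Subject values)."""
    syn_1042 = Counter()
    mail_from, subjects = [], []
    for src, dst, sport, dport, flags, payload in iter_tcp(pcap):
        # SYN set, ACK clear: a fresh connection attempt, like the Wireshark view
        if dport == 1042 and flags & 0x02 and not flags & 0x10:
            syn_1042[dst] += 1
        # Outbound SMTP from the infected host: mirror the two string filters
        if dport == 25 and payload:
            for line in payload.split(b"\r\n"):
                if line.upper().startswith(b"MAIL FROM:"):
                    mail_from.append(line[10:].strip().decode(errors="replace"))
                elif line.startswith(b"Subject:"):
                    subjects.append(line[8:].strip().decode(errors="replace"))
    return syn_1042, mail_from, subjects


# Constructed sample: two SYNs to port 1042, then one spoofed SMTP session.
SAMPLE_PCAP = build_pcap([
    build_frame("10.12.19.101", "203.0.113.7", 49200, 1042, 0x02),
    build_frame("10.12.19.101", "203.0.113.7", 49201, 1042, 0x02),
    build_frame("10.12.19.101", "198.51.100.25", 49202, 25, 0x18,
                b"MAIL FROM:<spoofed.sender@example.net>\r\n"
                b"RCPT TO:<victim@example.org>\r\n"),
    build_frame("10.12.19.101", "198.51.100.25", 49202, 25, 0x18,
                b"Subject: hello\r\n\r\nbody\r\n"),
])

if __name__ == "__main__":
    syn, senders, subj = triage(SAMPLE_PCAP)
    print("SYNs to TCP/1042 by destination:", dict(syn))
    print("MAIL FROM:", senders)
    print("Subject:", subj)
```

To run it against the real capture, replace SAMPLE_PCAP with open("2018-12-19-MyDoom-infection-traffic.pcap", "rb").read(); the file is a classic pcap, which is all this parser understands. The spoofed sender list is the point: every MAIL FROM comes from the same infected host, so the addresses are harvested or fabricated by the worm and are not a lead back to a real sender.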

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
