
Doomjuice puts squeeze on Microsoft

The LURHQ Threat Intelligence Group has uncovered an Internet worm exploiting MyDoom.A victims. Dubbed Doomjuice or MyDoom.C depending on the vendor, this new worm spreads to systems already infected with MyDoom.A, leveraging the backdoor left in place by that worm. Doomjuice doesn't spread via email or KaZaA as did MyDoom.A. Instead, the worm spreads via port 3127 only.

Mikko Hypponen, Director of Anti-Virus Research at F-Secure, reports that Doomjuice drops the original source code of the MyDoom.A worm, as an archive, into several folders on each infected computer.

"This proves to us that Doomjuice and Mydoom.A are written by the same people", Mikko commented. "The source code of Mydoom.A has not been seen circulating in the underground before."

He also believes the motivation to distribute the source code seems simple. "The authors know the police [are] looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive - without knowing it," continued Hypponen.

According to Joe Stewart, Senior Security Researcher for LURHQ, Doomjuice starts 64 threads, each of which chooses a random class C network and attempts to connect to every host in it. If a connection succeeds, the worm uploads a copy of itself to that host. Once a thread reaches host .254, it picks a new random class C and repeats the process.
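From the defender's side, the scanning behaviour described above has a recognisable shape on the wire: one source touching many hosts of a single class C on TCP 3127. The following is an added example (not code from LURHQ or this article) that flags such sources in a constructed, hypothetical firewall log format; the log layout, addresses and the 20-host threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Hypothetical firewall log format (constructed for this example):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
LINE_RE = re.compile(r"^(\S+)\s+(\d[\d.]+)\s+(\d[\d.]+)\s+(\d+)\s+(\S+)$")


def build_sample_log():
    """Constructed sample: one host sweeping 192.168.1.0/24 on TCP 3127
    (the MyDoom.A backdoor port), plus a little benign traffic."""
    lines = []
    for host in range(1, 31):
        lines.append(f"2004-02-09T10:00:{host:02d} 10.0.0.5 192.168.1.{host} 3127 SYN")
    lines.append("2004-02-09T10:01:00 10.0.0.9 192.168.1.10 80 SYN")
    lines.append("2004-02-09T10:01:01 10.0.0.9 192.168.1.11 3127 SYN")
    return lines


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_sweepers(lines, port=3127, min_hosts=20):
    """Map each source that contacted at least `min_hosts` distinct hosts in
    one /24 on `port` to {"<net>/24": distinct_host_count}.  A legitimate
    client rarely touches many hosts of one subnet on the backdoor port, so
    this is what a Doomjuice class C sweep looks like in network logs."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        net = str(ip_network(f"{rec['dst']}/24", strict=False))
        seen[rec["src"]][net].add(rec["dst"])
    flagged = {}
    for src, nets in seen.items():
        hot = {net: len(hosts) for net, hosts in nets.items() if len(hosts) >= min_hosts}
        if hot:
            flagged[src] = hot
    return flagged


if __name__ == "__main__":
    for src, nets in find_sweepers(build_sample_log()).items():
        print(f"{src} swept {nets}")
```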

Whereas MyDoom.A launched a Denial of Service (DoS) attack against www.sco.com, Doomjuice attempts a DoS attack only against Microsoft.

Additionally, the date/time correlation error that caused MyDoom.A's DoS to fail a certain percentage of the time has been corrected by the author of Doomjuice.

If Doomjuice is launched between February 8th and February 12th, it first sleeps for a random period of time. The worm then spawns 80 threads, all of which send HTTP GET requests to www.microsoft.com. If started on February 12th or later, the Doomjuice DoS is launched immediately. Also unlike MyDoom.A, Doomjuice has no shutoff date: both the DoS and the spread of the worm can continue indefinitely. MyDoom.A, by contrast, was programmed to stop both its spread and its DoS after February 12th.

According to research performed by the LURHQ Threat Intelligence Group, Doomjuice does the following:
  1. Creates a mutex named sync-Z-mtx_133 to ensure only one copy of the worm is running in memory.
  2. Copies itself to the Windows\System directory as intrenat.exe.
  3. Modifies the registry to load on startup by adding the following value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Gremlin" = C:\Windows\System\intrenat.exe

    (where C:\Windows\System is the location of the user's Windows System directory; this can vary by OS version and user preference)

Manual removal
To remove Doomjuice:
  1. Use Windows Task Manager to kill the running intrenat.exe process.
  2. Remove the "Gremlin" value the worm added under the Run registry key.
  3. Reboot the system.

Note: Doomjuice infects only those systems already infected by MyDoom.A. It does not remove nor impact the existing MyDoom.A infection. For further details, see the MyDoom.A description.