The LURHQ Threat Intelligence Group has uncovered an Internet worm that exploits hosts already infected by MyDoom.A. Dubbed Doomjuice or MyDoom.C depending on the vendor, the new worm spreads only to systems running MyDoom.A, entering through the backdoor that worm leaves listening. Doomjuice does not spread via email or KaZaA as MyDoom.A did; it spreads over TCP port 3127 only.
Mikko Hypponen, Director of Anti-Virus Research at F-Secure reports that Doomjuice drops the original source code of the Mydoom.A worm in an archive to several folders of infected computers.
"This proves to us that Doomjuice and Mydoom.A are written by the same people", Mikko commented. "The source code of Mydoom.A has not been seen circulating in the underground before."
He also believes the motivation to distribute the source code seems simple. "The authors know the police [are] looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive - without knowing it," continued Hypponen.
According to Joe Stewart, Senior Security Researcher for LURHQ, Doomjuice starts 64 threads. Each thread picks a random class C network and tries to connect to every host in it on port 3127; where a connection succeeds, the worm uploads a copy of itself through the MyDoom.A backdoor. Once a thread reaches host .254 it picks a new random class C and repeats the process.
Whereas MyDoom.A launched a Denial of Service (DoS) attack against www.sco.com, Doomjuice attacks only www.microsoft.com.
Additionally, the date/time check bug that caused MyDoom.A's DoS to fail a certain percentage of the time has been corrected by the author of Doomjuice.
If Doomjuice is launched between February 8 and February 12, it first sleeps for a random period, then spawns 80 threads that all send HTTP GET requests to www.microsoft.com. If started on February 12 or later, the DoS is launched immediately. Also unlike MyDoom.A, Doomjuice has no shutoff date: both the DoS and the spread can continue indefinitely, whereas MyDoom.A was programmed to stop both after February 12.
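The sweep pattern described above (one source walking .1 to .254 of a class C on port 3127, then moving to another) is easy to pick out of connection logs. The following is an added example, not LURHQ or F-Secure code: it assumes a simple constructed log format of one connection attempt per line ("<timestamp> <src> <dst> <dport>"), and the two thresholds are tuning assumptions rather than values from the analysis.

```python
"""Spot Doomjuice-style sweeps of the MyDoom.A backdoor port in connection logs.

Added example, not LURHQ or F-Secure code. The log format is an assumption:
one connection attempt per line as "<timestamp> <src> <dst> <dport>".
"""
import ipaddress
import re
import socket
from collections import defaultdict

BACKDOOR_PORT = 3127   # port Doomjuice spreads through (the MyDoom.A backdoor)
HOSTS_PER_NET = 16     # assumed tuning: distinct targets in one /24 that make a sweep
NETS_PER_SOURCE = 2    # assumed tuning: swept /24s before a source is reported

LINE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return ts, src, dst, int(port)


def find_sweepers(lines, hosts_per_net=HOSTS_PER_NET, nets_per_source=NETS_PER_SOURCE):
    """Map each suspected source to the sorted list of /24 networks it swept on 3127.

    A source is reported when it touched at least hosts_per_net distinct
    addresses on port 3127 inside at least nets_per_source different /24s,
    which matches the worm's walk from .1 to .254 of one random class C
    before it picks the next.
    """
    per_src = defaultdict(lambda: defaultdict(set))  # src -> /24 -> {dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, port = rec
        if port != BACKDOOR_PORT:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_src[src][net].add(dst)

    hits = {}
    for src, nets in per_src.items():
        swept = sorted(str(n) for n, hosts in nets.items() if len(hosts) >= hosts_per_net)
        if len(swept) >= nets_per_source:
            hits[src] = swept
    return hits


def backdoor_open(host, timeout=1.0):
    """True if host accepts a TCP connection on 3127 (a MyDoom.A backdoor candidate).

    An open port only shows that something is listening; confirm on the host
    before treating it as infected.
    """
    try:
        with socket.create_connection((host, BACKDOOR_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def build_sample_log():
    """Constructed sample: one infected host sweeping two /24s, one benign host."""
    lines = []
    for i, net in enumerate(("192.168.7", "172.16.3")):
        for last in range(1, 255):  # the worm stops at .254 and picks a new class C
            lines.append(f"2004-02-09T10:{i:02d}:{last % 60:02d} 10.0.0.5 {net}.{last} 3127")
    # Benign traffic: web browsing plus a single stray connection to 3127.
    for last in range(10, 20):
        lines.append(f"2004-02-09T10:05:00 10.0.0.9 192.168.7.{last} 80")
    lines.append("2004-02-09T10:05:01 10.0.0.9 192.168.7.20 3127")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for src, nets in find_sweepers(build_sample_log()).items():
        print(f"{src} swept port {BACKDOOR_PORT} across {', '.join(nets)}")
```

Because Doomjuice only ever talks to port 3127, a single source hitting many distinct addresses on that port is the signal; the benign host above, which touches 3127 once, is not reported. Hosts that the sweeper reached successfully are themselves MyDoom.A victims, so the flagged source's target list doubles as a list of machines to check for the backdoor.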
According to research performed by the LURHQ Threat Intelligence Group, Doomjuice does the following:
- Creates a mutex named sync-Z-mtx_133 to ensure only one copy of the worm is running in memory.
- Copies itself to the Windows\System directory as intrenat.exe.
- Modifies the registry to load on startup as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Gremlin" = C:\Windows\System\intrenat.exe
(where C:\Windows\System is the Windows System directory; the path varies by Windows version and installation)
Manual removal
To remove Doomjuice:
- Use Windows Task Manager to kill the running intrenat.exe process
- Remove the "Gremlin" value the worm added to the Run key listed above
- Delete intrenat.exe from the Windows System directory
- Reboot the system
Note: Doomjuice infects only those systems already infected by MyDoom.A. It neither removes nor affects the existing MyDoom.A infection, so the backdoor on port 3127 stays open and the host can be reinfected until MyDoom.A is removed as well. For further details, see the MyDoom.A description.