Also Known As: W32/Doomjuice.worm.a [McAfee], WORM_DOOMJUICE.A [Trend], Win32.Doomjuice.A [Computer Associates], Worm.Win32.Doomjuice [Kaspersky], W32/Doomjuice-A [Sophos]
Type: Worm
Infection Length: 36,864 bytes
Systems Affected:
Win 95/98/Me/NT/2000/XP/ Windows Server 2003
Authors of Mydoom worm launched yet another attack
New worm tries to lose the evidence
A new network worm known as Doomjuice has been found. This worm is closely
associated with the previous Mydoom worms. It infects Windows machines which
are already infected by Mydoom.A. On such machines the worm will infect the
computer totally automatically - the owner of the computer can be sleeping
and still get Doomjuice to his computer. Doomjuice does not spread over email
at all.
Doomjuice has launched a world-wide denial-of-service attack against
www.microsoft.com - one of the largest websites in the world. Currently
www.microsoft.com seems to be operational, but a disruption in service has
been noted earlier during Monday the 9th of February.
Doomjuice spreads between computers that are already infected with the
Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines
with the backdoor open, Doomjuice scans random internet addresses. When it
finds a machine that is infected by Mydoom.A, it sends itself over infecting
it with Doomjuice too.
Doomjuice drops the original source code of the Mydoom.A worm in an archive
to several folders of infected computers. "This proves to us that Doomjuice
and Mydoom.A are written by the same people", comments Mikko Hypponen,
Director of Anti-Virus Research at F-Secure. "The source code of Mydoom.A has
not been seen circulating in the underground before."
The motivation to distribute source seems to be simple. "The authors know the
police is looking for them. And the best evidence against them would be the
possession of the original source code of the virus. Before the Doomjuice
incident, only the authors of Mydoom.A had the original source code. Now
probably tens of thousands of people have it on their hard drive - without
knowing it", says Hypponen.
The worm has been programmed to start a distributed denial-of-service attack
against www.microsoft.com after the 8th of February, which is when the worm
was probably distributed. The attacks will continue forever and will try to
overload the website by repeatedly reloading the front page.
Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/doomjuice.shtml
___________________________________________
From: TREND
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A>
Description:
TrendLabs has received several infection reports of this network worm.
This worm scans for open port 3127 on randomly generated IP addresses.
It propagates across systems that are already infected by
WORM_MYDOOM.A and WORM_MYDOOM.B.
On system dates between February 9 and 12, this malware creates a denial of service (DoS) attack thread.
It sleeps for a period of time before performing a DoS attack against the following Web site:
microsoft.com
On system dates above February 13, it continually creates DoS threads with no delay.
This malware runs on Windows 95, 98, ME, NT, 2000 and XP.
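Both the F-Secure text above ("scans random internet addresses" for the Mydoom.A backdoor) and the Trend description ("scans for open port 3127 on randomly generated IP addresses") describe the same propagation pattern, and it is easy to spot in perimeter logs: one internal host opening TCP/3127 to many distinct destinations. The following is an added detection example, not code from the page or from any of the vendors quoted; the log line format, the sample lines and the threshold of five distinct destinations are constructed assumptions.

```python
import re
from collections import defaultdict

# TCP port on which the Mydoom.A backdoor listens and which Doomjuice scans for.
MYDOOM_BACKDOOR_PORT = 3127

# Constructed sample firewall/flow log (not taken from the page). Assumed format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <flag>
SAMPLE_LOG = """\
2004-02-09T10:01:02 10.0.0.5 -> 198.51.100.7:3127 TCP SYN
2004-02-09T10:01:02 10.0.0.5 -> 203.0.113.44:3127 TCP SYN
2004-02-09T10:01:03 10.0.0.5 -> 192.0.2.18:3127 TCP SYN
2004-02-09T10:01:03 10.0.0.5 -> 198.51.100.7:3127 TCP SYN
2004-02-09T10:01:04 10.0.0.5 -> 203.0.113.9:3127 TCP SYN
2004-02-09T10:01:04 10.0.0.5 -> 192.0.2.200:3127 TCP SYN
2004-02-09T10:01:05 10.0.0.5 -> 198.51.100.250:3127 TCP SYN
2004-02-09T10:01:05 10.0.0.9 -> 192.0.2.1:80 TCP SYN
2004-02-09T10:01:06 10.0.0.9 -> 198.51.100.7:3127 TCP SYN
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\S+)\s+(?P<flag>\S+)$"
)


def parse_log(text):
    """Yield (src, dst, port) for each well-formed TCP line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("proto") == "TCP":
            yield m.group("src"), m.group("dst"), int(m.group("port"))


def find_scanners(text, port=MYDOOM_BACKDOOR_PORT, threshold=5):
    """Return {src_ip: distinct_destination_count} for sources that contacted
    `port` on at least `threshold` distinct destinations (repeat hits to the
    same destination are counted once)."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def backdoor_candidates(text, port=MYDOOM_BACKDOOR_PORT, threshold=5):
    """Destinations that a flagged scanner contacted on `port`. A Doomjuice hop
    only succeeds where the Mydoom.A backdoor is open, so each of these hosts
    is worth checking for that earlier infection."""
    scanners = find_scanners(text, port, threshold)
    return sorted({dst for src, dst, dport in parse_log(text)
                   if src in scanners and dport == port})


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted TCP/{MYDOOM_BACKDOOR_PORT} on {n} distinct hosts")
    print("hosts to check for the backdoor:", backdoor_candidates(SAMPLE_LOG))
```

In the sample, 10.0.0.5 is flagged (six distinct destinations on TCP/3127) while 10.0.0.9, which touched one such destination, is not; lowering the threshold trades fewer missed scanners for more noise from ordinary one-off connections.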
Identifying the Malware Program
To remove this malware, first identify the malware program.
1/ Scan your system with your Trend Micro antivirus product.
2/ NOTE all files detected as WORM_DOOMJUICE.A.
Terminating the Malware Program
This procedure terminates the running malware process from memory.
You will need the name(s) of the file(s) detected earlier.
1/ Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
2/ In the list of running programs, locate the malware file or files detected earlier.
3/ Select the malware process, then press either the End Task or
the End Process button, depending on the version of Windows on your system.
4/ Do the same for all detected malware files in the list of running processes.
5/ To check if the malware process has been terminated,
close Task Manager, and then open it again.
6/ Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Task Manager may not
show certain processes. You may use a third party process viewer to
terminate the malware process. Otherwise, continue with the next
procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1/ Open Registry Editor.
To do this, click Start>Run, type Regedit, then press Enter.
2/ In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3/ In the right panel, locate and delete the entry:
Gremlin = "C:\<%System%>intrenat.exe"
Note: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98 and ME,
C:\WINNT\System32 on Windows NT and 2000, and
C:\Windows\System32 on Windows XP.
4/ Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory
as described in the previous procedure, restart your system.
_______________________________________________
Microsoft;
http://www.microsoft.com/security/antivirus/mydoom.asp
Microsoft Remover Overview
This tool will
help to remove the Mydoom.A, Mydoom.B, Doomjuice.A (aka "MyDoom.C"), and
Doomjuice.B worms from infected systems. Once the tool has run—after the
End-User License Agreement (EULA) is accepted—it automatically checks for
infection and removes any of the targeted worms that are found. If a machine is
infected with the Mydoom.B worm, the tool will also provide the user with the
default version of the hosts file and set the "read-only" attribute for that
file. This action will allow the user to visit previously-blocked Microsoft and
antivirus websites.
http://www.microsoft.com/downloads/details.aspx?FamilyID=c14bfbe4-3d50-464d-a26c-9c287f8a08c5&displaylang=en
Panda;
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=44510
Sophos;
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html
Symantec;
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
Trend;
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A
Doomjuice B info:
http://www.viruslist.com/eng/viruslist.html?id=850737
I-Worm.Mydoom.b
Mydoom.b is a modification of Mydoom.a
that spreads via the Internet in the form of files attached to infected messages
and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file
of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is
approximately 49KB in size.
The worm is activated only if the user opens the archive and launches the
infected file by double-clicking on the attachment. The worm then installs
itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out
DoS attacks on the sites www.sco.com and www.microsoft.com.
Part of the body of the worm is encrypted.
The unpacked file contains the following text:
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of
symbols:
During installation, the worm copies itself under the name explorer.exe to
the Windows system directory, and registers this file in the system registry
auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\explorer.exe"
The worm creates the file
ctfmon.dll in the Windows system directory
which is a backdoor component (a proxy server) and also registers this in the
system registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment" = "%SysDir%\ctfmon.dll"
Ctfmon.dll will therefore launch as a procedure linked to Explorer.exe.
The worm also creates a file called Body in the temporary directory
(usually in %windir%\temp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several
additional keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
While running it also creates a unique identifier sync-v1.01__ipcmtx0.
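The Trend removal procedure above (the "Gremlin" value pointing at intrenat.exe) and the Kaspersky installation notes (the "TaskMon" value pointing at %System%\explorer.exe) both come down to reviewing the Run keys. Rather than clicking through Regedit on each machine, an exported key can be checked offline; the following is an added example, not code from the page or from any vendor, that parses the text format `reg export` writes and flags the entries these write-ups describe. The sample export is constructed, and the "explorer.exe under %System%" rule is a heuristic based on the fact that the real explorer.exe lives in the Windows directory, not the system directory.

```python
import re
from pathlib import PureWindowsPath

# Value names and file names the write-ups above attribute to the worms:
# Doomjuice.A: "Gremlin" -> intrenat.exe;  Mydoom.B: "TaskMon" -> %System%\explorer.exe
KNOWN_VALUE_NAMES = {"gremlin", "taskmon"}
KNOWN_FILE_NAMES = {"intrenat.exe"}

# Both HKLM and HKCU Run keys end with this path.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed .reg export (not from the page) in the format `reg export` writes;
# backslashes inside string data are doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Gremlin"="C:\\WINNT\\System32\\intrenat.exe"
"TaskMon"="C:\\WINNT\\System32\\explorer.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINNT\\System32\\explorer.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            # Undo the .reg escaping of backslashes and quotes.
            data = vm.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield key, vm.group(1), data


def suspicious_autostarts(text):
    """Return (key, name, path, reason) for Run-key entries matching the
    indicators in the write-ups; anything else is left alone for human review."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        p = PureWindowsPath(data)
        exe = p.name.lower()
        # %System% is ...\System (Win 9x/ME) or ...\System32 (NT/2000/XP).
        in_system_dir = p.parent.name.lower() in {"system", "system32"}
        if name.lower() in KNOWN_VALUE_NAMES:
            findings.append((key, name, data, "value name used by Doomjuice.A / Mydoom.B"))
        elif exe in KNOWN_FILE_NAMES:
            findings.append((key, name, data, "file name dropped by Doomjuice.A"))
        elif exe == "explorer.exe" and in_system_dir:
            # Heuristic: the genuine explorer.exe is in %windir%, not %System%.
            findings.append((key, name, data, "explorer.exe located under %System%"))
    return findings


if __name__ == "__main__":
    for key, name, path, reason in suspicious_autostarts(SAMPLE_REG):
        print(f"[{key}] {name} = {path}  <- {reason}")
```

On a live system the export is produced with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and again for HKCU); note that `reg export` writes UTF-16, so decode the file before passing its text to `suspicious_autostarts`. A hit on "TaskMon" alone is not proof of Mydoom.B, which is why each finding carries the path and the reason it matched.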
Mydoom.b replaces the standard 'hosts' file in the Windows directory with its
own version (under the same name). This file will now prevent user access to
the following domains:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com
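The list above is the reason the Microsoft remover described earlier restores a default hosts file and marks it read-only: a Mydoom.B host cannot reach its antivirus vendor or Windows Update until those entries are gone. The following is an added example, not code from the page or from Microsoft, that finds and strips such entries from a hosts file. The sample hosts contents are constructed, the domain subset is taken from the list above (subdomains of any listed entry also match), and mapping the domains to 0.0.0.0 is an assumption made for the sample, since the write-up says only that access is prevented.

```python
# Subset of the domains the write-up says Mydoom.B's hosts file blocks.
# Subdomains of any entry (e.g. us.mcafee.com under mcafee.com) also match.
BLOCKED_BY_MYDOOM_B = {
    "windowsupdate.microsoft.com", "download.microsoft.com", "support.microsoft.com",
    "liveupdate.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "download.mcafee.com", "mcafee.com", "nai.com",
    "f-secure.com", "sophos.com", "www.trendmicro.com",
    "www.kaspersky.ru", "avp.com", "ca.com",
}

# Constructed hosts file contents (not from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com  # assumed block entry
0.0.0.0         us.mcafee.com
192.0.2.10      intranet.example         # legitimate local entry, keep
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.
    One line may map several names to the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(hostname, watched=BLOCKED_BY_MYDOOM_B):
    """True if hostname is a listed domain or a subdomain of one."""
    h = hostname.lower()
    return h in watched or any(h.endswith("." + w) for w in watched)


def hijacked_entries(text, watched=BLOCKED_BY_MYDOOM_B):
    """Return the (ip, hostname) pairs that override a watched domain.
    Any static mapping for these names is suspect, whatever the address."""
    return [(ip, h) for ip, h in parse_hosts(text) if is_watched(h, watched)]


def clean_hosts(text, watched=BLOCKED_BY_MYDOOM_B):
    """Return the hosts text with lines that map a watched domain removed;
    comments and unrelated entries are kept verbatim."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and any(is_watched(n, watched) for n in fields[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, host in hijacked_entries(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

After writing the cleaned text back to %windir%\system32\drivers\etc\hosts (or %windir%\hosts on Windows 9x/ME), set the read-only attribute as the Microsoft tool does, and confirm the machine can reach its update site again. If vendor-update domains resolve through a proxy rather than the hosts file, the same check belongs on the proxy's block list instead.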
Mailing letters
Emails are sent in the same way that
Mydoom.a
uses except for the following changes.
The body text is chosen at random from the following:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received
The message contains Unicode characters and
has been sent asa binary attachment.
The message contains MIME-encoded graphics and
has been sent as a binary attachment
Mail transaction failed. Partial message is available.
Mydoom.b might also send emails with random strings of characters in the
subject, body and attachment name.
Propagation via P2P
The worm checks for the presence of a Kazaa client on the computer and copies
itself to the file-sharing directory under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with the following extensions:
bat
exe
scr
pif
More information about W32/Doomjuice-B can be found at:
Sophos;
http://www.sophos.com/virusinfo/analyses/w32doomjuiceb.html
Panda;
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=44548&sind=0
Updated - 02/13/04