Mikes Virus Info DOOMJUICE


My Doom Information


Doomjuice

Also Known As:  W32/Doomjuice.worm.a [McAfee], WORM_DOOMJUICE.A [Trend], Win32.Doomjuice.A [Computer Associates], Worm.Win32.Doomjuice [Kaspersky], W32/Doomjuice-A [Sophos]
 
Type:  Worm
Infection Length:  36,864 bytes
 
Systems Affected:
Win 95/98/Me/NT/2000/XP/ Windows Server 2003

Authors of the Mydoom worm launch yet another attack
New worm tries to lose the evidence

A new network worm known as Doomjuice has been found. This worm is closely
associated with the previous Mydoom worms. It infects Windows machines which
are already infected by Mydoom.A. On such machines the worm infects the
computer fully automatically - the owner of the computer can be sleeping
and still get Doomjuice on his computer. Doomjuice does not spread over email
at all.

Doomjuice has launched a world-wide denial-of-service attack against
www.microsoft.com - one of the largest websites in the world. Currently
www.microsoft.com seems to be operational, but a disruption in service has
been noted earlier during Monday the 9th of February.

Doomjuice spreads between computers that are already infected with the
Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines
with the backdoor open, Doomjuice scans random internet addresses. When it
finds a machine that is infected by Mydoom.A, it sends itself over, infecting
that machine with Doomjuice too.

Doomjuice drops the original source code of the Mydoom.A worm in an archive
to several folders of infected computers. "This proves to us that Doomjuice
and Mydoom.A are written by the same people", comments Mikko Hypponen,
Director of Anti-Virus Research at F-Secure. "The source code of Mydoom.A has
not been seen circulating in the underground before."

The motivation to distribute the source seems to be simple. "The authors know the
police are looking for them. And the best evidence against them would be the
possession of the original source code of the virus. Before the Doomjuice
incident, only the authors of Mydoom.A had the original source code. Now
probably tens of thousands of people have it on their hard drive - without
knowing it", says Hypponen.

The worm has been programmed to start a distributed denial-of-service attack
against www.microsoft.com after the 8th of February, which is when the worm
was probably distributed. The attacks will continue forever and will try to
overload the website by repeatedly reloading the front page.

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/doomjuice.shtml
___________________________________________

From: Trend
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A
Description:

TrendLabs has received several infection reports of this network worm.

This worm scans for open port 3127 on randomly generated IP addresses.
It propagates across systems that are already infected by
WORM_MYDOOM.A and WORM_MYDOOM.B.

On system dates between February 9 and 12, this malware creates a denial of service (DoS) attack thread.
It sleeps for a period of time before performing a DoS attack against the following Web site:

microsoft.com
On system dates above February 13, it continually creates DoS threads with no delay.

This malware runs on Windows 95, 98, ME, NT, 2000 and XP.
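Added example (my own code, not part of the Trend or F-Secure descriptions): the scanning behaviour described above leaves a recognisable trace in firewall or flow logs, namely one source reaching out to many random addresses on 3127/tcp. The log format, the 10.0.0.0/24 internal range and the threshold of 5 targets are assumptions; the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

MYDOOM_BACKDOOR_PORT = 3127  # port Doomjuice probes on random addresses (Trend text above)
SCAN_THRESHOLD = 5           # assumption: distinct targets before a source is flagged
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: the monitored internal range

# Constructed sample firewall log, one "<time> <src> <dst> <dst_port> <proto>" per line
SAMPLE_LOG = """\
2004-02-09T10:00:01 10.0.0.5 198.51.100.10 3127 tcp
2004-02-09T10:00:01 10.0.0.5 203.0.113.77 3127 tcp
2004-02-09T10:00:02 10.0.0.5 192.0.2.44 3127 tcp
2004-02-09T10:00:02 10.0.0.5 198.51.100.203 3127 tcp
2004-02-09T10:00:03 10.0.0.5 203.0.113.9 3127 tcp
2004-02-09T10:00:03 10.0.0.5 192.0.2.150 3127 tcp
2004-02-09T10:00:04 10.0.0.7 192.0.2.8 80 tcp
2004-02-09T10:00:05 10.0.0.7 192.0.2.8 3127 tcp
2004-02-09T10:00:06 203.0.113.200 10.0.0.9 3127 tcp
"""

def parse_log(text):
    """Parse lines into (time, src, dst, port, proto) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        time, src, dst, port, proto = parts
        records.append((time, src, dst, int(port), proto.lower()))
    return records

def find_doomjuice_scanners(records, threshold=SCAN_THRESHOLD):
    """{src: distinct_targets} for sources that probed >= threshold hosts on 3127/tcp,
    the random-address scanning pattern described above."""
    targets = defaultdict(set)
    for _, src, dst, port, proto in records:
        if proto == "tcp" and port == MYDOOM_BACKDOOR_PORT:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def find_probed_internal_hosts(records, local_net=LOCAL_NET):
    """Internal hosts that outside sources tried to reach on 3127/tcp; these should be
    checked for a listening Mydoom.A backdoor (the log shows attempts, not open ports)."""
    hosts = set()
    for _, src, dst, port, proto in records:
        if proto != "tcp" or port != MYDOOM_BACKDOOR_PORT:
            continue
        if ipaddress.ip_address(dst) in local_net and ipaddress.ip_address(src) not in local_net:
            hosts.add(dst)
    return sorted(hosts)
```

On the sample log, 10.0.0.5 is flagged as a scanner (six distinct targets) and 10.0.0.9 is reported as an internal host that was probed from outside.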


Identifying the Malware Program

To remove this malware, first identify the malware program.

1/ Scan your system with your Trend Micro antivirus product.
2/ NOTE all files detected as WORM_DOOMJUICE.A.
 
Terminating the Malware Program

This procedure terminates the running malware process from memory.
You will need the name(s) of the file(s) detected earlier.

1/ Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2/ In the list of running programs, locate the malware file or files detected earlier.
3/ Select the malware process, then press either the End Task or the End Process button,
   depending on the version of Windows on your system.
4/ Do the same for all detected malware files in the list of running processes.
5/ To check if the malware process has been terminated, close Task Manager, and then open it again.
6/ Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not
show certain processes. You may use a third party process viewer to
terminate the malware process. Otherwise, continue with the next
procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1/ Open Registry Editor.
   To do this, click Start>Run, type Regedit, then press Enter.
2/ In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3/ In the right panel, locate and delete the entry:
   Gremlin = "%System%\intrenat.exe"
   Note: %System% is the Windows system folder, which is usually
   C:\Windows\System on Windows 95, 98 and ME,
   C:\WINNT\System32 on Windows NT and 2000, and
   C:\Windows\System32 on Windows XP.
4/ Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory
as described in the previous procedure, restart your system.
_______________________________________________
Microsoft:
http://www.microsoft.com/security/antivirus/mydoom.asp

Microsoft Remover Overview

This tool will help to remove the Mydoom.A, Mydoom.B, Doomjuice.A (aka "MyDoom.C"), and Doomjuice.B worms from infected systems. Once the tool has run—after the End-User License Agreement (EULA) is accepted—it automatically checks for infection and removes any of the targeted worms that are found. If a machine is infected with the Mydoom.B worm, the tool will also provide the user with the default version of the hosts file and set the "read-only" attribute for that file. This action will allow the user to visit previously-blocked Microsoft and antivirus websites.
http://www.microsoft.com/downloads/details.aspx?FamilyID=c14bfbe4-3d50-464d-a26c-9c287f8a08c5&displaylang=en

Panda:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=44510

Sophos:
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html

Trend:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A



 

Doomjuice B info:
http://www.viruslist.com/eng/viruslist.html?id=850737

I-Worm.Mydoom.b

 

Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.

The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.

The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.

Part of the body of the worm is encrypted.

The unpacked file contains the following text:

(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

Installation

Following launch, the worm opens Windows Notepad, showing a random selection of symbols.

During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "TaskMon" = "%System%\explorer.exe"

The worm creates the file ctfmon.dll in the Windows system directory, which is a backdoor component (a proxy server), and also registers this in the system registry:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
  "Apartment" = "%SysDir%\ctfmon.dll"

Ctfmon.dll will therefore be loaded as an in-process component linked to Explorer.exe.

The worm also creates a file called Body in the temporary directory (usually in %windir%\temp). This file contains a random selection of symbols.

So that the worm can identify itself in the system, it creates several additional keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
While running it also creates a unique identifier sync-v1.01__ipcmtx0.
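Added example (my own code, not from Kaspersky, Trend or this page): a small triage check that reads a regedit export and looks for the registry indicators given above for Doomjuice (the Gremlin Run value pointing at intrenat.exe) and Mydoom.b (the TaskMon Run value, the hijacked CLSID pointing at ctfmon.dll, and the ComDlg32\Version marker keys). The .reg excerpt is constructed, and the file paths in it are sample values.

```python
# Indicators taken from the descriptions above: Run values "Gremlin" -> intrenat.exe
# (Doomjuice) and "TaskMon" -> explorer.exe (Mydoom.b), the hijacked CLSID pointing
# at ctfmon.dll, and the ComDlg32\Version marker keys.
RUN_VALUE_INDICATORS = {("gremlin", "intrenat.exe"): "Doomjuice",
                        ("taskmon", "explorer.exe"): "Mydoom.b"}
MYDOOM_B_CLSID = "{e6fb5e20-de35-11cf-9c87-00aa005127ed}"

# Constructed excerpt of a regedit export from an infected machine (paths are samples)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINNT\\System32\\explorer.exe"
"Gremlin"="C:\\WINNT\\System32\\intrenat.exe"
"Example Tray"="C:\\Program Files\\Example\\tray.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINNT\\System32\\ctfmon.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return [(malware, key_path, value_name, data)] for each indicator present."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if p.endswith("\\currentversion\\run"):
            for name, data in values.items():
                exe = data.lower().rsplit("\\", 1)[-1]
                hit = RUN_VALUE_INDICATORS.get((name.lower(), exe))
                if hit:
                    findings.append((hit, path, name, data))
        elif MYDOOM_B_CLSID in p and p.endswith("\\inprocserver32"):
            for name, data in values.items():
                if data.lower().endswith("ctfmon.dll"):
                    findings.append(("Mydoom.b proxy", path, name, data))
        elif p.endswith("\\explorer\\comdlg32\\version"):
            findings.append(("Mydoom.b marker", path, "", ""))
    return findings
```

The CLSID itself belongs to a legitimate shell component, so only an InProcServer32 value that points at ctfmon.dll is reported, not the key's mere presence.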

Mydoom.b replaces the standard file 'hosts' in the Windows directory with its own version (under the same name). This file will now prevent user access to the following domains:

 
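Added example (my own code, not Kaspersky's or Microsoft's): a checker for the hosts-file tampering described above, which flags any mapping that overrides name resolution for an antivirus or Microsoft update domain and can emit a cleaned copy. The list of protected domain suffixes is an assumption drawn from the vendor sites this page links to (the real Mydoom.b list is longer), and the sample hosts file is constructed.

```python
# Vendor and update domains a legitimate hosts file never needs to pin (assumption:
# drawn from the vendor sites linked on this page; the full Mydoom.b list is longer)
PROTECTED_SUFFIXES = ("microsoft.com", "f-secure.com", "sophos.com", "symantec.com",
                      "trendmicro.com", "mcafee.com", "kaspersky.ru", "pandasoftware.com")

# Constructed sample of a tampered hosts file
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.f-secure.com
0.0.0.0 windowsupdate.microsoft.com download.microsoft.com
0.0.0.0 www.sophos.com
10.0.0.20 intranet.corp.example   # legitimate internal pin
"""

def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every mapping, ignoring comments and blanks."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            entries.append((no, fields[0], host.lower()))
    return entries

def is_protected(host):
    """True if host is one of the protected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def find_hijacked(text):
    """Hosts-file mappings that override name resolution for a protected domain."""
    return [e for e in parse_hosts(text) if is_protected(e[2])]

def clean_hosts(text):
    """Return the hosts text with every line carrying a hijacked mapping removed,
    a narrower fix than replacing the whole file with the default as the Microsoft tool does."""
    bad_lines = {no for no, _, _ in find_hijacked(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad_lines]
    return "\n".join(kept) + "\n"
```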

Mailing letters

Emails are sent in the same way as by Mydoom.a, except for the following changes.

The body text is chosen at random from the following:

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.
Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.

Propagation via P2P

The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with the following extensions:
bat
exe
scr
pif

More information about W32/Doomjuice-B can be found at:
Sophos:
http://www.sophos.com/virusinfo/analyses/w32doomjuiceb.html

Panda:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=44548&sind=0




Updated - 02/13/04