| Name | Win32.DoomJuice |
| Threat Level |  |
| Alias | MyDoom.c, W32.HLLW.Doomjuice, W32/Doomjuice.worm.a, WORM_DOOMJUICE.A, Win32.Doomjuice.A, Worm.Win32.Doomjuice, W32/Doomjuice-A |
| Date | 10 February, 2004 |
| Type | Win32, Worm |
| Damage | Create files, Remote control, Other |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |
| Analysis |
Win32.DoomJuice is a worm that spreads ONLY to systems already infected with Win32.MyDoom.a or Win32.MyDoom.b. It scans for hosts on which the MyDoom backdoor is listening and, once it locates one, sends a copy of itself over TCP port 3127. The MyDoom worm already present on the target launches the arriving file, adding the Win32.DoomJuice infection to the system. Once running, Win32.DoomJuice launches a DoS attack against Microsoft's website.
Microsoft has released a utility that cleans systems infected by all current versions of the MyDoom worm. The cleaner and additional information are available here.
Malicious activity
When the worm is received by a system infected with the MyDoom vandal, it is executed automatically and does the following:
1. Drops a copy of itself in the default System folder as intrenat.exe.
2. Modifies the registry so that it runs on every startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Gremlin" = "<sysdir>\intrenat.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Gremlin" = "<sysdir>\intrenat.exe"
Note: <sysdir> refers to the default location of the System folder.
3. The worm then uses the same port it arrived through (TCP port 3127): it listens for remote commands and, when commands are received, sends a copy of itself to the system that contacted it.
4. Finally, the worm launches a DoS (Denial of Service) attack against www.microsoft.com.
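The indicators above (the "Gremlin" Run-key value pointing at intrenat.exe, and traffic to TCP port 3127) are enough to hunt for both DoomJuice and the MyDoom backdoors it preys on. The following is an added example, not code from the eSafe advisory: it checks a .reg-style registry export for the persistence entry, then reads perimeter firewall log lines to find hosts scanning many destinations on port 3127 (DoomJuice looking for victims) and destinations that accepted such a connection (hosts whose MyDoom backdoor is open and that need the MyDoom cleaner). The log line format, host addresses and registry export are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the advisory text.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
RUN_VALUE_NAME = "Gremlin"
DROPPED_FILE = "intrenat.exe"
BACKDOOR_PORT = 3127  # MyDoom backdoor port used by DoomJuice to propagate

# Constructed registry export (regedit /e style; backslashes are doubled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Gremlin"="C:\\WINDOWS\\System32\\intrenat.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gremlin"="C:\\WINDOWS\\System32\\intrenat.exe"
'''

# Constructed firewall log: "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
SAMPLE_FW_LOG = """\
2004-02-10 09:14:01 DROP TCP 10.0.0.5:1041 -> 192.0.2.10:3127
2004-02-10 09:14:01 DROP TCP 10.0.0.5:1042 -> 192.0.2.11:3127
2004-02-10 09:14:02 ALLOW TCP 10.0.0.5:1043 -> 192.0.2.12:3127
2004-02-10 09:14:02 DROP TCP 10.0.0.5:1044 -> 192.0.2.13:3127
2004-02-10 09:14:03 ALLOW TCP 10.0.0.9:2201 -> 192.0.2.20:443
2004-02-10 09:14:04 ALLOW TCP 10.0.0.9:2202 -> 192.0.2.12:3127
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def check_reg_export(reg_text):
    """Return (key, value name, data) for Run-key entries matching the
    DoomJuice persistence indicator, reading a .reg export as text."""
    hits = []
    current_key = None
    wanted = {k.upper() for k in RUN_KEYS}
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not val_match or current_key is None:
            continue
        if current_key.upper() not in wanted:
            continue  # only the two Run keys named in the advisory
        name, data = val_match.groups()
        data = data.replace("\\\\", "\\")  # undo .reg backslash escaping
        if name == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            hits.append((current_key, name, data))
    return hits


def _port_3127_events(log_lines):
    """Yield (action, src, dst) for every log line targeting TCP 3127."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            yield m.group("action"), m.group("src"), m.group("dst")


def find_3127_scanners(log_lines, min_targets=3):
    """Sources that probed at least min_targets distinct hosts on 3127:
    the propagation pattern of a DoomJuice-infected machine."""
    targets = defaultdict(set)
    for _action, src, dst in _port_3127_events(log_lines):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def find_open_backdoors(log_lines):
    """Destinations that accepted a 3127 connection: hosts whose MyDoom
    backdoor is reachable and which should get the MyDoom cleaner."""
    return sorted({dst for action, _src, dst in _port_3127_events(log_lines)
                   if action.upper() == "ALLOW"})


if __name__ == "__main__":
    for hit in check_reg_export(SAMPLE_REG):
        print("persistence:", hit)
    lines = SAMPLE_FW_LOG.splitlines()
    print("scanners:", find_3127_scanners(lines))
    print("open backdoors:", find_open_backdoors(lines))
```

On a live Windows host the same two Run keys can be read with `reg export` and fed to `check_reg_export`; the scanner threshold is deliberately low because a DoomJuice host sweeps addresses continuously, so three distinct 3127 targets from one source in a short window is already a strong signal.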
eSafe Users
eSafe users are protected against this vandal by the latest vandal/virus update.
A new vandal/virus update is available.
Update date: February 10, 2004
Update version: EV115-SV290
eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial versions is available from here.
|