Author of Mydoom produces a new worm threatening Microsoft
10 Feb 2004
Kaspersky Lab has detected Doomjuice, a potentially dangerous new Internet worm. Doomjuice was first detected on 9th February; it has already infected more than 100,000 computers across the world and is continuing to spread rapidly. According to Kaspersky Lab analysts, Doomjuice was written by the same person as Mydoom, possibly the most destructive virus ever, to cover the virus writer's tracks. Furthermore, this new Internet worm uses computers infected by Mydoom.a to organize a DDoS attack on the Microsoft website.
The propagation method used by Doomjuice explains the rapid spread of the worm. It uses computers already infected by Mydoom.a and Mydoom.b to spread via the Internet. The worm penetrates computers via TCP port 3127, opened by the Trojan component of Mydoom in order to receive remote commands. If the infected computer answers the request sent by the worm, Doomjuice connects and sends a copy of itself to the victim machine. The Trojan installed by Mydoom then executes the file.
Once launched, the worm copies itself to the Windows system directory under the name Intrenat.exe and registers this file in the system registry auto-run key. This ensures that the malicious program is launched every time the computer is restarted. Doomjuice then executes its prime function: it extracts a file named 'sync-src-1.00.tbz' and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings. This file is a TAR archive which contains the complete source code of Mydoom.a. The goal seems to be to spread Mydoom even further, thus making it increasingly difficult to identify the original author.
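As an added example (not code from Kaspersky Lab or the original article), the function below checks a host snapshot for the indicators described above: the Intrenat.exe copy in the Windows system directory, the auto-run entry pointing at it, the dropped sync-src-1.00.tbz archive in the listed locations, and a listener on TCP port 3127 through which Doomjuice arrives. The Windows directory paths and the registry value name are assumptions; the article does not give them.

```python
import re

# Indicators named in the article. Directory locations are assumed Windows
# defaults; the article only says "Windows directory" / "Windows system directory".
WORM_FILE = "intrenat.exe"
SOURCE_ARCHIVE = "sync-src-1.00.tbz"
MYDOOM_BACKDOOR_PORT = 3127
ROOT_DIR = "c:"                      # what rpartition("\\") leaves for C:\file
WINDOWS_DIR = r"c:\windows"
SYSTEM_DIR = r"c:\windows\system32"
ARCHIVE_DROP_DIRS = {ROOT_DIR, WINDOWS_DIR, SYSTEM_DIR}
# Per-user drop location: C:\Documents and Settings\<user>\sync-src-1.00.tbz
USER_ARCHIVE_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\" + re.escape(SOURCE_ARCHIVE) + "$")


def triage(file_paths, run_values, listening_ports):
    """Return the sorted list of Doomjuice/Mydoom indicators found in a host snapshot.
    file_paths: absolute Windows paths on disk; run_values: {name: data} from the
    auto-run (Run) key; listening_ports: set of TCP ports in LISTENING state."""
    hits = set()
    for path in file_paths:
        p = path.lower()                      # NTFS paths are case-insensitive
        directory, _, name = p.rpartition("\\")
        if name == WORM_FILE and directory == SYSTEM_DIR:
            hits.add("worm_binary_in_system_dir")
        if name == SOURCE_ARCHIVE and (directory in ARCHIVE_DROP_DIRS
                                       or USER_ARCHIVE_RE.match(p)):
            hits.add("mydoom_source_archive_dropped")
    if any(WORM_FILE in data.lower() for data in run_values.values()):
        hits.add("autorun_persistence")        # relaunched on every restart
    if MYDOOM_BACKDOOR_PORT in listening_ports:
        hits.add("mydoom_backdoor_listening")  # the port Doomjuice spreads through
    return sorted(hits)


# Constructed snapshot of an infected host (sample data, not from a real machine).
INFECTED_FILES = [
    r"C:\WINDOWS\system32\Intrenat.exe",
    r"C:\sync-src-1.00.tbz",
    r"C:\Documents and Settings\alice\sync-src-1.00.tbz",
]
# The article does not name the registry value, so a placeholder name is used.
INFECTED_RUN = {"<value-name-placeholder>": r"C:\WINDOWS\system32\Intrenat.exe"}
INFECTED_PORTS = {135, 445, 3127}
CLEAN_FILES = [r"C:\WINDOWS\system32\notepad.exe"]
```

A real sweep would feed `triage` with a directory listing, the exported Run key and `netstat -an` output from each host.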
Doomjuice is also programmed to carry out a DoS attack on the Microsoft site. Prior to 12th February, this will be a modified attack; the worm sends a single GET request to port 80, and repeats this at random intervals. However, after 12th February, the worm will launch a full-scale attack on the site. Given the number of computers originally infected by Mydoom, if Doomjuice continues to spread successfully, it could present a potential threat to Microsoft.
"The author of Doomjuice is not only making it difficult to trace the creator of Mydoom, but also making the source code of Mydoom.a available for everyone whose machine is infected by Doomjuice. Anyone with basic programming skills can use the Mydoom.a source code to create a clone," comments Eugene Kaspersky, Kaspersky Lab's Head of Anti-virus Research. "In fact, I think that we may be seeing a large number of Mydoom clones in the wild very soon."