Doomjuice Saga Continues
11 Feb 2004
Kaspersky Lab, a leading information security software developer, has detected a second version of the Internet worm Doomjuice - Doomjuice.b. It propagates using the same methods as the original Doomjuice: both worms scan the Internet for computers infected either by Mydoom.a. Doomjuice uses port 3127, breached earlier by Mydoom, to install copies of itself, which the Trojan component of Mydoom then launches.
However, Doomjuice.b differs from the previous version in that it has been created solely to conduct a DoS attack on the Microsoft site. The worm first copies itself into the Windows directory under the name regedit.exe and then registers this file in the system registry auto-run key. Once installation is complete, Doomjuice checks the system date. The DoS attack will be launched in any month of any year except January, excluding dates between the 8th and 12th of the month. If the system date meets these requirements, Doomjuice sends multiple GET requests to port 80 on www.microsoft.com.
The author of Doomjuice.b uses a server request technique previously unknown for Internet worms: the worm's request mimics the Internet Explorer request text. As a result, requests from infected computers may not be blocked, as this technique makes it more difficult to distinguish between valid requests and ones generated by Doomjuice.b. This feature potentially increases the destructive capabilities of the worm. If Doomjuice.b becomes widespread, Microsoft may need to implement some of the security measures intended for such eventualities.
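Because the worm's requests carry a browser-like User-Agent, a filter keyed on the request text cannot separate flood traffic from real visitors; the defender's fallback is per-client request volume. The following added example (not code from the article or from Kaspersky Lab) runs both checks over constructed Apache-style access log lines: the signature check on the User-Agent finds nothing, while a sliding-window rate check flags the flooding client. Log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic). Every request, flood or not,
# presents the same Internet Explorer User-Agent string.
IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

def _entry(ip, second, path):
    return (f'{ip} - - [11/Feb/2004:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{IE_UA}"')

SAMPLE_LOG = (
    [_entry("192.0.2.10", i // 5, "/") for i in range(50)]        # 50 hits in 10 s
    + [_entry("198.51.100.7", s, "/downloads") for s in (5, 30, 55)]  # normal visitor
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "ua": m["ua"]}

def non_browser_requests(lines):
    """Signature-style check: IPs whose User-Agent does not look like a browser.
    Returns an empty list here because the flood mimics IE exactly."""
    entries = filter(None, map(parse_line, lines))
    return sorted({e["ip"] for e in entries if not e["ua"].startswith("Mozilla/")})

def flood_sources(lines, window_s=10, max_requests=20):
    """Behavioural check: IPs sending more than max_requests GETs inside any
    sliding window of window_s seconds, regardless of User-Agent."""
    recent, flagged = defaultdict(deque), set()
    for e in filter(None, map(parse_line, lines)):
        if not e["req"].startswith("GET "):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(e["ip"])
    return flagged

if __name__ == "__main__":
    print("UA filter flagged:", non_browser_requests(SAMPLE_LOG))   # []
    print("rate check flagged:", flood_sources(SAMPLE_LOG))         # {'192.0.2.10'}
```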
Kaspersky Lab has already updated the anti-virus database with protection against Doomjuice.b. A detailed description of the worm is available in the Kaspersky Virus Encyclopedia.