W32/Doomjuice.A

• Detected by virus detection files published: 2/11/2004
• Virus characteristics first published: 2/11/2004
• Virus characteristics latest update: 3/19/2004
• Alias: W32/MyDoom.C
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Worm
• Spreading mechanism: Other
• Overall risk: Low
• Payload: Denial of service attack
This network worm spreads only to computers that are already infected with the MyDoom series of worms and that have the backdoor installed by MyDoom open. When the worm is first run, it creates a mutex named "sync-Z-mtx_133" to avoid running twice in memory. It then copies itself to the Windows System directory under the name [SYSTEM]INTRENAT.EXE. A startup entry is created under one of the following registry keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Doomjuice then creates a file called sync-src-1.00.tbz in the root directory of every local and mapped network drive from C:\ to Y:\, in the Windows directory, the System directory, the Temp directory and in the current user's profile directory. This file is a TAR-BZIP archive containing the source code of the original MyDoom.A variant.

The main spread routine runs as a separate thread that generates random IP addresses and attempts to connect to these machines on port 3127. If a MyDoom-installed backdoor is listening there, the worm uploads a copy of itself to the machine and runs it.
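Two defender-side checks for the behaviour described above, as an added example that is not part of the original entry: a fan-out heuristic over connection logs that flags hosts probing many distinct addresses on TCP/3127 (the signature of the random-IP scan), and a host-inventory match against the dropped binary, source archive, Run-key entry and mutex named in the description. The log line format and the sample inventory are constructed for the example.

```python
"""Detection helpers for the Doomjuice.A behaviour described in the entry above.
Added example, not part of the original description; the log format and the
host inventory below are constructed for illustration."""
from collections import defaultdict

# Artifacts named in the description.
DROPPED_BINARY = "intrenat.exe"          # copied to the Windows System directory
SOURCE_ARCHIVE = "sync-src-1.00.tbz"     # MyDoom.A source, dropped on every drive root
MUTEX_NAME = "sync-Z-mtx_133"            # single-instance mutex
BACKDOOR_PORT = 3127                     # MyDoom backdoor port the worm scans for


def flag_scanners(flow_lines, min_targets=20):
    """Return {src_ip: distinct_destinations} for hosts reaching at least
    min_targets distinct addresses on TCP/3127: the fan-out a random-IP scan
    produces, which a host talking to a single peer on that port does not.
    Each line is 'epoch src_ip dst_ip dst_port proto' (constructed format)."""
    seen = defaultdict(set)
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed lines
        _, src, dst, dport, proto = fields
        if proto.lower() == "tcp" and dport == str(BACKDOOR_PORT):
            seen[src].add(dst)
    return {src: len(d) for src, d in seen.items() if len(d) >= min_targets}


def host_indicators(file_paths, run_values, mutexes):
    """Match a host inventory against the dropped file, source archive,
    Run-key value and mutex from the description; returns a list of findings."""
    hits = []
    for path in file_paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base == DROPPED_BINARY:
            hits.append(f"worm binary: {path}")
        elif base == SOURCE_ARCHIVE:
            hits.append(f"MyDoom.A source archive: {path}")
    hits += [f"Run key starts worm: {v}" for v in run_values if DROPPED_BINARY in v.lower()]
    hits += [f"worm mutex open: {m}" for m in mutexes if m == MUTEX_NAME]
    return hits


# Constructed sample data: one internal host probing 25 distinct addresses on
# TCP/3127, one host with a single 3127 connection, one ordinary HTTPS flow.
SAMPLE_FLOWS = [f"1076500{i:03d} 10.0.0.5 198.51.100.{i} 3127 tcp" for i in range(1, 26)]
SAMPLE_FLOWS += ["1076500100 10.0.0.8 203.0.113.4 3127 tcp",
                 "1076500101 10.0.0.7 203.0.113.9 443 tcp"]
SAMPLE_HOST = {
    "file_paths": [r"C:\WINDOWS\SYSTEM32\INTRENAT.EXE", r"C:\sync-src-1.00.tbz", r"C:\WINDOWS\notepad.exe"],
    "run_values": [r"C:\WINDOWS\SYSTEM32\INTRENAT.EXE"],
    "mutexes": ["sync-Z-mtx_133"],
}
```

Only the scanning host crosses the fan-out threshold; the host with a single connection to port 3127 does not, which keeps the heuristic quiet on ordinary one-to-one traffic.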