Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

After Mydoom, meet Doomjuice

There’s a third Mydoom out there and it’s called Doomjuice.

Its attack program started yesterday, but unlike Mydoom.A it’s not after SCO and it’s not carried by email, says F-Secure, which found the first version.

Rather, it ‘infects’ machines already polluted with Mydoom.A and its sole purpose is to carry out a DDoS (Distributed Denial-of-Service) attack on microsoft.com.

“To locate machines with the backdoor open, Doomjuice scans random IP addresses by trying to connect to TCP port 3127,” says F-Secure.

“If the port is open the worm sends itself in a specially crafted package that makes the Mydoom.A infected machine execute the file, thus infecting it with Doomjuice too.”

After penetrating the system, Doomjuice copies itself to the Windows System Directory as ‘intrenat.exe’, which is in turn added to the registry as:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin

Between February 8th and 12th, “the worm will wait for up to 365 seconds,” says F-Secure. “After the 12th it will start the attack right away.

“In order to overload www.microsoft.com the worm starts 16-80 parallel threads that connect to the web site and try to download the main page in an infinite loop.

“One of Doomjuice’s payloads is that it drops the source code of Mydoom.A in a bzip2 compressed TAR archive. The file is dropped to the root of all hard drives and the user’s profile directory as ‘sync-src-1.00.tbz’.”
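
The host indicators described above (intrenat.exe in the system directory, the Gremlin Run entry, the sync-src-1.00.tbz archive, and TCP port 3127 left open by Mydoom.A) can be matched against a host inventory. This is an added example, not code from F-Secure or p2pnet; the snapshot layout, the function names and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the article; everything else here is illustrative.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "gremlin"  # treated here as the value name under the Run key
WORM_EXE = "intrenat.exe"
SOURCE_ARCHIVE = "sync-src-1.00.tbz"
BACKDOOR_PORT = 3127  # left open by Mydoom.A, used by Doomjuice to spread

def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))

def check_host(snapshot):
    """Return (indicator, detail) findings for one host snapshot dict."""
    findings = []
    sysdir = _norm(snapshot["system_dir"])
    profiles = {_norm(p) for p in snapshot["profile_dirs"]}
    for path in snapshot["files"]:
        folder, name = ntpath.split(_norm(path))
        if name == WORM_EXE and folder == sysdir:
            findings.append(("worm_binary", path))
        elif name == SOURCE_ARCHIVE:
            # Only drive roots and profile directories are named in the article.
            at_root = ntpath.splitdrive(folder)[1] == "\\"
            if at_root or folder in profiles:
                findings.append(("mydoom_source_archive", path))
    for hive, key, value, data in snapshot["registry_values"]:
        if (hive.upper() in ("HKLM", "HKCU")
                and key.lower().strip("\\") == RUN_KEY
                and value.lower() == RUN_VALUE):
            findings.append(("run_key_persistence", f"{hive}\\{key}\\{value} = {data}"))
    if BACKDOOR_PORT in snapshot["listening_tcp_ports"]:
        findings.append(("mydoom_backdoor_port", f"TCP {BACKDOOR_PORT} listening"))
    return findings

# Constructed sample snapshot (not real telemetry).
SAMPLE = {
    "system_dir": r"C:\WINDOWS\system32",
    "profile_dirs": [r"C:\Documents and Settings\alice"],
    "files": [r"C:\WINDOWS\SYSTEM32\INTRENAT.EXE", r"C:\sync-src-1.00.tbz",
              r"C:\Documents and Settings\alice\sync-src-1.00.tbz",
              r"C:\temp\intrenat.exe"],  # last one: right name, wrong folder
    "registry_values": [("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                         "Gremlin", r"C:\WINDOWS\system32\intrenat.exe")],
    "listening_tcp_ports": [135, 445, 3127],
}
```

A host that shows only the open port 3127 finding is still carrying the Mydoom.A backdoor that Doomjuice relies on, so it warrants cleanup even without the other indicators.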


2 Responses to “After Mydoom, meet Doomjuice”

  1. Reader's Write Says:

    We’re not from Norway.

    - F-Secure

  2. Reader's Write Says:

    Our apologies. We’ve removed the offending text. p2pnet
