Authors of Mydoom worm launched yet another attack

New worm tries to lose the evidence

Helsinki, Finland - February 9, 2004

A new network worm known as Doomjuice has been found. This worm is closely associated with the previous Mydoom worms. It infects Windows machines that are already infected by Mydoom.A. On such machines the infection is fully automatic and needs no user action: the owner of the computer can be asleep and the machine will still be infected with Doomjuice. Doomjuice does not spread over email at all.

Doomjuice has launched a world-wide denial-of-service attack against www.microsoft.com - one of the largest websites in the world. Currently www.microsoft.com seems to be operational, but a disruption in service was noted earlier on Monday, the 9th of February.

Doomjuice spreads between computers that are already infected with the Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines with the backdoor open, Doomjuice scans random internet addresses. When it finds a machine that is infected by Mydoom.A, it sends itself over, infecting that machine with Doomjuice too.

Doomjuice drops the original source code of the Mydoom.A worm in an archive to several folders of infected computers. "This proves to us that Doomjuice and Mydoom.A are written by the same people", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "The source code of Mydoom.A has not been seen circulating in the underground before."

The motivation for distributing the source code seems to be simple. "The authors know the police is looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive - without knowing it", says Hypponen.

The worm has been programmed to start a distributed denial-of-service attack against www.microsoft.com after the 8th of February, which is probably when the worm was distributed. The attacks will continue forever and will try to overload the website by repeatedly reloading the front page.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/doomjuice.shtml

F-Secure monitors the ongoing attacks against www.sco.com and www.microsoft.com by the Mydoom-related viruses in our Weblog: http://www.f-secure.com/weblog/

F-Secure Anti-Virus can detect and stop the Doomjuice and Mydoom worms. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus, desktop firewall with intrusion prevention and network encryption. Our key strength is the speed of response to new threats and for businesses our solutions feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom and leading mobile equipment manufacturers, such as Nokia.

For more information, please contact:

Finland:
F-Secure Corporation
Mikko Hypponen, Director, Antivirus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax. +358 9 2520 5001
Email mikko.hypponen@f-secure.com

Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email heather.deem@f-secure.com

