Classification

Category :

Malware

Type :

Worm

Aliases :

Mydoom.C, Worm.Win32.Doomjuice, W32.HLLW.Doomjuice, WORM_DOOMJUICE.A, W32/Doomjuice.worm

Summary

NOTE: A new variant, Doomjuice.B has been found. See: https://www.f-secure.com/v-descs/doomjuiceb.shtml

Doomjuice worm, also known as Mydoom.C, was found on February 9th, 2004. It infects machines which are already infected by Mydoom.A. It does not spread over email at all.

Doomjuice worm does not attack sco.com but it tries to perform a Distributed Denial-of-Service attack on microsoft.com.

F-Secure monitors the ongoing Mydoom-related attacks in our Weblog: https://www.f-secure.com/weblog/

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Network Propagation

Doomjuice spreads between computers that are already infected with the Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines with the backdoor open, Doomjuice scans random IP addresses by trying to connect to TCP port 3127. If the port is open the worm sends itself in a specially crafted package that makes the Mydoom.A infected machine to execute the file thus infecting it with Doomjuice too.

System Infection

After entering the system Doomjuice copies itself to the Windows System Directory as 'intrenat.exe'. The copy is added to the registry as

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin

Distributed Denial-of-Service Attack

After the 8th of February the starts a DDoS attack against www.microsoft.com. Between 8th and 12th of February the worm will wait for up to 365 seconds. After the 12th it will start the attack right away.

In order to overload www.microsoft.com the worm starts 16-96 parallel threads that connect to the web site and try to download the main page in an infinite loop.

Payload

One of Doomjuice's payloads is that it drops the source code of Mydoom.A in a bzip2 compressed TAR archive. The file is dropped the root of all hard drives and the user's profile directory as 'sync-src-1.00.tbz'.