Doomjuice worm, also known as Mydoom.C, was found on February 9th, 2004.
It infects machines which are already infected by Mydoom.A. It does
not spread over email at all.
Doomjuice worm does not attack sco.com but it tries to perform a
Distributed Denial-of-Service attack on microsoft.com.
Doomjuice spreads between computers that are already infected with the
Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate
machines with the backdoor open, Doomjuice scans random IP addresses
by trying to connect to TCP port 3127. If the port is open, the worm sends
itself in a specially crafted package that makes the Mydoom.A-infected
machine execute the file, thus infecting it with Doomjuice too.
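The scanning behaviour described above can be spotted in connection logs. The following is an added example, not part of the original description: it flags sources that probe many distinct addresses on TCP port 3127 and lists destinations where such a connection was allowed. The log format, the sample records and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

BACKDOOR_PORT = 3127  # Mydoom.A backdoor port probed by Doomjuice (from the text above)
SCAN_THRESHOLD = 3    # assumed cut-off: distinct targets before a source counts as scanning

# Constructed sample records in a hypothetical firewall log format.
SAMPLE_LOG = """\
2004-02-10T09:00:01 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=3127 ACTION=DROP
2004-02-10T09:00:01 SRC=10.0.0.5 DST=198.51.100.8 PROTO=TCP DPT=3127 ACTION=DROP
2004-02-10T09:00:02 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP DPT=3127 ACTION=DROP
2004-02-10T09:00:02 SRC=10.0.0.5 DST=203.0.113.4 PROTO=TCP DPT=3127 ACTION=DROP
2004-02-10T09:00:03 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=3127 ACTION=DROP
2004-02-10T09:00:04 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=80 ACTION=ACCEPT
2004-02-10T09:00:05 SRC=192.0.2.44 DST=10.0.0.23 PROTO=TCP DPT=3127 ACTION=ACCEPT
2004-02-10T09:00:06 SRC=10.0.0.7 DST=198.51.100.20 PROTO=UDP DPT=3127 ACTION=DROP
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)"
)

def analyse(log_text, threshold=SCAN_THRESHOLD):
    """Return (scanning sources, destinations that were allowed a 3127/TCP connection)."""
    targets = defaultdict(set)  # source -> distinct destinations tried on 3127/TCP
    allowed = set()             # destinations to check for an open Mydoom.A backdoor
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != BACKDOOR_PORT:
            continue
        targets[m["src"]].add(m["dst"])
        if m["action"] == "ACCEPT":
            # The firewall let the connection through; the host still has to be
            # inspected to confirm that something is listening on the port.
            allowed.add(m["dst"])
    scanners = sorted(s for s, dsts in targets.items() if len(dsts) >= threshold)
    return scanners, sorted(allowed)

if __name__ == "__main__":
    scanners, allowed = analyse(SAMPLE_LOG)
    print("Sources scanning TCP 3127:", scanners)
    print("Hosts that accepted TCP 3127:", allowed)
```

Repeated attempts against the same destination count once, so a single retried connection does not push a source over the threshold.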
System Infection
After entering the system Doomjuice copies itself to the Windows System
Directory as 'intrenat.exe'. The copy is added to the registry as
After the 8th of February the worm starts a DDoS attack against
www.microsoft.com. Between the 8th and 12th of February the worm will
wait for up to 365 seconds. After the 12th it will start the attack
right away.
In order to overload www.microsoft.com the worm starts 16-96 parallel
threads that connect to the web site and try to download the main page
in an infinite loop.
Payload
One of Doomjuice's payloads is that it drops the source code
of Mydoom.A in a bzip2-compressed TAR archive. The file is dropped to
the root of all hard drives and the user's profile directory as
'sync-src-1.00.tbz'.