Threat Description

Doomjuice

Details

Aliases: Mydoom.C, Worm.Win32.Doomjuice, W32.HLLW.Doomjuice, WORM_DOOMJUICE.A, W32/Doomjuice.worm
Category: Malware
Type: Worm
Platform: W32

Summary


NOTE: A new variant, Doomjuice.B has been found. See: https://www.f-secure.com/v-descs/doomjuiceb.shtml

Doomjuice worm, also known as Mydoom.C, was found on February 9th, 2004. It infects machines which are already infected by Mydoom.A. It does not spread over email at all.

Doomjuice worm does not attack sco.com but it tries to perform a Distributed Denial-of-Service attack on microsoft.com.

F-Secure monitors the ongoing Mydoom-related attacks in our Weblog: https://www.f-secure.com/weblog/



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Network Propagation

Doomjuice spreads between computers that are already infected with the Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines with the backdoor open, Doomjuice scans random IP addresses by trying to connect to TCP port 3127. If the port is open, the worm sends itself in a specially crafted package that makes the Mydoom.A-infected machine execute the file, thus infecting it with Doomjuice too.

System Infection

After entering the system Doomjuice copies itself to the Windows System Directory as 'intrenat.exe'. The copy is added to the registry as

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin

Distributed Denial-of-Service Attack

After the 8th of February the worm starts a DDoS attack against www.microsoft.com. Between the 8th and 12th of February the worm will wait for up to 365 seconds. After the 12th it will start the attack right away.

In order to overload www.microsoft.com the worm starts 16-96 parallel threads that connect to the web site and try to download the main page in an infinite loop.

Payload

One of Doomjuice's payloads is that it drops the source code of Mydoom.A in a bzip2-compressed TAR archive. The file is dropped to the root of all hard drives and to the user's profile directory as 'sync-src-1.00.tbz'.
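The host artefacts named in the sections above (the 'Gremlin' Run value, 'intrenat.exe', 'sync-src-1.00.tbz' and the Mydoom.A backdoor port 3127) can be checked against a triage snapshot. The following is an added example, not F-Secure's code; the snapshot shape, the function name check_snapshot and the sample data are assumptions constructed for illustration.

```python
"""Triage check for the Doomjuice host artefacts listed in this description."""
from pathlib import PureWindowsPath

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE = "gremlin"
WORM_COPY = "intrenat.exe"
DROPPED_ARCHIVE = "sync-src-1.00.tbz"
MYDOOM_A_BACKDOOR_PORT = 3127


def check_snapshot(run_values, file_paths, listening_tcp_ports):
    """Return a sorted list of (indicator, detail) findings.

    Assumed input: (key, value_name, data) tuples, path strings, a set of ports.
    """
    findings = set()
    for key, name, data in run_values:
        # Registry key and value names are case-insensitive on Windows.
        if key.rstrip("\\").lower().endswith(RUN_KEY_SUFFIX) and name.lower() == RUN_VALUE:
            findings.add(("run-value", f"{key}\\{name} -> {data}"))
    for raw in file_paths:
        path = PureWindowsPath(raw)
        base = path.name.lower()
        if base == WORM_COPY:
            findings.add(("worm-copy", str(path)))
        elif base == DROPPED_ARCHIVE:
            # The description names drive roots and the user's profile directory.
            at_root = bool(path.root) and path.parent == PureWindowsPath(path.anchor)
            where = "drive-root" if at_root else "other-dir"
            findings.add((f"archive-{where}", str(path)))
    if MYDOOM_A_BACKDOOR_PORT in listening_tcp_ports:
        findings.add(("backdoor-port", f"TCP {MYDOOM_A_BACKDOOR_PORT} listening"))
    return sorted(findings)


# Constructed sample snapshots (not taken from a real host).
INFECTED = dict(
    run_values=[(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Gremlin", r"C:\WINDOWS\system32\intrenat.exe"),
                (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", "ctfmon.exe")],
    file_paths=[r"C:\WINDOWS\system32\INTRENAT.EXE", r"C:\sync-src-1.00.tbz",
                r"C:\Documents and Settings\alice\sync-src-1.00.tbz", r"C:\WINDOWS\notepad.exe"],
    listening_tcp_ports={135, 445, 3127},
)
# 'internat.exe' is spelled differently from the worm's copy and must not match.
CLEAN = dict(run_values=[(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", "ctfmon.exe")],
             file_paths=[r"C:\WINDOWS\system32\internat.exe"], listening_tcp_ports={135, 445})

if __name__ == "__main__":
    for indicator, detail in check_snapshot(**INFECTED):
        print(f"{indicator:20} {detail}")
```

A listening TCP port 3127 on its own points to the Mydoom.A backdoor that Doomjuice relies on, so it is reported even when no Doomjuice file is present.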



Detection


Detection in F-Secure Anti-Virus was published in update:

Detection Type: PC
Database: 2004-02-09_04



Description Details: Katrin Tocheva; February 9th, 2004
Technical Details: Gergely Erdelyi; February 9th, 2004

