Doomjuice worm feeds off Mydoom

A new network worm appeared yesterday, which takes advantage of machines compromised by Mydoom-A. After infecting machines, Doomjuice tries to launch a distributed denial of service attack on Microsoft's Web site.

Is your system infected with Mydoom-A? If so, then you're liable to get a new network worm that's making the rounds -- and contributing to the headaches over at Microsoft. The software giant's Web site is scheduled to be bombarded with bad traffic generated by this latest malware variant.

Doomjuice-A targets machines infected by Mydoom-A. Unlike Mydoom-A, a mass mailer that spreads via e-mail, Doomjuice spreads by scanning random IP addresses for port 3127.

Doomjuice isn't the only worm targeting the port opened by Mydoom. Similarly programmed Deadhat-A, or Vesser-A, appeared over the weekend but never gained much traction.

Also, it appears that spammers are using the open port to create systems for sending out e-mails, said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc.

How wide Doomjuice will spread depends on how many systems are still infected with Mydoom-A. Dunham has heard estimates that range from 500,000 to 1 million.

There are things people can do to prevent infection by Doomjuice. The first is to make sure systems don't contain Mydoom-A -- one way to do so is to run a virus scan after downloading the latest signature update. Also, it's a good idea to make sure port 3127 isn't open.

But, because Doomjuice is a network worm, there really isn't much else companies can do to prevent it. No user interaction is needed for the worm to infect a system. If port 3127 is open, the worm sends itself. The worm also drops a copy of the source code for Mydoom-A as a bzip2 compressed TAR archive, according to Helsinki, Finland-based antivirus software vendor F-Secure Corp.
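The propagation mechanism described above (random IP scanning for port 3127, with infection on any host that answers) gives a defender two things to look for in perimeter logs: internal hosts that accept connections on 3127, and hosts probing many addresses on that port. The following detection logic is an added example, not code from the article or from any vendor quoted in it; the log format and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not real traffic): "src:sport -> dst:dport ACTION"
SAMPLE_LOG = """\
10.0.0.5:40001 -> 10.0.1.17:3127 ACCEPT
10.0.0.5:40002 -> 10.0.2.33:3127 DROP
10.0.0.5:40003 -> 10.0.3.9:3127 DROP
10.0.0.5:40004 -> 10.0.4.21:3127 DROP
10.0.0.5:40005 -> 10.0.5.2:3127 DROP
10.0.0.7:51234 -> 10.0.1.17:3127 ACCEPT
10.0.0.8:51000 -> 10.0.1.40:80 ACCEPT
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (ACCEPT|DROP)$")
MYDOOM_PORT = 3127      # backdoor port left open by Mydoom-A
SWEEP_THRESHOLD = 5     # distinct destinations on 3127 before a source counts as sweeping

def analyze(log_text, threshold=SWEEP_THRESHOLD):
    """Return (listeners, sweepers): hosts that accepted a 3127 connection,
    and sources that probed at least `threshold` distinct hosts on 3127."""
    targets = defaultdict(set)   # src -> set of destinations probed on 3127
    listeners = set()            # destinations that ACCEPTed on 3127
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip unparsable lines rather than abort the run
        src, _sport, dst, dport, action = m.groups()
        if int(dport) != MYDOOM_PORT:
            continue
        targets[src].add(dst)
        if action == "ACCEPT":
            listeners.add(dst)
    sweepers = {src for src, dsts in targets.items() if len(dsts) >= threshold}
    return sorted(listeners), sorted(sweepers)

if __name__ == "__main__":
    listeners, sweepers = analyze(SAMPLE_LOG)
    print("hosts accepting 3127 (Mydoom-A backdoor likely present):", listeners)
    print("hosts sweeping 3127 (possible Doomjuice propagation):", sweepers)
```

An accepted connection on 3127 is the stronger signal, since a clean host has nothing listening there; the sweep count only indicates that a source is behaving like the worm.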

For this reason, experts think the creator of Mydoom-A is behind Doomjuice. Some think the author could have included the Mydoom-A code in Doomjuice to cover his legal tracks in case he's ever caught. But others worry that, if Doomjuice is successful, the code for Mydoom-A will be widely available, which could mean more worms based on it.

After infecting a system, Doomjuice removes Mydoom-A and -B from systems, so no other attackers can exploit machines through port 3127. It then starts a distributed denial-of-service attack on Microsoft's Web site. Interestingly, the DDoS attack is slated to start slowly. Then, on Feb. 12, the worm begins to bombard Microsoft constantly.

Feb. 12 is the date when Mydoom-A stops its DDoS attack on the SCO Group's Web site. There is no kill date for Doomjuice.

"It's a way for the writer to redeem himself," Dunham said, noting that Mydoom-B, which targeted Microsoft's site, never took off.
