Doomjuice worm feeds off Mydoom

Edward Hurley, News Writer

Is your system infected with Mydoom-A? If so, then you're liable to get a new network worm that's making the rounds -- and contributing to the headaches over at Microsoft. The software giant's Web site is scheduled to be bombarded with bad traffic generated by this latest malware variant.

Doomjuice-A targets machines infected by Mydoom-A. Unlike Mydoom-A, a mass mailer that spreads via e-mail, Doomjuice spreads by scanning random IP addresses for port 3127.

Doomjuice isn't the only worm targeting the port opened by Mydoom. Similarly programmed Deadhat-A, or Vesser-A, appeared over the weekend but never gained much traction.

Also, it appears that spammers are using the open port to create systems for sending out e-mails, said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc.

How wide Doomjuice will spread depends on how many systems are still infected with Mydoom-A. Dunham has heard estimates that range from 500,000 to 1 million.

There are things people can do to prevent infection by Doomjuice. The first is to make sure systems don't contain Mydoom-A -- one way to do so is to run a virus scan after downloading the latest signature update. Also, it's a good idea to make sure port 3127 isn't open.

But, because Doomjuice is a network worm, there really isn't much else companies can do to prevent it. No user interaction is needed for the worm to infect a system. If port 3127 is open, the worm sends itself.
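Because Doomjuice spreads by sweeping random addresses for TCP port 3127 with no user interaction, the practical defensive checks are the two the article names: confirm none of your own hosts is listening on 3127, and watch the perimeter for one source touching that port on many destinations. The script below is an added example, not code from the article, F-Secure or iDefense; the iptables-style log lines are constructed, the log format and the five-target threshold are assumptions, and `is_port_listening` is a hypothetical helper for checking a host you administer.

```python
"""Two defender-side checks for the Mydoom-A backdoor port (TCP 3127).

1. is_port_listening(): does a host we administer accept connections on 3127?
2. flag_sweepers(): which sources in a firewall log are probing 3127 on many
   distinct destinations, the pattern a Doomjuice-style network worm produces?
"""
import re
import socket
from collections import defaultdict

MYDOOM_PORT = 3127  # backdoor port opened by Mydoom-A, per the article

# Constructed iptables-style log lines (not real traffic). 10.0.0.5 sweeps six
# hosts on 3127, 10.0.0.9 touches a single host on 3127, 10.0.0.7 is ordinary
# web traffic, and the UDP line is noise the parser should ignore.
SAMPLE_LOG = """\
Feb 10 09:12:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=4312 DPT=3127 SYN
Feb 10 09:12:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.21 PROTO=TCP SPT=4313 DPT=3127 SYN
Feb 10 09:12:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.22 PROTO=TCP SPT=4314 DPT=3127 SYN
Feb 10 09:12:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.23 PROTO=TCP SPT=4315 DPT=3127 SYN
Feb 10 09:12:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.24 PROTO=TCP SPT=4316 DPT=3127 SYN
Feb 10 09:12:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.25 PROTO=TCP SPT=4317 DPT=3127 SYN
Feb 10 09:12:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.20 PROTO=TCP SPT=5100 DPT=3127 SYN
Feb 10 09:12:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.30 PROTO=TCP SPT=5200 DPT=80 SYN
Feb 10 09:12:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.31 PROTO=TCP SPT=5201 DPT=80 SYN
Feb 10 09:12:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.32 PROTO=TCP SPT=5202 DPT=80 SYN
Feb 10 09:12:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.1 PROTO=UDP SPT=5300 DPT=53
"""

# Only TCP SYN-style entries matter for a connect sweep; the regex is tied to
# the assumed iptables field layout above.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def count_port_targets(lines, port=MYDOOM_PORT):
    """Map each source IP to the number of distinct destinations it hit on `port`."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == port:
            src, dst, _ = parsed
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def flag_sweepers(lines, threshold=5, port=MYDOOM_PORT):
    """Sources that probed `port` on at least `threshold` distinct hosts (assumed cutoff)."""
    counts = count_port_targets(lines, port)
    return sorted(src for src, n in counts.items() if n >= threshold)


def is_port_listening(host, port=MYDOOM_PORT, timeout=1.0):
    """True if `host` accepts a TCP connection on `port`; use only on hosts you manage."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("local 3127 listening:", is_port_listening("127.0.0.1"))
    print("per-source 3127 targets:", count_port_targets(SAMPLE_LOG.splitlines()))
    print("suspected sweepers:", flag_sweepers(SAMPLE_LOG.splitlines()))
```

A single connection to 3127 (like 10.0.0.9 above) is not by itself evidence of a worm, so the rule keys on breadth of destinations rather than on the port alone; a positive result from `is_port_listening` on one of your own hosts is the cue to run the signature-updated scan the article recommends.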

The worm also drops a copy of the source code for Mydoom-A as a bzip2 compressed TAR archive, according to Helsinki, Finland-based antivirus software vendor F-Secure Corp.

For this reason, experts think the creator of Mydoom-A is behind Doomjuice. Some think the author could have included the Mydoom-A code in Doomjuice to cover his legal tracks in case he's ever caught. But others worry that, if Doomjuice is successful, the code for Mydoom-A will be widely available, which could mean more worms based on it.

After infecting a system, Doomjuice removes Mydoom-A and -B from systems, so no other attackers can exploit machines through port 3127. It then starts a distributed denial-of-service attack on www.microsoft.com. Interestingly, the DDoS attack is slated to start slowly. Then, on Feb. 12, the worm begins to bombard Microsoft constantly.

Feb. 12 is the date when Mydoom-A stops its DDoS attack on the SCO Group's Web site. There is no kill date for Doomjuice.

"It's a way for the writer to redeem himself," Dunham said, noting that Mydoom-B, which targeted Microsoft's site, never took off.
