
Doomjuice worm feeds off Mydoom

By Edward Hurley, News Writer
10 Feb 2004 | SearchSecurity.com


Is your system infected with Mydoom-A? If so, then you're liable to get a new network worm that's making the rounds -- and contributing to the headaches over at Microsoft. The software giant's Web site is scheduled to be bombarded with bad traffic generated by this latest malware variant.

Doomjuice-A targets machines already infected by Mydoom-A. Unlike Mydoom-A, a mass mailer that spreads via e-mail, Doomjuice spreads by scanning random IP addresses for TCP port 3127, the port on which Mydoom-A's backdoor component listens on an infected machine.

Doomjuice isn't the only worm targeting the port opened by Mydoom. Similarly programmed Deadhat-A, or Vesser-A, appeared over the weekend but never gained much traction.

Also, it appears that spammers are using the open port to create systems for sending out e-mails, said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc.

How wide Doomjuice will spread depends on how many systems are still infected with Mydoom-A. Dunham has heard estimates that range from 500,000 to 1 million.

There are things people can do to prevent infection by Doomjuice. The first is to make sure systems don't contain Mydoom-A -- one way to do so is to run a virus scan after downloading the latest signature update. It is also a good idea to make sure port 3127 isn't reachable: block inbound TCP 3127 at the perimeter firewall, and check internally that no host is listening on it, since a listener on that port on a machine that should not be serving anything is a strong sign of a Mydoom-A infection.

But, because Doomjuice is a network worm, there really isn't much else companies can do to prevent it. No user interaction is needed for the worm to infect a system. If port 3127 is open, the worm connects to the Mydoom-A backdoor and uploads a copy of itself for the backdoor to run. The worm also drops a copy of the source code for Mydoom-A as a bzip2-compressed tar archive, according to Helsinki, Finland-based antivirus software vendor F-Secure Corp.
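The two preceding paragraphs describe the check that matters: find hosts on your own network that still answer on the Mydoom-A backdoor port before Doomjuice's random scanning does. The sweep below is an added example written for this page, not code from the article, from F-Secure or from iDefense. It assumes a host list you are authorised to scan, and that Mydoom-A listens on 3127 and walks up through 3198 if that port is taken, as vendor write-ups of the time reported; adjust the range if your own analysis says otherwise. A plain connect followed by a close sends no data to the backdoor, so the probe does not trigger anything on the infected host.

```python
"""Sweep hosts for a TCP listener in the port range the Mydoom-A backdoor uses.

Added example for this page, not the article's or any vendor's code.
Assumptions (not from the article): hosts are reachable and you are
authorised to scan them; the backdoor range is 3127-3198.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed range: Mydoom-A binds 3127 and, if busy, tries the next port up to 3198.
MYDOOM_PORTS = range(3127, 3199)


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port completes within timeout.

    The connection is closed immediately; nothing is sent to the listener.
    Refused, unreachable and timed-out connects all count as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, ports=MYDOOM_PORTS, timeout=0.5, workers=64):
    """Return {host: [open ports]} for every host with at least one listener in `ports`.

    Hosts with no listener in the range are left out of the result, so an
    empty dict means nothing on the list looks like a Mydoom-A backdoor.
    """
    targets = [(host, port) for host in hosts for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # map() preserves target order, so results line up with targets.
        results = pool.map(lambda t: (t, port_open(*t, timeout=timeout)), targets)
    hits = {}
    for (host, port), is_open in results:
        if is_open:
            hits.setdefault(host, []).append(port)
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python mydoom_sweep.py 10.0.0.1 10.0.0.2 ...
    for host, open_ports in sweep(sys.argv[1:]).items():
        print(f"{host}: listener(s) on {open_ports} -- scan this host for Mydoom-A")
```

A hit is a lead, not a verdict: confirm with an up-to-date virus scan on the host, or locally with `netstat -an` looking for a LISTENING socket in the same range. The same sweep is a one-liner with nmap (`nmap -p 3127-3198 <range>`); the script is here to show the logic and so it can be dropped into existing inventory tooling.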

For this reason, experts think the creator of Mydoom-A is behind Doomjuice. Some think the author could have included the Mydoom-A code in Doomjuice to cover his legal tracks in case he's ever caught. But others worry that, if Doomjuice is successful, the code for Mydoom-A will be widely available, which could mean more worms based on it.

After infecting a system, Doomjuice removes Mydoom-A and Mydoom-B, so no other attackers can exploit the machine through port 3127. It then starts a distributed denial-of-service attack on www.microsoft.com. Interestingly, the DDoS attack is slated to start slowly. Then, on Feb. 12, the worm begins to bombard Microsoft constantly.

Feb. 12 is the date when Mydoom-A stops its DDoS attack on the SCO Group's Web site. There is no kill date for Doomjuice.

"It's a way for the writer to redeem himself," Dunham said, noting that Mydoom-B, which targeted Microsoft's site, never took off.


