Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Denial of service attack
Detection files published
Description created 11 Feb 2004 05:54:00
Description updated 11 Feb 2004 05:54:00
Malware type WORM
Alias W32/MyDoom.C
Spreading mechanism OTHER
Summary None

W32/Doomjuice.A

Spreading

This network worm spreads only to computers that are already infected with the MyDoom series of worms and that still have the backdoor installed by MyDoom open.
When the worm is first run, it creates a mutex named "sync-Z-mtx_133" so that it does not install a second copy of itself in memory.
It then copies itself to the Windows System directory using the name [SYSTEM]INTRENAT.EXE.

The following registry keys are created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = [SYSTEM]INTRENAT.EXE
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = [SYSTEM]INTRENAT.EXE
Doomjuice then creates a file called sync-src-1.00.tbz in the root directory of every local and mapped network drive from C:\ to Y:\, in the Windows directory, the System directory, the Temp directory and the current user's profile directory. This file is a TAR-BZIP archive containing the source code of the original MyDoom.A variant.
The main spreading routine runs in a separate thread that generates random IP addresses and attempts to connect to each of them on port 3127. If a MyDoom-installed backdoor is listening there, the worm uploads itself to that machine and executes.
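The host artifacts listed above (Run value, dropped binary, source archive, mutex) and the random port-3127 sweep are what a defender would look for. The following is an added example, not Lumension's tooling: it checks a constructed host snapshot for those indicators and flags hosts whose outbound connections on port 3127 reach an unusual number of distinct peers. The snapshot format, the log line format and the SCAN_THRESHOLD value are assumptions.

```python
"""Indicator check for the W32/Doomjuice.A artifacts described above (added example,
not Lumension's tooling). Inputs are constructed host/network snapshots that a
collection agent would supply; nothing on the real host is queried."""
import re
# Indicators from the description: Run value name, dropped binary, archive, mutex, port.
RUN_VALUE_NAME = "gremlin"
DROPPED_BINARY = "intrenat.exe"
SOURCE_ARCHIVE = "sync-src-1.00.tbz"
MUTEX_NAME = "sync-Z-mtx_133"
BACKDOOR_PORT = 3127
SCAN_THRESHOLD = 20  # distinct peers on port 3127 before flagging (assumed tuning value)

def host_indicators(run_values, files, mutexes):
    """Return (indicator, evidence) pairs found in a host snapshot."""
    hits = []
    for key, name, data in run_values:
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith(DROPPED_BINARY):
            hits.append(("run_key", f"{key}\\{name} = {data}"))
    for path in files:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in (DROPPED_BINARY, SOURCE_ARCHIVE):
            hits.append(("file", path))
    hits.extend(("mutex", m) for m in mutexes if m == MUTEX_NAME)
    return hits

CONN_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def scanning_hosts(conn_lines, threshold=SCAN_THRESHOLD):
    """Map source IP -> distinct destinations for hosts sweeping the backdoor port."""
    peers = {}
    for line in conn_lines:
        m = CONN_RE.search(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            peers.setdefault(m.group("src"), set()).add(m.group("dst"))
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}

# Constructed sample snapshot: one infected host, one clean entry, one 3127 sweep.
SAMPLE_RUN = [("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Gremlin",
               "C:\\WINDOWS\\system32\\INTRENAT.EXE"),
              ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
               "C:\\Users\\a\\OneDrive.exe")]
SAMPLE_FILES = ["C:\\sync-src-1.00.tbz", "D:\\data\\report.pdf", "C:\\WINDOWS\\system32\\INTRENAT.EXE"]
SAMPLE_MUTEXES = ["sync-Z-mtx_133", "Global\\BaseNamedObjects"]
SAMPLE_CONNS = [f"src=10.0.0.5 dst=198.51.100.{i} dport=3127" for i in range(1, 26)] + \
               ["src=10.0.0.9 dst=203.0.113.7 dport=3127", "src=10.0.0.9 dst=203.0.113.8 dport=443"]

if __name__ == "__main__":
    print(host_indicators(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_MUTEXES))
    print(scanning_hosts(SAMPLE_CONNS))
```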

Payload Details

The worm launches a denial-of-service attack against www.microsoft.com starting on February 9th.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14