McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Mydoom.c (Lurhq)

• W32.HLLW.Doomjuice (Symantec)

• Worm.Win32.Doomjuice (AVP)

• WORM_DOOMJUICE.A (Trend)

Characteristics

-- Update 9th February, 2004--
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1522236,00.asp

Propagation
This worm attempts to spread to W32/Mydoom.a@MM and W32/Mydoom.b@MM infected systems, by entering in through the backdoor created by the Mydoom virus.  It does not spread via email.  Systems already infected with Mydoom are at risk.

When run, the virus copies itself to the WINDOWS SYSTEM directory as INTRENAT.EXE and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Gremlin" = C:\WINNT\System32\intrenat.exe

An archived copy of the source for W32/Mydoom is dropped to the root of the system drive, the WINDOWS directory and the WINDOWS SYSTEM directory:

• c:\sync-src-1.00.tbz
• c:\windows\sync-src-1.00.tbz
• c:\windows\system32\sync-src-1.00.tbz

The worm scans random IP addresses, attempting to connect to TCP port 3127 and instructing systems to run the virus.

Denial of Service Payload
The virus contains a payload to attack www.microsoft.com by sending a large number of GET requests to responding servers.  The attack starts on the 9th of February and after.  If the date time is between 1st and 11th, the worm will wait for 2-6 minutes before the attack.  If the date time is after 11th, the worm will launch the attack without the time delay.

Symptoms

Presence of the files sync-src-1.00.tbz and intrenat.exe

Method of Infection

Doomjuice does not spread via email.  This virus spreads by exploiting already compromised systems.  Systems infected with W32/Mydoom.a@MM  or W32/Mydoom.b@MM are vulnerable to W32/Doomjuice.worm.a.

Removal

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Mydoom.c (Lurhq)

• W32.HLLW.Doomjuice (Symantec)

• Worm.Win32.Doomjuice (AVP)

• WORM_DOOMJUICE.A (Trend)

Characteristics

Characteristics -

-- Update 9th February, 2004--
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1522236,00.asp

Propagation
This worm attempts to spread to W32/Mydoom.a@MM and W32/Mydoom.b@MM infected systems, by entering in through the backdoor created by the Mydoom virus.  It does not spread via email.  Systems already infected with Mydoom are at risk.

When run, the virus copies itself to the WINDOWS SYSTEM directory as INTRENAT.EXE and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Gremlin" = C:\WINNT\System32\intrenat.exe

An archived copy of the source for W32/Mydoom is dropped to the root of the system drive, the WINDOWS directory and the WINDOWS SYSTEM directory:

• c:\sync-src-1.00.tbz
• c:\windows\sync-src-1.00.tbz
• c:\windows\system32\sync-src-1.00.tbz

The worm scans random IP addresses, attempting to connect to TCP port 3127 and instructing systems to run the virus.

Denial of Service Payload
The virus contains a payload to attack www.microsoft.com by sending a large number of GET requests to responding servers.  The attack starts on the 9th of February and after.  If the date time is between 1st and 11th, the worm will wait for 2-6 minutes before the attack.  If the date time is after 11th, the worm will launch the attack without the time delay.

Symptoms

Symptoms -

Presence of the files sync-src-1.00.tbz and intrenat.exe

Method of Infection

Method of Infection -

Doomjuice does not spread via email.  This virus spreads by exploiting already compromised systems.  Systems infected with W32/Mydoom.a@MM  or W32/Mydoom.b@MM are vulnerable to W32/Doomjuice.worm.a.

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A