W32/Doomjuice.worm.b

Type: Virus
SubType: Internet Worm
Discovery Date: 02/10/2004
Length: 5,120 bytes
Minimum DAT: 4323 (02/11/2004)
Updated DAT: 4371 (06/30/2004)
Minimum Engine: 5.1.00
Description Added: 02/11/2004
Description Modified: 02/12/2004 8:53 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update 12 February 2004 --
This threat is considered a Low-Profiled risk due to media attention at: http://www.ecommercetimes.com/perl/story/32842.html

Propagation
This worm spreads only to systems already infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM, entering through the backdoor those worms install. It does not spread via email, so a system that does not carry the Mydoom backdoor is not reachable by it; any system still infected with Mydoom is at risk.

When run, the worm copies itself to the Windows system directory as REGEDIT.EXE and adds a Run value so that it is loaded at every system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "NeroCheck" = C:\WINNT\System32\regedit.exe

The path shown is the Windows NT/2000 default; on other versions the system directory differs (for example C:\WINDOWS\System32). Note that the genuine Registry Editor on these Windows versions is %WINDIR%\regedit.exe, not a file in System32, and the worm's copy is 5,120 bytes long, which distinguishes it from the real program.

The worm scans the local networks and randomly chosen class C (/24) ranges. Each random range is built from a first octet taken from a hardcoded list of class A networks followed by two randomly generated octets; the worm then tries every address from .0 to .255 in that range, attempting to connect to TCP port 3127 (the Mydoom backdoor) and, where the backdoor answers, instructing the host to run a copy of the worm.
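The scanning behaviour described above leaves a characteristic trace: one source opening TCP/3127 toward every address of whole /24 ranges, and, where a Mydoom backdoor is listening, a completed handshake on that port. The following Python script is an added example (not part of the original description or of any McAfee tool) that runs such a detection over constructed connection records. The record format, the host addresses and the threshold are assumptions chosen for illustration.

```python
"""Spot Doomjuice-style sweeps of the Mydoom backdoor port in connection logs.

Added example with constructed data. Assumed record format (one per line):
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <state>
where state is SYN (connection attempt only) or EST (handshake completed).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

MYDOOM_BACKDOOR_PORT = 3127  # port Doomjuice.b probes, per the description


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str


def parse_flows(text):
    """Parse the assumed whitespace-separated record format; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, state = line.split()
        flows.append(Flow(ts, src, dst, proto, int(dport), state))
    return flows


def find_scanners(flows, min_hosts=64):
    """Sources that probed TCP/3127 on at least min_hosts distinct addresses.

    Returns {src: {"hosts": distinct targets, "subnets": /24s touched}}. The
    per-/24 breakdown makes the .0-.255 sweep visible; a single admin probe
    of one host stays well below the threshold.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == MYDOOM_BACKDOOR_PORT:
            targets[f.src].add(f.dst)
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_hosts:
            subnets = sorted({str(ipaddress.ip_network(d + "/24", strict=False))
                              for d in dsts})
            result[src] = {"hosts": len(dsts), "subnets": subnets}
    return result


def find_backdoor_hosts(flows):
    """Destinations that completed a TCP/3127 handshake: something is listening
    on the Mydoom backdoor port there, so those hosts need cleaning too."""
    return sorted({f.dst for f in flows
                   if f.proto == "tcp" and f.dport == MYDOOM_BACKDOOR_PORT
                   and f.state == "EST"})


def build_sample():
    """Constructed records: one scanner sweeping two /24s, one responding victim,
    one normal web connection and one isolated probe that must not be flagged."""
    lines = []
    for net in ("24.7.9", "24.7.55"):
        for host in range(256):
            lines.append(f"2004-02-10T10:00:00 10.1.2.3 {net}.{host} tcp 3127 SYN")
    lines.append("2004-02-10T10:00:01 10.1.2.3 24.7.9.17 tcp 3127 EST")
    lines.append("2004-02-10T10:00:02 10.1.2.3 24.7.9.17 tcp 80 EST")
    lines.append("2004-02-10T10:00:03 10.1.2.50 24.7.9.17 tcp 3127 SYN")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", find_scanners(flows))
    print("hosts answering on 3127:", find_backdoor_hosts(flows))
```

In practice the threshold should be tuned to the vantage point: at a perimeter sensor a handful of distinct /24s on port 3127 from one internal source is already conclusive, since nothing legitimate sweeps that port.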

Denial of Service Payload
The worm carries a denial-of-service payload against www.microsoft.com: it sends a large number of HTTP GET requests to whichever of the site's servers respond.

Symptoms

Presence of the file and registry value described above. Unusual network traffic, in particular outbound connection attempts to TCP port 3127 across many addresses and a large volume of HTTP GET requests toward www.microsoft.com.
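To check the host-side symptom, the Run value listed above, the Python script below parses a registry export of the Run key and flags entries that launch a regedit.exe from a System32 directory. This is an added example, not code from the original description; the export text is constructed for illustration. It looks at the value's data rather than its name because "NeroCheck" is also the name of a legitimate startup entry installed by Nero Burning ROM, which points at NeroCheck.exe and must not be mistaken for the worm.

```python
"""Find the Doomjuice.b startup entry in a .reg export of the Run key.

Added example with constructed input. Export the key first, e.g.
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
then run this script over the file's contents.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote)
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor' exports.

    Returns {key_path: {value_name: string_data}}; only REG_SZ values are kept,
    which is all the Run key normally holds.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_doomjuice_entries(reg):
    """Run values whose command is a regedit.exe located in a System32 directory.

    The genuine Registry Editor lives in %WINDIR%, so a regedit.exe under
    System32 started from the Run key matches the worm's install described
    above. Confirm on disk with the file size (5,120 bytes) before deleting.
    """
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        path = data.strip().strip('"')
        parts = path.lower().replace("/", "\\").split("\\")
        if len(parts) >= 2 and parts[-1] == "regedit.exe" and parts[-2] == "system32":
            hits.append((name, path))
    return hits


# Constructed export of an infected machine (Windows 2000 paths as on the page).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroCheck"="C:\\WINNT\\System32\\regedit.exe"
"""

# Constructed export of a clean machine with Nero's legitimate entry.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"""

if __name__ == "__main__":
    print("infected:", find_doomjuice_entries(parse_reg_export(INFECTED_EXPORT)))
    print("clean:", find_doomjuice_entries(parse_reg_export(CLEAN_EXPORT)))
```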

Method of Infection

This worm spreads by exploiting already compromised systems: those infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM are vulnerable to W32/Doomjuice.worm.b.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations: System Restore on these versions can keep a copy of the worm inside a restore point, from which it may be reintroduced; disable System Restore before cleaning and re-enable it afterwards.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
