New worm exploits vulnerabilities of computers infected by W32/Mydoom.A@mm
A new worm emerged on 9 February 2004 that targets Windows machines infected with the recent W32/Mydoom.A@mm worm and taking advantage of vulnerabilities caused by this previous infection. This new worm has been named W32/Doomjuice.A by FRISK Software's virus analysts.
As this worm only targets computers that have been infected by Mydoom.A and significant precautions have been made against such infections by most larger networks, then Doomjuice.A is not considered to be a high level threat.
Doomjuice.A does not infect via e-mail but scans random Internet addresses for computers that have had backdoors installed by Mydoom.A. It searches for computers on which TCP port 3127 is open and sends itself to these computers, copying itself to the Windows directory as intrenat.exe.
The connection between Doomjuice.A and the Mydoom.A attacks in recent weeks is, however, not limited to the exploitation of these vulnerabilities. Doomjuice.A contains the source code for Mydoom.A and drops it on the hard drives of infected computers. It has been speculated that the inclusion of this payload in Doomjuice.A is an attempt by the writers to spread the evidence, so to speak, since the posession of the original source code of Mydoom.A now less convincing evidence of responsibility for the recent Mydoom attacks than otherwise.
Doomjuice.A is programmed to execute a DDoS attack against Microsoft's web site (www.microsoft.com) with infected computers repeatedly requesting the site's front page with the intention of overloading it and rendering it inoperable. The worm was programmed to start these attacks after 8 February and continue indefinitely, as Doomjuice.A does not have a pre-programmed expiration date.
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
The latest versions of F-Prot Antivirus detect W32/Doomjuice.A using virus signature files dated 9 February 2004 or later.