Doomjuice saga continues - Version b enforces the attack on Microsoft
Kaspersky Labs, a leading information security software developer, has
detected a second version of the Internet worm Doomjuice - Doomjuice.b.
It propagates using the same methods as the original version
(http://www.viruslist.com/eng/alert.html?id=930701). Both worms scan the
Internet for computers infected either by Mydoom.a or Mydoom.b.
Doomjuice uses port 3127, breached earlier by Mydoom, to install copies
of itself which the Trojan component of Mydoom then launches.
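
A defender's view of the propagation described above, as an added example that is not part of the Kaspersky release: it reads connection-log lines and reports sources probing TCP port 3127 on several hosts, plus hosts that accepted such a connection and should be checked for Mydoom. The log format, the addresses and the scan threshold are constructed assumptions.

```python
from collections import defaultdict

MYDOOM_PORT = 3127   # port the release names as left open by Mydoom
SCAN_THRESHOLD = 3   # assumption: distinct targets before a source is called a scanner

# Constructed sample log, format "<time> <action> <src> <dst> <dst_port>"
SAMPLE_LOG = """\
2004-02-10T09:00:01 DENY 203.0.113.7 192.0.2.10 3127
2004-02-10T09:00:01 DENY 203.0.113.7 192.0.2.11 3127
2004-02-10T09:00:02 ALLOW 203.0.113.7 192.0.2.12 3127
2004-02-10T09:00:02 DENY 203.0.113.7 192.0.2.13 3127
2004-02-10T09:00:05 ALLOW 198.51.100.4 192.0.2.10 80
2004-02-10T09:00:09 DENY 198.51.100.9 192.0.2.11 3127
malformed line
"""

def analyse(log_text, port=MYDOOM_PORT, threshold=SCAN_THRESHOLD):
    """Return (scanners, exposed_hosts) for connections to `port`.

    scanners: source -> sorted targets, for sources that tried the port on at
              least `threshold` distinct hosts (the scanning the release describes).
    exposed_hosts: hosts where a connection to the port was allowed through;
              candidates for a Mydoom infection check, not proof of one.
    """
    targets_by_src = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip lines that do not match the assumed format
        _, action, src, dst, dport = fields
        if int(dport) != port:
            continue
        targets_by_src[src].add(dst)
        if action == "ALLOW":
            exposed.add(dst)
    scanners = {src: sorted(dsts) for src, dsts in targets_by_src.items()
                if len(dsts) >= threshold}
    return scanners, sorted(exposed)

if __name__ == "__main__":
    scanners, exposed = analyse(SAMPLE_LOG)
    for src, dsts in scanners.items():
        print(f"scanner {src}: tried port {MYDOOM_PORT} on {len(dsts)} hosts")
    for host in exposed:
        print(f"check for Mydoom: {host} accepted a connection on port {MYDOOM_PORT}")
```
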
However, Doomjuice.b differs from the previous version. Doomjuice.b has
been created solely to conduct a DoS attack on the Microsoft site. The
worm first copies itself into the Windows directory under the name
regedit.exe and then registers this file in the system registry auto-run
key. Once installation is complete, Doomjuice checks the system date.
The DoS attack will be launched in any month of any year except January,
excluding dates between the 8th and 12th of the month. If the system
date meets these requirements, Doomjuice sends multiple GET requests to
port 80 on www.microsoft.com.
The author of Doomjuice.b uses a server request technique unique among
viruses of this type: the worm's request mimics the text of an Internet
Explorer request. As a result, requests from infected computers may not be
blocked, as this technique makes it impossible to distinguish between
valid requests and ones generated by Doomjuice.b. This feature
potentially increases the destructive capabilities of the worm. If
Doomjuice.b becomes widespread, Microsoft may need to implement some of
the security measures intended for such eventualities.
Kaspersky Labs has already updated the anti-virus database with
protection against Doomjuice.b. A detailed description of the worm is
available in the Kaspersky Virus Encyclopedia.
Kaspersky Labs Corporate Communications
10, Geroyev Panfilovtsev St, Moscow,
Tel.: +7 095 948 56 50; Fax: +7 095 948 43 31