Details
Worm.Win32.Doomjuice.b
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.
Installation
On launching, the worm copies itself to the Windows system directory under the name regedit.exe and registers this file in the system registry auto-run key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroCheck = %system%\regedit.exe
The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
To determine which IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3
4
6
8
9
11
12
13
14
15
16
17
18
19
20
21
22
24
25
26
28
29
30
32
33
34
35
38
40
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
61
62
63
64
65
66
67
68
80
81
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
193
194
195
196
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm checks the system date, and if the current date is between the 8th and the 12th of the month, the DoS attack function will not be launched. The worm will not launch any DoS attack in January. However, in all other months and on all other dates the worm will launch a DoS attack on the www.microsoft.com site. To carry out the DoS attack, the worm sends multiple GET commands with the following parameters:
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us or Accept-Language: en
Accept-Encoding: gzip, deflate or blank
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) or
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) or
User-Agent: Mozilla/4.0
Host: www.microsoft.com:80
Related Posts
Worm.Win32.DoomjuiceIM-Worm.Win32.Bropia.aEmail-Worm.Win32.Bagle.cWorm.Win32.VB.aEmail-Worm.Win32.Sober
This entry was posted
on Monday, August 25th, 2008 at 7:50 pm and is filed under Virus Threats.
Details
Worm.Win32.Doomjuice.a
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate. It is approximately 35KB in size, compressed using UPX. The size of the decompressed file is approximately 43 KB.
Installation
On launching, the worm copies itself to the Windows system directory under the name intrenat.exe and registers this file in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gremlin” = “%system%\intrenat.exe”
The worm extracts a file named sync-src-1.00.tbz from itself, and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings.
This file is a tar archive which contains the full source text of I-Worm.Mydoom.a
The worm creates the unique identifier sync-Z-mtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
In order to choose IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3
4
6
8
9
11
12
13
14
15
16
17
18
19
20
21
22
24
25
26
28
29
30
32
33
34
35
38
40
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
61
62
63
64
65
66
67
68
80
81
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
193
194
195
196
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm determines the system date, and if the date is between the 1st and the 11th of the month, the worm carries out a modified DoS attack on the site www.microsoft.com. One GET command will be sent to port 80, and then repeated at random intervals. If the date is the 12th of the month or later, the commands will be sent without a break.
Related Posts
Worm.Win32.DoomjuiceIM-Worm.Win32.Bropia.aEmail-Worm.Win32.Bagle.cWorm.Win32.VB.aEmail-Worm.Win32.Sober
This entry was posted
on Monday, August 25th, 2008 at 3:50 pm and is filed under Virus Threats.