A Front Row Seat to a Major Attack

By Jay Munro  |  Posted 2004-02-10

MessageLabs not only saw one of the first instances of MyDoom, but has the incredible visual to prove it. Plus:
Latest Word on New DoomJuice Virus

Breaking Virus News

On February 9th, several antivirus vendors reported the appearance of DoomJuice.A, also known as W32.HLLW.DoomJuice.A, WORM_DoomJuice.A, and Win32/DoomJuice-A. Apparently the work of the author of MyDoom.A, DoomJuice.A spreads by exploiting the backdoor on MyDoom.A-infected machines. Once installed on the victim's machine, it launches a DoS attack on www.microsoft.com. The worm propagates by randomly generating IP addresses and contacting computers at those addresses through port 3127, which was opened by MyDoom.A. When it infects a machine, it makes a copy of itself in the Windows System folder (%system%) called "intrenat.exe". DoomJuice.A also creates a Registry key value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = %system%\intrenat.exe

so that it runs when the computer is booted. At press time, there are few reports of the virus in the wild, and Microsoft.com appears not to have been affected. Since it does not propagate by mail, it is only a threat to computers that are currently infected by MyDoom.A.
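
The indicators named above (the Gremlin Run value, the intrenat.exe copy, and a listener on port 3127) can be checked against output collected from a host. The Python below is an added example, not part of the original article; the `reg query` and `netstat -an` samples are constructed, and the function names are hypothetical.

```python
import re

# Indicators named in the article.
RUN_VALUE = "gremlin"          # Run value name created by DoomJuice.A
DROPPED_FILE = "intrenat.exe"  # copy dropped in %system%
BACKDOOR_PORT = "3127"         # port opened by MyDoom.A

# Constructed sample: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Gremlin    REG_SZ    C:\WINDOWS\system32\intrenat.exe
"""

# Constructed sample: `netstat -an`
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:31270         10.0.0.9:445           ESTABLISHED
"""

ENTRY = re.compile(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$")
FILE = re.compile(r'(?:^|[\\/"\s])' + re.escape(DROPPED_FILE) + r"(?![\w.])", re.I)

def run_key_hits(reg_output):
    """Return (name, data) Run entries matching the value name or dropped file."""
    hits = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if m and (m.group(1).lower() == RUN_VALUE or FILE.search(m.group(2))):
            hits.append((m.group(1), m.group(2).strip()))
    return hits

def backdoor_listeners(netstat_output):
    """Return local TCP endpoints in LISTENING state on the backdoor port."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        # Compare the port exactly so 31270 is not mistaken for 3127.
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING" \
                and f[1].rsplit(":", 1)[-1] == BACKDOOR_PORT:
            hits.append(f[1])
    return hits

def triage(reg_output, netstat_output):
    return {"run_key": run_key_hits(reg_output),
            "backdoor_port": backdoor_listeners(netstat_output)}

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT))
```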
