New Doomjuice Variants Prepping Attacks

 
 
By Dennis Fisher  |  Posted 2004-02-11 Print this article Print
 
 
 
 
 
 
 

Doomjuice.B and.C surfaced on Wednesday and are preparing for a denial-of-service attack on Friday, security experts advised

Every day in the security world brings something unexpected, and the appearance Wednesday of Doomjuice.B certainly fits that bill. The worm is a variant of Doomjuice.A, which first appeared Monday and is a variant of MyDoom.A. Experts said the new worm one of the few known cases of a variant threat spawning a variant. Like Doomjuice.B attacks machines that already have been infected by either MyDoom.A or MyDoom.B. The worm looks for Windows machines listening on TCP Port 3127, which is used by the backdoor installed by MyDoom.A. Once it finds such a machine, Doomjuice.B loads a copy of itself on the new machine in a file named "regedit.exe" and also copies itself into the Windows registry. Doomjuice.B also contains the familiar code that instructs infected machines to launch a distributed denial-of-service attack on Microsoft Corp.s main Web site. Analysts who have looked at the code said that the new variant eliminates some of the coding errors that prevented previous DDoS attempts from really materializing.
How did MyDoom.A gain such a foothold in the enterprise? Read more here about the failures of antivirus education and the slow response of security vendors.
The code dictates that machines will start attacks against the Microsoft site if the month is not January and the date is not between the eighth and the twelfth. This logic suggests that the attack should begin Friday, according to an analysis by Computer Associates International Inc., based in Islandia, N.Y. There are also signs that attackers are hijacking PCs infected with one of the MyDoom worms and using them for other attacks, according to Ken Dunham, director of malicious code at iDefense Inc., based in Reston, Va. The machines also are being used to relay spam, Dunham said. In addition to Doomjuice.B, antivirus researchers have identified a fourth variant of MyDoom, known as MyDoom.D. The worm appears to be a close relative of the first MyDoom. Check out eWEEK.coms Security Center at security.eweek.com for security news, views and analysis.
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel