New Doomjuice Variants Prepping Attacks
Doomjuice.B and.C surfaced on Wednesday and are preparing for a denial-of-service attack on Friday, security experts advisedEvery day in the security world brings something unexpected, and the appearance Wednesday of Doomjuice.B certainly fits that bill. The worm is a variant of Doomjuice.A, which first appeared Monday and is a variant of MyDoom.A. Experts said the new worm one of the few known cases of a variant threat spawning a variant. Like Doomjuice.B attacks machines that already have been infected by either MyDoom.A or MyDoom.B. The worm looks for Windows machines listening on TCP Port 3127, which is used by the backdoor installed by MyDoom.A. Once it finds such a machine, Doomjuice.B loads a copy of itself on the new machine in a file named "regedit.exe" and also copies itself into the Windows registry. Doomjuice.B also contains the familiar code that instructs infected machines to launch a distributed denial-of-service attack on Microsoft Corp.s main Web site. Analysts who have looked at the code said that the new variant eliminates some of the coding errors that prevented previous DDoS attempts from really materializing.
How did MyDoom.A gain such a foothold in the enterprise? Read more here about the failures of antivirus education and the slow response of security vendors.