Breaking Virus News
On February 9th, several antivirus vendors reported the appearance of DoomJuice.A, also known as W32.HLLW.DoomJuice.A, WORM_DoomJuice.A, and Win32/DoomJuice-A. Apparently the work of the author of MyDoom.A, DoomJuice.A spreads by exploiting the backdoor on MyDoom.A-infected machines. Once installed on the victim's machine, it launches a DoS attack on www.microsoft.com. The worm propagates by randomly generating IP addresses and contacting computers at those addresses through port 3127, which was opened by MyDoom.A. When it infects a machine, it makes a copy of itself in the Windows System folder (%system%) called “intrenat.exe”. DoomJuice.A also creates a Registry key value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = %system%\intrenat.exe
so that it runs when the computer is booted. At press time, there are few reports of the virus in the wild, and Microsoft.com appears not to have been affected. Since it does not propagate by mail, it is only a threat to computers that are currently infected by MyDoom.A.
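The propagation pattern described above can be looked for in firewall or connection logs. The following is an added example, not part of the original article: it flags internal hosts that probe many distinct addresses on port 3127 (the DoomJuice.A scanning behaviour) and internal hosts that accept connections on that port (a likely MyDoom.A backdoor). The log format, the internal address range and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

BACKDOOR_PORT = 3127   # TCP port opened by MyDoom.A, per the article
SCAN_THRESHOLD = 5     # assumption: distinct targets before a source is flagged
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal range

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2004-02-09T10:00:01 10.1.1.20 198.51.100.7 3127 DENY
2004-02-09T10:00:01 10.1.1.20 192.0.2.44 3127 DENY
2004-02-09T10:00:02 10.1.1.20 203.0.113.90 3127 DENY
2004-02-09T10:00:02 10.1.1.20 198.51.100.201 3127 DENY
2004-02-09T10:00:03 10.1.1.20 192.0.2.150 3127 DENY
2004-02-09T10:00:03 10.1.1.20 203.0.113.12 3127 DENY
2004-02-09T10:00:04 10.1.1.30 198.51.100.7 80 ALLOW
2004-02-09T10:00:05 10.1.1.30 192.0.2.8 3127 DENY
2004-02-09T10:00:06 203.0.113.9 10.1.1.40 3127 ALLOW
2004-02-09T10:00:07 truncated-record
"""

def parse(line):
    """Split one record; raises ValueError on a malformed line."""
    ts, src, dst, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action

def analyze(log_text, threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)  # internal source -> distinct hosts probed on 3127
    exposed = set()             # internal hosts that accepted a connection on 3127
    for line in log_text.splitlines():
        try:
            _, src, dst, port, action = parse(line)
        except ValueError:
            continue  # skip blank or malformed records
        if port != BACKDOOR_PORT:
            continue
        if src in INTERNAL_NET:
            targets[src].add(dst)
        if dst in INTERNAL_NET and action == "ALLOW":
            exposed.add(dst)
    scanners = sorted(str(s) for s, t in targets.items() if len(t) >= threshold)
    return {"scanners": scanners, "backdoor_exposed": sorted(str(h) for h in exposed)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Hosts reported under either key are candidates for the on-host checks the article names: the `intrenat.exe` file in the System folder and the `Gremlin` value under the Run key.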
A Front Row Seat to a Major Attack