Every day in the security world brings something unexpected, and the appearance Wednesday of Doomjuice.B certainly fits that bill. The worm is a variant of Doomjuice.A, which first appeared Monday and is a variant of MyDoom.A. Experts said the new worm one of the few known cases of a variant threat spawning a variant.
Like Doomjuice.B attacks machines that already have been infected by either MyDoom.A or MyDoom.B. The worm looks for Windows machines listening on TCP Port 3127, which is used by the backdoor installed by MyDoom.A. Once it finds such a machine, Doomjuice.B loads a copy of itself on the new machine in a file named “regedit.exe” and also copies itself into the Windows registry.
Doomjuice.B also contains the familiar code that instructs infected machines to launch a distributed denial-of-service attack on Microsoft Corp.s main Web site. Analysts who have looked at the code said that the new variant eliminates some of the coding errors that prevented previous DDoS attempts from really materializing.
The code dictates that machines will start attacks against the Microsoft site if the month is not January and the date is not between the eighth and the twelfth. This logic suggests that the attack should begin Friday, according to an analysis by Computer Associates International Inc., based in Islandia, N.Y.
There are also signs that attackers are hijacking PCs infected with one of the MyDoom worms and using them for other attacks, according to Ken Dunham, director of malicious code at iDefense Inc., based in Reston, Va. The machines also are being used to relay spam, Dunham said.
In addition to Doomjuice.B, antivirus researchers have identified a fourth variant of MyDoom, known as MyDoom.D. The worm appears to be a close relative of the first MyDoom.