Virus Profile: W32/Doomjuice.worm.a

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/9/2004
Date Added: 2/9/2004
Origin: Unknown
Length: 36,864 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4323

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the files sync-src-1.00.tbz and intrenat.exe.

Methods of Infection

Doomjuice does not spread via email. This worm spreads by exploiting already compromised systems: systems infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM are vulnerable to W32/Doomjuice.worm.a.

Aliases

Mydoom.c (Lurhq), W32.HLLW.Doomjuice (Symantec), Worm.Win32.Doomjuice (AVP), WORM_DOOMJUICE.A (Trend)

Virus Characteristics

-- Update 9th February, 2004--
This threat is considered to be a Low-Profiled risk due to media attention at: https://www.eweek.com/article2/0,4149,1522236,00.asp

Propagation
This worm attempts to spread to systems infected with W32/Mydoom.a@MM and W32/Mydoom.b@MM by entering through the backdoor that the Mydoom virus created. It does not spread via email. Only systems already infected with Mydoom are at risk.

When run, the virus copies itself to the WINDOWS SYSTEM directory as INTRENAT.EXE and creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Gremlin" = C:\WINNT\System32\intrenat.exe

An archived copy of the source for W32/Mydoom is dropped to the root of the system drive, the WINDOWS directory and the WINDOWS SYSTEM directory:

  • c:\sync-src-1.00.tbz
  • c:\windows\sync-src-1.00.tbz
  • c:\windows\system32\sync-src-1.00.tbz

The worm scans random IP addresses, attempting to connect to TCP port 3127 (the Mydoom backdoor) and instructing responding systems to run the worm.
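A defender-side check built from the indicators in this profile (an added example, not part of the McAfee profile): it parses constructed firewall log lines of the form "time source destination destination-port" to flag internal hosts fanning out to many addresses on TCP port 3127, and cross-checks a host's file names and Run-key value names against the file and registry indicators listed here. The log format and the sample addresses are assumptions.

```python
"""Flag hosts whose outbound connections match Doomjuice's TCP/3127
scanning, and match host artefacts against the profile's indicators."""
import re
from collections import defaultdict

# Constructed sample firewall lines (not real logs): time src dst dport
SAMPLE_LOG = """\
10:00:01 10.0.0.5 203.0.113.10 3127
10:00:01 10.0.0.5 198.51.100.77 3127
10:00:02 10.0.0.5 192.0.2.9 3127
10:00:02 10.0.0.5 203.0.113.200 3127
10:00:03 10.0.0.5 198.51.100.3 3127
10:00:03 10.0.0.7 192.0.2.50 443
10:00:04 10.0.0.7 192.0.2.50 80
10:00:05 10.0.0.9 203.0.113.1 3127
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Indicators taken from the profile: backdoor port, dropped files,
# and the value name of the registry Run key the worm creates.
MYDOOM_BACKDOOR_PORT = 3127
DOOMJUICE_FILES = {"intrenat.exe", "sync-src-1.00.tbz"}
DOOMJUICE_RUN_VALUE = "Gremlin"


def parse(log_text):
    """Yield (time, src, dst, dport) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield ts, src, dst, int(dport)


def scanning_hosts(log_text, min_targets=3):
    """Return sources that contacted at least min_targets distinct
    addresses on TCP/3127; a single connection is not treated as a scan."""
    targets = defaultdict(set)
    for _, src, dst, dport in parse(log_text):
        if dport == MYDOOM_BACKDOOR_PORT:
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


def host_indicators(file_names, run_values):
    """Cross-check file names and Run-key value names from a host
    inventory against the profile's indicators (case-insensitive files)."""
    hits = {n.lower() for n in file_names if n.lower() in DOOMJUICE_FILES}
    if DOOMJUICE_RUN_VALUE in run_values:
        hits.add("Run:" + DOOMJUICE_RUN_VALUE)
    return sorted(hits)
```

A host that appears in scanning_hosts is a candidate Doomjuice (and therefore Mydoom) infection; confirm it with host_indicators before cleaning with the recommended DAT.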

Denial of Service Payload
The worm contains a payload to attack www.microsoft.com by sending a large number of GET requests to responding servers. The attack starts on 9 February and continues thereafter. If the day of the month is between the 1st and the 11th, the worm waits 2-6 minutes before starting the attack; after the 11th it launches the attack without the delay.

Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
