Authors of Mydoom Worm Launched Yet Another Attack

A new network worm known as Doomjuice has been found. This worm is closely associated with the previous Mydoom worms. It infects Windows machines which are already infected by Mydoom.A. On such machines the worm will infect the computer totally automatically – the owner of the computer can be sleeping and still get Doomjuice to his computer. Doomjuice does not spread over email at all.

Doomjuice has launched a world-wide denial-of-service attack against www.microsoft.com – one of the largest websites in the world. Currently www.microsoft.com seems to be operational, but a disruption in service has been noted earlier during Monday the 9th of February.

Doomjuice spreads between computers that are already infected with the Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate machines with the backdoor open, Doomjuice scans random internet addresses. When it finds a machine that is infected by Mydoom.A, it sends itself over infecting it with Doomjuice too.

Doomjuice drops the original source code of the Mydoom.A worm in an archive to several folders of infected computers. “This proves to us that Doomjuice and Mydoom.A are written by the same people”, comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure. “The source code of Mydoom.A has not been seen circulating in the underground before.”

The motivation to distribute source seems to be simple. “The authors know the police is looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive – without knowing it”, says Hypponen.

The worm has been programmed to start a distributed denial-of-service attack against www.microsoft.com after the 8th of February, which is when the worm was probably distributed. The attacks will continue forever and will try to overload the website by repeatedly reloading the front page.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/doomjuice.shtml

F-Secure monitors the ongoing attacks against www.sco.com and www.microsoft.com by the Mydoom-related viruses in our Weblog: http://www.f-secure.com/weblog/