Doomjuice Saga Continues – Version B Enforces the Attack on Microsoft

Kaspersky Labs has detected a second version of the Internet worm Doomjuice – Doomjuice.b. It propagates using the same methods as the original version . Both worms scan the Internet for computers infected either by Mydoom.a or Mydoom.b. Doomjuice uses port 3127, breached earlier by Mydoom, to install copies of itself which the Trojan component of Mydoom then launches.

However, Doomjuice.b differs from the previous version. Doomjuice.b has been created solely to conduct a DoS attack on the Microsoft site. The worm first copies itself into the Windows directory under the name regedit.exe and then registers this file in the system registry auto-run key. Once installation is complete Doomjuice checks the system date. The DoS attack will be launched in any month of any year except January, excluding dates between the 8th and 12th of the month. If the system date meets these requirements, Doomjuice sends multiple GET requests to port 80 on www.microsoft.com.

The author of Doomjuice.b uses a server request technique unique for such virus type: the worm’s request mimics the Internet Explorer request text. As a result, requests from infected computers may not be blocked, as this technique makes it impossible to distinguish between valid requests and ones generated by Doomjuice.b. This feature potentially increases the destructive capabilities of the worm. If Doomjuice.b becomes wide-spread, Microsoft may need to implement some of the security measures intended for such eventualities.