Panda Software Reports the Appearance of Doomjuice.A

– It seems to have been created by the same author as the Mydoom family
– It is designed to spread like a network worm, which makes it extremely dangerous, as it cannot be detected or viewed by the user via e-mail, like other viruses can

While the infections caused by Mydoom.A are just starting to cool off, a new worm has appeared that exploits the damage caused by this worm: Doomjuice.A. Evidence suggests that the Mydoom attack is not going to end on February 12, the date on which it seemed that the worm would stop spreading. It is supposed that the same author has launched this new malicious code that cannot even be detected in e-mail, as it exploits the ports opened by Mydoom.A and Mydoom.B. This new virus behaves in a similar way to SQLSlammer, i.e., it is a network worm that exploits an open port in the same way as SQLSlammer exploited a server vulnerability.

The actions carried out by Doomjuice.A on the computers it infects include the following:

– In order to ensure that it is run, it creates the following entry in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run “Gremlin” intrenat.exe

– It generates a copy of itself in %system% called intrenat.exe (36,864 bytes).

– It creates a file called sync-src-1.00.tbz (28,569) in %Windows%, in %Temp%, in %System% and in the C: drive. This file is compressed and contains the source code of Mydoom.A.

– It launches a Denial of Service (DoS) attack against www.microsoft.com.

Evidence suggests that Doomjuice.A was created by the same author as Mydoom.A. Panda Software’s experts are currently studying this malicious code.

More information about Doomjuice.A , Mydoom.A.worm, Mydoom.B.worm and other malicious code from Panda Software’s Virus Encyclopedia.