Heather
Just got this.......but it only infects those computers ALREADY infected
with MyDoom.A.
Cheers....Hether

PRESS RELEASE
For release February 9, 2004

Authors of Mydoom worm launched yet another attack
New worm tries to lose the evidence

A new network worm known as Doomjuice has been found. This worm is
closely associated with the previous Mydoom worms. It infects Windows
machines which are already infected by Mydoom.A. On such machines the
worm will infect the computer totally automatically - the owner of the
computer can be sleeping and still get Doomjuice to his computer.
Doomjuice does not spread over email at all.

Doomjuice has launched a world-wide denial-of-service attack against
www.microsoft.com - one of the largest websites in the world. Currently
www.microsoft.com seems to be operational, but a disruption in service
has been noted earlier during Monday the 9th of February.

Doomjuice spreads between computers that are already infected with the
Mydoom.A worm. It uses the backdoor installed by Mydoom.A. To locate
machines with the backdoor open, Doomjuice scans random internet
addresses. When it finds a machine that is infected by Mydoom.A, it
sends itself over, infecting it with Doomjuice too.

Doomjuice drops the original source code of the Mydoom.A worm in an
archive to several folders of infected computers. "This proves to us
that Doomjuice and Mydoom.A are written by the same people", comments
Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "The source
code of Mydoom.A has not been seen circulating in the underground
before."

The motivation to distribute source seems to be simple. "The authors
know the police is looking for them. And the best evidence against them
would be the possession of the original source code of the virus. Before
the Doomjuice incident, only the authors of Mydoom.A had the original
source code. Now probably tens of thousands of people have it on their
hard drive - without knowing it", says Hypponen.

The worm has been programmed to start a distributed denial-of-service
attack against www.microsoft.com after the 8th of February, which is
when the worm was probably distributed. The attacks will continue
forever and will try to overload the website by repeatedly reloading the
front page.

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/doomjuice.shtml

F-Secure monitors the ongoing attacks against www.sco.com and
www.microsoft.com by the Mydoom-related viruses in our Weblog:
http://www.f-secure.com/weblog/

F-Secure Anti-Virus can detect and stop the Doomjuice and Mydoom worms.
F-Secure Anti-Virus can be downloaded from http://www.f-secure.com