New Computer Virus
Started in here as more people read this forum than Computer Related...
Madrid, February 9, 2004
While the infections caused by Mydoom.A are just starting to cool off, a new worm has appeared that exploits the damage caused by this worm: Doomjuice.A. Evidence suggests that the Mydoom attack is not going to end on February 12, the date on which it seemed that the worm would stop spreading. It is supposed that the same author has launched this new malicious code that cannot even be detected in e-mail, as it exploits the ports opened by Mydoom.A and Mydoom.B. This new virus behaves in a similar way to SQLSlammer, i.e., it is a network worm that exploits an open port in the same way as SQLSlammer exploited a server vulnerability.
The actions carried out by Doomjuice.A on the computers it infects
include the following:
- In order to ensure that it is run, it creates the following entry in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Gremlin" intrenat.exe
- It generates a copy of itself in %system% called intrenat.exe (36,864 bytes).
- It creates a file called sync-src-1.00.tbz (28,569) in %Windows%, in %Temp%, in %System% and in the C: drive. This file is compressed and contains the source code of Mydoom.A.
- It launches a Denial of Service (DoS) attack against www.microsoft.com.
Evidence suggests that Doomjuice.A was created by the same author as Mydoom.A. Panda Software's experts are currently studying this malicious code.
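A defensive check for the indicators listed in the post above, added here as an example; it is not part of the original post or of Panda Software's advisory. It assumes the Run key has been dumped with `reg query` and that a file listing with sizes is available; the function names and the sample data are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators as stated in the advisory quoted in the post.
RUN_VALUE, RUN_DATA = "gremlin", "intrenat.exe"
FILE_SIZES = {"intrenat.exe": 36864, "sync-src-1.00.tbz": 28569}

# Constructed sample: `reg query` output for the Run key of a suspect host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Gremlin    REG_SZ    intrenat.exe
"""
# Constructed sample: (path, size in bytes) pairs from a file listing.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\intrenat.exe", 36864),
    (r"C:\WINDOWS\Temp\sync-src-1.00.tbz", 4096),  # right name, wrong size
    (r"C:\WINDOWS\notepad.exe", 36864),            # right size, wrong name
]

def parse_reg_query(text):
    """Parse `reg query <key>` output into {lowercased value name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if m:
            values[m.group(1).strip().lower()] = m.group(2).strip()
    return values

def find_indicators(reg_text, files):
    """Return (kind, detail, strength) tuples for each indicator seen."""
    findings = []
    data = parse_reg_query(reg_text).get(RUN_VALUE)
    if data is not None:
        exe = PureWindowsPath(data.strip('"')).name.lower()
        strength = "match" if exe == RUN_DATA else "name-only"
        findings.append(("run-key", f"Gremlin={data}", strength))
    for path, size in files:
        name = PureWindowsPath(path).name.lower()
        if name in FILE_SIZES:  # a size mismatch is reported as a weaker hit
            strength = "match" if size == FILE_SIZES[name] else "name-only"
            findings.append(("file", path, strength))
    return findings

if __name__ == "__main__":
    for kind, detail, strength in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"{strength:9} {kind:8} {detail}")
```

A "name-only" result means the name fits the advisory but the size or data does not, so it needs a manual look rather than being treated as confirmed.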