Virus Database

Worm.Win32.Doomjuice.b

Description Worm.Win32.Doomjuice.b
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.
Installation
On launching, the worm copies itself to the Windows system directory under the name regedit.exe and registers this file in the system registry auto-run key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
NeroCheck = %system% egedit.exe
The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
To determine which IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3
4
6
8
9
11
12
13
14
15
16
17
18
19
20
21
22
24
25
26
28
29
30
32
33
34
35
38
40
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
61
62
63
64
65
66
67
68
80
81
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
193
194
195
196
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239

The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm checks the system date, and if the current date is between the 8th and the 12th of the month, the DoS attack function will not be launched. The worm will not launch any DoS attack in January. However, in all other months and on all other dates the worm will launch a DoS attack on the www.microsoft.com site. To carry out the DoS attack, the worm sends multiple GET commands with the following parameters:
GET / HTTP/1.1
Accept: */*

Accept-Language: en-us or Accept-Language: en

Accept-Encoding: gzip, deflate or blank

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) or
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) or
User-Agent: Mozilla/4.0

Host: www.microsoft.com:80

Check other viruses! Be aware! Use Antiviral Software

Edwin

Description Edwin

It is a dangerous memory resident boot virus. It hooks INT 13h and writes itself to boot sectors of the floppy and the C: drives. After infecting 63 disks the virus halts the system. The virus contains the ID-word:
JB

EE

Description EE

It's a not dangerous memory resident virus. On loading from infected floppy it infects MBR of hard drive, then it hooks INT 1Ch, waits for DOS loading, then hooks INT 21h and infects floppies on DOS functions SELECT DISK and KEYBOARD INPUT calls (INT 21h, ah=0Eh,0Ah). Depending on current time it displays the 'î' character (ASCII EEh).

Home