The Win32/Doomjuice.A worm arrives as a file 36 kB in size, compressed with the UPX utility. Decompressed, it is 42 kB in size.

Note: In what follows the %windir% string stands for the actual name of the Windows installation directory, which may differ from one computer to another. The System or System32 subdirectory located in %windir% is referred to as %system%.

Upon activation it creates a mutex object named sync-Z-mtx_133. If the worm finds another copy of itself already running on the infected computer, it terminates. The worm copies itself into the %windir% directory as the file intrenat.exe. If it is unable to copy itself into %windir%, it creates its copy in the %temp% directory instead.

The worm modifies the following system Registry key:

HKLM\Software\Microsoft\CurrentVersion\Run or HKCU\Software\Microsoft\CurrentVersion\Run

There it creates a new key named Gremlin.

The worm spreads solely through the backdoor installed by the MyDoom.A worm. It uses a random IP address generator to find potential victims and attempts to connect to port 3127. If the contacted computer is infected with MyDoom.A, Win32/Doomjuice.A copies itself onto that computer. It does not interfere with the activity of the MyDoom.A worm on the infected computer.
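The propagation just described leaves a network-visible trace: one host opening connections to many unrelated addresses on TCP/3127 in a short time. The following is an added example, not part of this description, that flags such hosts in constructed firewall log lines; the log format is an assumed, simplified one, not any real product's.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified firewall log format.
SAMPLE_LOG = """\
2004-02-09T10:00:01 ALLOW TCP 10.0.0.5:1031 -> 203.0.113.7:3127
2004-02-09T10:00:01 ALLOW TCP 10.0.0.5:1032 -> 198.51.100.22:3127
2004-02-09T10:00:02 DENY  TCP 10.0.0.5:1033 -> 192.0.2.9:3127
2004-02-09T10:00:02 ALLOW TCP 10.0.0.5:1034 -> 203.0.113.88:3127
2004-02-09T10:00:03 ALLOW TCP 10.0.0.5:1035 -> 198.51.100.3:3127
2004-02-09T10:00:03 ALLOW TCP 10.0.0.5:1036 -> 192.0.2.140:3127
2004-02-09T10:00:05 ALLOW TCP 10.0.0.9:2001 -> 203.0.113.50:80
2004-02-09T10:00:06 ALLOW TCP 10.0.0.9:2002 -> 198.51.100.60:3127
this line is not a connection record
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(?:ALLOW|DENY)\s+TCP\s+"
    r"(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_scanners(lines, threshold=5, window_seconds=60):
    """Map each source that reached >= threshold distinct hosts on TCP/3127 within any
    window_seconds span to its largest such count. Denied attempts count too."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] == 3127:              # MyDoom.A backdoor port probed by Doomjuice.A
            per_src[ev[1]].append((ev[0], ev[2]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        seen, left, best = Counter(), 0, 0  # seen: destinations inside the current window
        for ts, dst in events:
            seen[dst] += 1
            while ts - events[left][0] > window:   # drop events older than the window
                seen[events[left][1]] -= 1
                left += 1
            best = max(best, sum(1 for n in seen.values() if n))
        if best >= threshold:
            hits[src] = best
    return hits
```

On the sample lines 10.0.0.5 is reported with 6 distinct targets, while 10.0.0.9 (one port-80 connection and a single 3127 attempt) stays below the threshold.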

The worm contains the compressed source code of the MyDoom.A worm and copies it, in a file named sync-src-1.00.tbz, into the root directory of every local disk and connected network drive it finds. It also copies this file into the %system% and %temp% directories and into the home directory of the currently logged-on user (the user profile directory). The copied file is 28659 B in size.

After 8 February 2004 the worm launches a DoS attack on the site.

To remove the worm, delete the Gremlin key from the system Registry, which otherwise reactivates the worm after each restart of the computer, and delete the intrenat.exe file from the %windir% directory (or from %temp%, where the worm places itself when it cannot write to %windir%).

Signature-based detection of Win32/Doomjuice.A was added in version 1.619.

