Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Doomjuice.B

The Win32/Doomjuice.B worm is a modification of its A variant. It arrives compressed via UPX utility in a file 5120 B in size. After decompression its size increases to 6656 B. Unlike the Doomjuice.A worm the Doomjuice.B worm does not carry the source code of the MyDoom.A worm.

Note: In the following text a symbolic string %windir% is used instead of the real name of the Windows installation directory. The latter may differ on a case by case basis. The subdirectory System or System32 placed in %windir% has a name %system%.

The Doomjuice.B worm creates a Mutex consisting of the name of the infected computer and the string " -sncZZmtx_133 ". The worm copies itself into the %system% or %temp% directories using the name regedit.exe .

In one of the following keys:

HKLM/Software/Microsoft/CurrentVersion/Run, or HKCU/Software/Microsoft/CurrentVersion/Run

the worm creates an entry named NeroCheck .

The worm's spreading algorithm mimics that of its predecessor Doomjuice.A. It takes advantage of the backdoor created by the MyDoom.A worm. Its random IP address generator attempts to find possible victims and tries to connect to the port number 3127.

The worm uses a modified trigger to launch a DoS attack on the www.microsoft.com site. The attack is launched outside January and between 8 th and 12 th each month.

The detection of Win32/Doomjuice.B via its signature is added as of version 1.621.

Make sure your NOD32 antivirus is up to date. To that end, click "Update Now" in the NOD32 Control Center while your computer is connected to internet.