My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Doomjuice.B

LOW
MEDIUM
5120 bytes (packed)

Symptoms


- Presence of the next files in %SYSTEM% folder:

regedit.exe (5120 bytes)

- Presence of the next registry keys or entries:

[HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows\CurrentVersion\Run\"NeroCheck"="%SYSTEM%\regedit.exe"]

where %SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.

Removal instructions:




Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:


Once run, the virus does the following:

1. Creates a mutex COMP_NAME-sncZZmtx_133

where COMP_NAME is the victim's computer name

2. Deletes %SYSTEM%\regedit.exe and creates a copy of the virus as %SYSTEM%\regedit.exe

Note: Window's Registry editor regedit.exe resides in Windows (WinNT) folder.

3. Creates the registry key mentioned in Symptoms

4. Sees if the computer is connected to internet, if not, it waits for the computer to connect.

5. Starts a new thread that attempts to attack www.microsoft.com if the day is greater than 12, except January.

6. It spreads using the backdoor installed on port 3127 by the first Mydoom variant.