Win32.Worm.Doomjuice.B
SYMPTOMS:
- Presence of the following file in the %SYSTEM% folder: regedit.exe (5120 bytes)
- Presence of the following registry entry:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NeroCheck"="%SYSTEM%\regedit.exe"
where %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:
Once run, the virus does the following:
1. Creates a mutex COMP_NAME-sncZZmtx_133, where COMP_NAME is the victim's computer name.
2. Deletes %SYSTEM%\regedit.exe and creates a copy of the virus as %SYSTEM%\regedit.exe.
   Note: the legitimate Windows Registry Editor, regedit.exe, resides in the Windows (WinNT) folder, not in %SYSTEM%.
3. Creates the registry entry mentioned under Symptoms.
4. Checks whether the computer is connected to the internet; if not, it waits for the computer to connect.
5. Starts a new thread that attempts to attack www.microsoft.com if the day of the month is greater than 12, except in January.
6. Spreads using the backdoor installed on port 3127 by the first Mydoom variant.

Removal instructions:

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
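The three host indicators above (the NeroCheck Run value, the 5120-byte regedit.exe copy in %SYSTEM%, and the per-machine mutex name) can be checked together against a host snapshot. The following is an added triage example, not BitDefender's code; the snapshot dictionary format, the C:\Windows install path and the sample hosts are constructed assumptions standing in for data that would be gathered from the registry, the %SYSTEM% directory listing and a mutex enumeration on a live Windows host.

```python
# Triage helper for the Win32.Worm.Doomjuice.B indicators listed in the advisory.
# Assumed snapshot format (constructed for this example):
#   computer_name: str, is_nt: bool,
#   run_values:   dict of value name -> data under HKLM\...\CurrentVersion\Run
#   system_files: dict of lowercase basename -> size in bytes for %SYSTEM%
#   mutexes:      list of mutex names visible on the host

DROPPED_SIZE = 5120           # size of the dropped %SYSTEM%\regedit.exe per the advisory
MUTEX_SUFFIX = "-sncZZmtx_133"  # mutex is COMP_NAME + this suffix
WINDIR = r"C:\Windows"        # assumed install path

def expected_system_dir(is_nt):
    # %SYSTEM% is System32 on WinNT and System on Windows 9x.
    return WINDIR + (r"\System32" if is_nt else r"\System")

def triage(snapshot):
    """Return the list of Doomjuice.B indicators matched by one host snapshot."""
    hits = []
    dropped = expected_system_dir(snapshot["is_nt"]) + r"\regedit.exe"

    # Indicator 1: Run value "NeroCheck" whose data points at %SYSTEM%\regedit.exe.
    # Only the target path is decisive: the value name alone is not a match.
    data = snapshot["run_values"].get("NeroCheck", "")
    if data.strip('"').lower() == dropped.lower():
        hits.append("run_value_nerocheck")

    # Indicator 2: regedit.exe present in %SYSTEM% (the real one lives in %WINDIR%)
    # with the 5120-byte size of the dropped copy.
    size = snapshot["system_files"].get("regedit.exe")
    if size == DROPPED_SIZE:
        hits.append("dropped_regedit_5120")
    elif size is not None:
        hits.append("regedit_in_system_dir")  # wrong folder but wrong size: weaker signal

    # Indicator 3: mutex COMP_NAME-sncZZmtx_133 for this host's computer name.
    if snapshot["computer_name"] + MUTEX_SUFFIX in snapshot["mutexes"]:
        hits.append("mutex_sncZZmtx_133")
    return hits

# Constructed sample snapshots: one infected host, one clean host that carries
# a same-named Run value pointing elsewhere (should not match).
INFECTED = {"computer_name": "LAB-PC01", "is_nt": True,
            "run_values": {"NeroCheck": r'"C:\Windows\System32\regedit.exe"'},
            "system_files": {"regedit.exe": 5120, "kernel32.dll": 983040},
            "mutexes": ["LAB-PC01-sncZZmtx_133"]}
CLEAN = {"computer_name": "LAB-PC02", "is_nt": True,
         "run_values": {"NeroCheck": r"C:\Constructed\Other\NeroCheck.exe"},
         "system_files": {"kernel32.dll": 983040}, "mutexes": []}

if __name__ == "__main__":
    print("infected:", triage(INFECTED))
    print("clean:", triage(CLEAN))
```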