Doomjuice.B Variant Builds on MyDoom Mayhem

A new variant of the Doomjuice worm has been reported by antivirus research firm F-Secure. The worm, dubbed Doomjuice.B, attacks Microsoft’s Web site, much like its predecessor, Doomjuice.A.

Although it has similar characteristics to the previous worm, Doomjuice.B is smaller and does not contain any of the source code found in the related Mydoom.A, now widely considered to be the most virulent computer worm ever.

However, its small size and lack of source code do not mean the B variant is harmless. The worm is designed to improve the distributed denial-of-service attack on Microsoft and keep battering at the company’s well-protected gates.

Opportunistic Infection

Mikko Hypponen, director of antivirus research in F-Secure’s Helsinki, Finland, office, told the E-Commerce Times that Doomjuice does not spread through e-mail. Rather, it uses a backdoor left open by MyDoom.

“If someone has MyDoom on their computer,” he said, “it’s likely that they’ll also have Doomjuice as well.”

He added that the similarity of the two worms suggests they were written by the same people.

The first version of Doomjuice and another worm called Deadhat both began spreading February 9th. They have had limited impact because most companies have cleaned systems that were infected with MyDoom.

Network Associates has estimated only about 50,000 to 75,000 machines arestill infected, so any Doomjuice attack would be on a much smaller scale than the MyDoom debacle.

Only the Beginning

Doomjuice and Deadhat are the first reported opportunistic worms, but they will not be the last.

Already, F-Secure has uncovered a variant of a Trojan, Mitglieder.H, that exploits the MyDoom backdoor. Mitglieder.H contains several HTTP links that it can use to download and execute programs. Right now, the links lead to Web pages that are inaccessible, so the worm will not download anything.

An anti-MyDoom variant also has cropped up in Japan. A variant of the Welchi worm, it copies itself onto infected systems and tries to remove MyDoom while also attempting to download security patches.

In its report on Mitglieder.H, F-Secure noted, “It seems to be the morning of MyDoom-exploiting worms.”

Tougher Worm

The way Doomjuice.B works is slightly different and therefore more dangerous than its A-variant predecessor. Hypponen said both variants copy themselves into the Windows System Directory and attack the Microsoft site via the HTTP protocol.

However, the B worm has a twist that makes it more effective.

“It improves the attack because it sets random HTTP headers,” Hypponen said. “The A variant didn’t do this. Randomizing the headers makes it harder to filter the traffic and avoid the attack that way.”

The appearance of Doomjuice.B also coincides with a change to its predecessor. The A variant’s attack against Microsoft was designed to sleep for a random interval before launching an attack. If an infected machine is rebooted on February 12th or later, an attack is immediate.

Boon for Security?

William Stearns, an instructor of perimeter security courses at The SANS Institute, told the E-Commerce Times that the presence of so many worms and their variants may pose a threat to Microsoft and other other targets, but could be a good thing for companies that provide security audits.

“People are starting to think about how strong they’d be if they were attacked,” he said. Because of this, there may be an increase in business for assessment software, security consulting and employee education efforts.

“Everything that’s going on makes you think about your vulnerabilities,” Stearns said, “and I think we’re going to see companies more focused on how to defend themselves.”