Here is some information about the aforementioned juice ..
Kaspersky Labs has detected Doomjuice, a potentially dangerous new Internet worm. Doomjuice was first detected on 9th February; it has already infected more than 100,000 computers across the world and is continuing to spread rapidly. According to Kaspersky Labs analysts, Doomjuice was written by the same person as Mydoom, possibly the most destructive virus ever, to cover the virus writer's tracks. Furthermore, this new Internet worm uses computers infected by Mydoom.a to organize a DDoS attack on the Microsoft website.
The propagation method used by Doomjuice explains the rapid spread of the worm. It uses computers already infected by Mydoom.a and Mydoom.b to spread via the Internet. The worm penetrates computers via TCP port 3127, opened by the Trojan component of Mydoom in order to receive remote commands. If the infected computer answers the request sent by the worm, Doomjuice connects and sends a copy of itself to the victim machine. The Trojan installed by Mydoom then executes the file.
Once launched, the worm copies itself to the Windows system directory under the name Intrenat.exe and registers this file in the system registry auto-run key. This ensures that the malicious program is launched every time the computer is restarted. Doomjuice then executes its prime function: it extracts a file named 'sync-src-1.00.tbz' and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings. This file is a TAR archive which contains the complete source code of Mydoom.a. The goal seems to be to spread Mydoom even further, thus making it increasingly difficult to identify the original author.
Doomjuice is also programmed to carry out a DoS attack on the Microsoft site. Prior to 12th February, this will be a modified attack; the worm sends a single GET request to port 80, and repeats this at random intervals. However, after 12th February, the worm will launch a full-scale attack on the site. Given the number of computers originally infected by Mydoom, if Doomjuice continues to spread successfully, it could present a potential threat to Microsoft.
"The author of Doomjuice is not only making it difficult to trace the creator of Mydoom, but also making the source code of Mydoom.a available for everyone whose machine is infected by Doomjuice. Anyone with basic programming skills can use the Mydoom.a source code to create a clone," comments Eugene Kaspersky, Kaspersky Labs' Head of Anti-virus Research. "In fact, I think that we may be seeing a large number of Mydoom clones in the wild very soon."
And here is the continuation of the story .. a few days later ..
Kaspersky Labs, a leading information security software developer, has detected a second version of the Internet worm Doomjuice - Doomjuice.b. It propagates using the same methods as the original Doomjuice: both worms scan the Internet for computers infected either by Mydoom.a or Mydoom.b. Doomjuice uses port 3127, breached earlier by Mydoom, to install copies of itself, which the Trojan component of Mydoom then launches.
However, Doomjuice.b differs from the previous version in that Doomjuice.b has been created solely to conduct a DoS attack on the Microsoft site. The worm first copies itself into the Windows directory under the name regedit.exe and then registers this file in the system registry auto-run key. Once installation is complete Doomjuice checks the system date. The DoS attack will be launched in any month of any year except January, excluding dates between the 8th and 12th of the month. If the system date meets these requirements, Doomjuice sends multiple GET requests to port 80 on www.microsoft.com.
The author of Doomjuice.b uses a server request technique previously unknown for Internet worms: the worm's request mimics the Internet Explorer request text. As a result, requests from infected computers may not be blocked, as this technique makes it more difficult to distinguish between valid requests and ones generated by Doomjuice.b. This feature potentially increases the destructive capabilities of the worm. If Doomjuice.b becomes widespread, Microsoft may need to implement some of the security measures intended for such eventualities.
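Added here as an illustration of the defender's side of what the quoted press releases describe (this is not code from the original post or from Kaspersky): a small Python detector that flags hosts repeatedly connecting to TCP 3127, the Mydoom backdoor port that Doomjuice spreads through, together with a model of the Doomjuice.b date trigger. The log lines and addresses are constructed, and treating the 8th to 12th as an inclusive window is an assumption the press release does not settle.

```python
import re
from datetime import date

# Constructed firewall-style log lines (not from the original post). Repeated
# connections from one host to port 3127 across several destinations is the
# propagation pattern described above: Doomjuice looking for Mydoom backdoors.
SAMPLE_LOG = """\
2004-02-10T10:00:01 src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=3127 action=allow
2004-02-10T10:00:02 src=10.0.0.5 dst=192.0.2.11 proto=tcp dport=3127 action=allow
2004-02-10T10:00:02 src=10.0.0.7 dst=192.0.2.20 proto=tcp dport=80 action=allow
2004-02-10T10:00:03 src=10.0.0.5 dst=192.0.2.12 proto=tcp dport=3127 action=drop
2004-02-10T10:00:04 src=10.0.0.9 dst=192.0.2.13 proto=tcp dport=443 action=allow
"""

MYDOOM_BACKDOOR_PORT = 3127  # the port named in the post

# Assumed log layout (constructed): "src=<ip> ... dport=<port>" on each line.
LINE_RE = re.compile(r"src=(?P<src>\S+) .*?dport=(?P<dport>\d+)")


def find_backdoor_scanners(log_text, min_hits=2):
    """Return {src: count} for every source that contacted port 3127
    at least min_hits times. Dropped attempts count too: the scan itself
    is the signal, whether or not the target answered."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == MYDOOM_BACKDOOR_PORT:
            src = m.group("src")
            hits[src] = hits.get(src, 0) + 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def doomjuice_b_trigger_active(year, month, day):
    """Model of the Doomjuice.b date check as the post states it: the DoS
    runs in any month except January, and never on the 8th to 12th of a
    month. Assumption: that window is inclusive at both ends.
    Useful for deciding which calendar days a sudden GET flood from
    Mydoom-era hosts is consistent with this worm."""
    d = date(year, month, day)  # raises ValueError on an impossible date
    if d.month == 1:
        return False
    return not (8 <= d.day <= 12)
```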