February 9th, 2004, 08:51 PM
Doomjuice & Deadhat
A new worm has been detected which exploits the backdoor left from the Mydoom virus(es).
More information can be found here.
Connects to TCP port 3127, which is opened by the backdoor component of W32.Mydoom.A@mm, to receive commands. If the worm gets the command, it sends a copy of itself to the remote machine. The backdoor component of W32.Mydoom.A@mm will accept the file and execute it.
Launches a DoS attack against www.microsoft.com by sending HTTP GET requests.
Here is another worm exploiting the backdoor left by Mydoom.
More info on W32.HLLW.Deadhat
Scans the network, looking for systems infected with Mydoom. This worm attempts to connect to sequential IP addresses on ports 3127, 3128, and 1080, starting with a random IP address. When a connection is established, W32.HLLW.Deadhat sends a copy of itself to the Mydoom server, in effect replacing Mydoom on the remote machine.
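Added defender-side example (not from the original post or any vendor write-up): it runs over constructed firewall log lines in an assumed "SRC= DST= DPT=" format and flags the two behaviours described above, any connection to the Mydoom.A backdoor on TCP 3127, and a Deadhat-style sweep of sequential IP addresses on ports 3127, 3128 and 1080.

```python
"""Flag Doomjuice/Deadhat-style probing of the Mydoom backdoor in firewall logs."""
from collections import defaultdict
import ipaddress
import re

# Ports named in the thread: 3127 (Mydoom.A backdoor), plus 3128 and 1080 probed by Deadhat.
BACKDOOR_PORTS = {3127, 3128, 1080}

# Constructed sample log lines (not from the post); assumed format:
# "<time> SRC=<ip> DST=<ip> DPT=<port> <flags>"
SAMPLE_LOG = """\
21:05:01 SRC=10.0.0.5 DST=192.0.2.10 DPT=3127 SYN
21:05:01 SRC=10.0.0.5 DST=192.0.2.11 DPT=3127 SYN
21:05:01 SRC=10.0.0.5 DST=192.0.2.12 DPT=3128 SYN
21:05:02 SRC=10.0.0.5 DST=192.0.2.13 DPT=1080 SYN
21:05:02 SRC=10.0.0.5 DST=192.0.2.14 DPT=3127 SYN
21:05:03 SRC=10.0.0.9 DST=192.0.2.20 DPT=80 SYN
21:05:04 SRC=10.0.0.9 DST=192.0.2.21 DPT=443 SYN
21:05:05 SRC=10.0.0.7 DST=192.0.2.50 DPT=3127 SYN
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def parse(log_text):
    """Yield (src, dst_as_int, dport) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(ipaddress.ip_address(m.group(2))), int(m.group(3))

def find_backdoor_sweeps(log_text, min_run=3):
    """Sources that hit backdoor ports on >= min_run consecutive IPs (Deadhat walks
    sequential addresses from a random start). Returns {src: [dst, ...]}."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in BACKDOOR_PORTS:
            targets[src].add(dst)
    hits = {}
    for src, addrs in targets.items():
        seq = sorted(addrs)
        best = run = 1  # longest run of consecutive addresses
        for a, b in zip(seq, seq[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = [str(ipaddress.ip_address(a)) for a in seq]
    return hits

def find_backdoor_connections(log_text):
    """Every connection to TCP 3127: the Mydoom.A backdoor Doomjuice pushes its copy through."""
    return sorted({(src, str(ipaddress.ip_address(dst))) for src, dst, dport in parse(log_text) if dport == 3127})
```

A single hit on 3127 is worth a look on its own; the sweep detector is what separates a Deadhat-style scanner from one stray connection.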
February 9th, 2004, 09:25 PM
From the Trojan Horse mailing list...
Confused about the name of this one... so is everyone it appears...
* TrendMicro is calling this one DeadHat.A and DoomJuice
* McAfee has created a separate DoomJuice and DeadHat listing
* Symantec also now has a separate DoomJuice and DeadHat listing
* Computer Associates also has a DoomJuice and a DeadHat listing
They (the media) now think MyDoom.C/DoomJuice and Vesser/DeadHat are the same thing but they are totally different worms that use MyDoom.A/B to spread. Vesser is NOT in the wild.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden