Doomjuice

A new worm has been detected which exploits the backdoor left from the Mydoom virus(es).

Quote:

---

Connects to TCP port 3127, which is opened by the backdoor component of W32.Mydoom.A@mm, to receive commands. If the worm gets the command, it sends a copy of itself to the remote machine. The backdoor component of W32.Mydoom.A@mm will accept the file and executes it.

Launches a DoS attack against www.microsoft.com by sending HTTP Get requests.

---

More information can be found here.

Here is another worm exploiting the backdoor left by Mydoom.

Quote:

---

Scans the network, looking for systems infected with Mydoom. This worm attempts to connect to sequential IP addresses on ports 3127, 3128, and 1080, starting with a random IP address. When a connection is established, W32.HLLW.Deadhat sends a copy of itself to the Mydoom server, in effect replacing Mydoom on the remote machine.

---

More info on W32.HLLW.Deadhat

Cheers:

From the Trojan Horse mailing list...

Confused about the name of this one... so is everyone it appears...


* TrendMicro is calling this one DeadHat.A and DoomJuice
* McAfee has created a separate DoomJuice and DeadHat listing
* Symantec also now has a separate DoomJuice and DeadHat listing
* Computer Associates also has a DoomJuice and a DeadHat listing

They (the media) now think MyDoom.C/DoomJuice and Vesser/DeadHat are the same thing but they are totally different worms that use MyDoom.A/B to spread. Vesser is NOT in the wild.

http://www.securitynewsportal.com/index.shtml