Doomjuice worm uses computers infected by Mydoom or Mydoom.B to spread. It is also set to launch a DoS attack on the Microsoft site. The existence of the file intrenat.exe is an indication of a possible infection.
This threat is packed by UPX. The size of the decompressed file is approximately 43 KB.
Also known as: W32.HLLW.Doomjuice, W32/Doomjuice.worm.a, WORM_DOOMJUICE.A, Win32.Doomjuice.A, Worm.Win32.Doomjuice, W32/Doomjuice-A
How Does Doomjuice Worm Infect My System?
When Doomjuice is executed, it performs the following actions:
- Creates a mutex "sync-Z-mtx_133". This mutex allows only one instance of the worm to execute in memory.
- Copies itself as %System%\intrenat.exe.
- Adds the value:
"Gremlin" = "%System%\intrenat.exe"
to one of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Creates a file sync-src-1.00.tbz (28,569 bytes) and copies this file to the %Windir%, %System%, %Temp% and %UserProfile% folders, and to the root folder of all fixed and remote drives. This file is a tar archive that contains the source code of Mydoom.
- Connects to TCP port 3127, which is opened by the backdoor component of Mydoom, to receive commands. If the worm gets the command, it sends a copy of itself to the remote machine. The backdoor component of Mydoom accepts the file and executes it.
- Launches a DoS attack against www.microsoft.com by sending HTTP GET requests.
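As an added example (not part of the original page), the following read-only PowerShell check looks for the indicators listed above on a single host: the "Gremlin" Run value in either registry hive, the dropped intrenat.exe, copies of sync-src-1.00.tbz in the listed folders and drive roots, and a live listener on TCP 3127. It assumes an elevated prompt on a Windows version that ships Get-NetTCPConnection (Windows 8 / Server 2012 or later); it only reports and changes nothing.

```powershell
# Added example: read-only sweep for the Doomjuice indicators described on this page.
$findings = @()

# 1. The autorun value "Gremlin", which the worm writes to one of two Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $value = Get-ItemProperty -Path $key -Name 'Gremlin' -ErrorAction SilentlyContinue
    if ($value) { $findings += "Run value 'Gremlin' = '$($value.Gremlin)' in $key" }
}

# 2. The worm's own copy in %System% (System32 on current Windows).
$worm = Join-Path $env:SystemRoot 'System32\intrenat.exe'
if (Test-Path $worm) { $findings += "Worm binary present: $worm" }

# 3. The Mydoom source archive sync-src-1.00.tbz (28,569 bytes on the page) in
#    %Windir%, %System%, %Temp%, %UserProfile% and every file-system drive root.
$dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:TEMP, $env:USERPROFILE)
$dirs += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
foreach ($d in ($dirs | Select-Object -Unique)) {
    $p = Join-Path $d 'sync-src-1.00.tbz'
    if (Test-Path $p) {
        $size = (Get-Item $p).Length
        $findings += "Archive present: $p ($size bytes)"
    }
}

# 4. A listener on TCP 3127, the Mydoom backdoor port Doomjuice relies on to spread.
#    Guarded because the cmdlet is absent on older Windows.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 3127 -State Listen -ErrorAction SilentlyContinue
    if ($listener) { $findings += "TCP 3127 listening (PID $($listener.OwningProcess))" }
}

if ($findings.Count -eq 0) { 'No Doomjuice indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on item 4 alone points at the Mydoom backdoor rather than Doomjuice itself, so treat it as a reason to scan for both.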
How Can I Remove the Doomjuice virus?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Doomjuice during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.
Follow these steps to remove the Doomjuice worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".
2. Updating the virus definitions
If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode.
- For Windows NT 4 users, restart the computer in VGA mode.
4. Scanning for and deleting the infected files
- Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Doomjuice, click Delete.
5. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run dialog box appears.)
- Type regedit, then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
"Gremlin" = "%System%\intrenat.exe"
- Because the worm writes this value to either the HKEY_LOCAL_MACHINE or the HKEY_CURRENT_USER Run key, check the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run as well and delete the same value there if present.
- Exit the Registry Editor.
- Restart the computer back into Normal mode.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive a message that contains the virus, do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.