PSS Security Response Team Alert - New Worm: W32/Mydoom.C
SEVERITY: MODERATE
DATE: February 9, 2004
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail
**********************************************************************
WHAT IS IT?
Mydoom.C (also referred to as DoomJuice) is a variant of the Mydoom worm that attacks and infects only those systems which are currently infected with Mydoom.A. Customers who are not infected by Mydoom.A are not at risk from Mydoom.C. Customers who are currently infected with Mydoom.B are not at risk from Mydoom.C.
Mydoom.C also attempts to levy a denial of service attack against Microsoft properties. All Microsoft properties are available and stable. There is more information available at:
http://www.microsoft.com/security/antivirus/mydoom.asp
The Microsoft Product Support Services Security Team is issuing this alert to advise customers to be on the alert for this virus as it spreads in the wild. Customers are advised to review the information and take the appropriate action for their environments.
IMPACT OF ATTACK: Denial of Service
TECHNICAL DETAILS:
For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:
Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=38238
Network Associates:
http://vil.nai.com/vil/content/v_101002.htm
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A
For more information on Microsoft's Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
Mydoom.C propagates only to systems that are currently infected by Mydoom.A, by connecting on TCP port 3127. You can prevent infection by Mydoom.C by blocking access to TCP port 3127. (Note: The Internet Connection Firewall (ICF) in Windows XP blocks access to TCP port 3127 by default.) In addition, you can protect against infection by Mydoom.C by ensuring that you are not infected with Mydoom.A, either by preventing infection from Mydoom.A or by cleaning a system that has been infected by Mydoom.A as quickly as possible.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/alerts/mydoomc.asp
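A local check to go with the PREVENTION advice above, as an added example that is not part of the Microsoft alert: it scans saved `netstat -an` output for TCP sockets on local port 3127, the port the alert says to block. The function names and the sample output are constructed for illustration; the addresses are documentation ranges.

```python
# Added example: flag TCP sockets on local port 3127 in `netstat -an` output.
BACKDOOR_PORT = 3127  # the port named in the alert

# Constructed sample in the Windows `netstat -an` layout (not real capture data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3127        203.0.113.7:4021       ESTABLISHED
  TCP    192.0.2.10:31270       198.51.100.2:80        ESTABLISHED
  UDP    0.0.0.0:3127           *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like [::]:3127 work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None


def find_port_3127(netstat_text, port=BACKDOOR_PORT):
    """Return (kind, local, remote) for each TCP socket bound to local `port`.

    kind is 'listening' for an open listener and 'connection' for any other
    state (a remote peer is, or recently was, attached to that port).
    """
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, UDP rows (no State column) and blank lines.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, remote, state = fields[1], fields[2], fields[3].upper()
        _, local_port = split_endpoint(local)
        if local_port != port:  # exact match, so 31270 is not reported
            continue
        if state in ("LISTENING", "LISTEN"):
            findings.append(("listening", local, None))
        else:
            findings.append(("connection", local, remote))
    return findings


if __name__ == "__main__":
    for kind, local, remote in find_port_3127(SAMPLE):
        print(kind, local, remote or "")
```

A "listening" result means something on the host has TCP port 3127 open and the machine should be checked for Mydoom.A and cleaned; a "connection" result gives the remote address to look up in firewall logs.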
Latest worm not expected to do much damage.
Paul Roberts, IDG News Service
Monday, February 09, 2004
Internet security companies have discovered a new version of the MyDoom e-mail worm circulating on the Internet.
The new version, Mydoom.C, is a modified copy of the virus that ravaged the Internet in January. Unlike its predecessor, however, the new variant does not use e-mail or the Kazaa peer-to-peer network to spread and is not expected to make much of an impact on the Internet, says managed security services provider LURHQ.
Mydoom.C both refines and tames the earlier version of the virus, known as Mydoom.A. Among other changes, the new virus fixes problems with the original Mydoom e-mail worm, including errors in the worm's code that made it impossible for many Mydoom-infected machines to launch a programmed denial of service (DoS) attack against The SCO Group's Web site. Gone also is the expiration date that told machines infected with the original Mydoom virus to stop their DoS attack on February 12, 2004, LURHQ says.
More: http://www.pcworld.com/news/article/0,aid,114657,tk,dn020904X,00.asp
