Aliases
W32/Doomjuice.worm.a, W32.HLLW.Doomjuice, WORM_DOOMJUICE.A, Win32.Doomjuice.A, Worm.Win32.Doomjuice

Type
Win32 worm

Description
W32/Doomjuice-A is a worm which spreads by exploiting a backdoor installed by W32/MyDoom-A.
The worm creates a copy of itself named intrenat.exe in the Windows system folder and creates the following registry entry to ensure that the copy is run when Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = <Windows system folder>\intrenat.exe

The worm also creates a file named sync-src-1.00.tbz in the root, Windows, Windows system and user profile folders. Sync-src-1.00.tbz is a compressed archive containing source code of W32/MyDoom-A.

W32/Doomjuice-A will contact computers infected with W32/MyDoom-A by attempting to connect to port 3127 of randomly chosen IP addresses. If the worm contacts a computer infected with W32/MyDoom-A, a copy of W32/Doomjuice-A will be transferred to the computer and executed.

On 9th February and any date thereafter the worm will wait for between 2 and 6 minutes and then attempt a distributed denial of service (DDoS) attack against www.microsoft.com.
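
The indicators described above can be checked together. The following is an added example, not part of the original analysis: it matches the Run value, the dropped file names and repeated outbound attempts on port 3127. The log line format, the threshold of 5 distinct destinations and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the description above.
RUN_VALUE = "gremlin"
DROPPED_EXE = "intrenat.exe"
ARCHIVE = "sync-src-1.00.tbz"
BACKDOOR_PORT = 3127
SCAN_THRESHOLD = 5  # assumption: distinct destinations before a source is flagged

# Assumed log format (constructed for this example, not a real product's).
LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")


def check_host(run_values, file_paths):
    """Return host indicators found in a Run-key export and a file listing."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or data.lower().endswith("\\" + DROPPED_EXE):
            hits.append(f"run-key:{name}={data}")
    for path in file_paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in (DROPPED_EXE, ARCHIVE):
            hits.append(f"file:{path}")
    return hits


def find_scanners(log_lines, threshold=SCAN_THRESHOLD):
    """Return sources that tried TCP 3127 on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LINE.search(line)
        if m and int(m.group(3)) == BACKDOOR_PORT:
            targets[m.group(1)].add(m.group(2))
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample data (documentation address ranges, invented host state).
SAMPLE_RUN = {"Gremlin": r"C:\WINDOWS\system32\intrenat.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\sync-src-1.00.tbz", r"C:\WINDOWS\system32\intrenat.exe",
                r"C:\WINDOWS\notepad.exe"]
SAMPLE_LOG = [f"src=10.0.0.23 dst=198.51.100.{i} dport=3127 proto=tcp" for i in range(1, 7)]
SAMPLE_LOG += ["src=10.0.0.40 dst=203.0.113.9 dport=443 proto=tcp",
               "src=10.0.0.40 dst=203.0.113.10 dport=3127 proto=tcp"]

if __name__ == "__main__":
    print(check_host(SAMPLE_RUN, SAMPLE_FILES))
    print(find_scanners(SAMPLE_LOG))
```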


http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html