Doomjuice "plants evidence" on innocent computers. Is MyDoom author trying to hide in the crowd? asks Sophos

February 10, 2004 Sophos Press Release

The Doomjuice worm drops MyDoom's source code on the user's hard drive

Sophos virus experts have a theory about one peculiar payload of the W32/Doomjuice-A worm. The Doomjuice worm drops a copy of the source code of the prevalent W32/MyDoom-A worm onto infected computers, possibly in an attempt to make it harder to convict the true author.

The Doomjuice worm drops a compressed copy of MyDoom's C source code into a number of directories on the infected user's PC. Detectives investigating the authorship of the MyDoom worm would normally treat discovery of the source code on a computer as a significant clue.

"There is already a $500,000 reward for information leading to the conviction of MyDoom's author," said Graham Cluley, senior technology consultant for Sophos. "If he has spread his code around the net onto innocent computers in an attempt to hide in the crowd, then he's more sneaky than the average virus writer."

"The other possibility is that MyDoom's author is spreading the code to encourage others to write copy-cat viruses which try and mimic MyDoom's global spread. The need for sensible security policies and multi-tier virus protection has never been greater," continued Cluley.

The Doomjuice worm also attempts to launch a distributed denial of service attack against Microsoft's website, www.microsoft.com.