10 Feb 2004
Doomjuice "plants evidence" on innocent computers. Is MyDoom author trying to hide in the crowd? asks Sophos
[Image caption: The Doomjuice worm drops MyDoom's source code on the user's hard drive]
Sophos virus experts have an interesting theory on a peculiar
payload of the W32/Doomjuice-A worm.
The Doomjuice worm drops a copy of the prevalent W32/MyDoom-A's source
code onto infected computers, possibly in an attempt to make it
more difficult to convict the true author.
The Doomjuice worm drops a compressed copy of MyDoom's C source
code into a number of directories on the infected user's PC.
Detectives investigating the authorship of the MyDoom worm would
normally treat discovery of the source code on a computer as a
"There is already a $500,000 reward for information leading to
the conviction of MyDoom's author," said Graham Cluley, senior
technology consultant for Sophos. "If he has spread his code around
the net onto innocent computers in an attempt to hide in the crowd,
then he's more sneaky than the average virus writer."
"The other possibility is that MyDoom's author is spreading the
code to encourage others to write copy-cat viruses which try and
mimic MyDoom's global spread. The need for sensible security
policies and multi-tier virus protection has never been greater,"
The Doomjuice worm also attempts to launch a distributed denial of
service attack against Microsoft's website, www.microsoft.com.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.