Doomjuice "plants evidence" on innocent computers. Is MyDoom author trying to hide in the crowd? asks Sophos

Sophos Press Release
The Doomjuice worm drops MyDoom's source code on the user's hard drive

Sophos virus experts have an interesting theory about a peculiar payload of the W32/Doomjuice-A worm. The Doomjuice worm drops a copy of the source code of the prevalent W32/MyDoom-A worm onto infected computers, possibly in an attempt to make it more difficult to convict the true author.

The Doomjuice worm drops a compressed copy of MyDoom's C source code into a number of directories on the infected user's PC. Detectives investigating the authorship of the MyDoom worm would normally treat discovery of the source code on a computer as a significant clue.

"There is already a $500,000 reward for information leading to the conviction of MyDoom's author," said Graham Cluley, senior technology consultant for Sophos. "If he has spread his code around the net onto innocent computers in an attempt to hide in the crowd, then he's more sneaky than the average virus writer."

"The other possibility is that MyDoom's author is spreading the code to encourage others to write copy-cat viruses which try and mimic MyDoom's global spread. The need for sensible security policies and multi-tier virus protection has never been greater," continued Cluley.

The Doomjuice worm attempts to launch a distributed denial of service attack against Microsoft's website: www.microsoft.com

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.