NEWS FROM THE LAB - Thursday, February 12, 2004

It's now the 12th of February
Posted by Mikko @ 04:38 GMT

Three things related to Mydoom and Doomjuice happen today:

 1) Mydoom.A expires

When an infected machine is rebooted and the date according to the PC's local clock is February 12th or later, the worm stops spreading and stops attacking WWW.SCO.COM.

The backdoor of the worm WON'T stop - it will keep running forever.
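The expiry only matters as much as the clock it is read from. As an added illustration (not code from the post or from F-Secure), the model below encodes the two points made above: the check uses the PC's own date, and the backdoor has no expiry. It assumes, from the wording "when an infected machine is rebooted", that the decision is taken when the worm starts and then holds until the next reboot; the hostnames, clock offsets and boot times are constructed sample data.

```python
from datetime import date, datetime, timedelta
from typing import Dict, List

# Date from which Mydoom.A stops spreading and stops the DDoS against WWW.SCO.COM.
MYDOOM_A_EXPIRY = date(2004, 2, 12)


def mydoom_a_state(local_clock_at_start: date) -> Dict[str, bool]:
    """Behaviour of a Mydoom.A instance, decided from the local date when it starts.

    The comparison is against the PC's own clock, so a host whose date is wrong
    keeps spreading and attacking; the backdoor is never switched off.
    """
    expired = local_clock_at_start >= MYDOOM_A_EXPIRY
    return {"spreading": not expired, "ddos_sco": not expired, "backdoor": True}


def still_attacking(fleet: List[dict]) -> List[str]:
    """Hosts whose running worm instance is still attacking WWW.SCO.COM.

    Each record carries the true time of the last reboot and the host's clock
    offset in days (local clock minus true time). Assumption: the worm fixes its
    state at boot, so a host not rebooted since before the expiry date is still
    attacking even though the calendar has moved on.
    """
    active = []
    for host in fleet:
        local_at_boot = (host["last_boot"] + timedelta(days=host["clock_offset_days"])).date()
        if mydoom_a_state(local_at_boot)["ddos_sco"]:
            active.append(host["hostname"])
    return active


# Constructed sample fleet (hypothetical hostnames, true times in UTC).
SAMPLE_FLEET = [
    {"hostname": "pc-a", "clock_offset_days": 0, "last_boot": datetime(2004, 2, 12, 8, 0)},
    {"hostname": "pc-b", "clock_offset_days": -30, "last_boot": datetime(2004, 2, 12, 9, 0)},
    {"hostname": "pc-c", "clock_offset_days": 0, "last_boot": datetime(2004, 2, 10, 7, 0)},
    {"hostname": "pc-d", "clock_offset_days": 0, "last_boot": datetime(2004, 2, 13, 6, 0)},
]


if __name__ == "__main__":
    # pc-b (clock 30 days behind) and pc-c (not rebooted since Feb 10) are still attacking;
    # every host, including the ones that stopped attacking, still has the backdoor open.
    print("still attacking:", still_attacking(SAMPLE_FLEET))
    for host in SAMPLE_FLEET:
        local_at_boot = (host["last_boot"] + timedelta(days=host["clock_offset_days"])).date()
        print(host["hostname"], mydoom_a_state(local_at_boot))
```

The point for cleanup is the last line of each record: a machine that has "expired" is not a cleaned machine, because the backdoor stays listening regardless of the date.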

This also means that we will most likely see an attempt by SCO during the next 24 hours to bring back the domain WWW.SCO.COM. Currently it's still not listed in DNS:

 [c:\]host www.sco.com
 Host www.sco.com not found: 3(NXDOMAIN)

 [c:\]host sco.com
 sco.com has address

 2) The attack strategy of Doomjuice.A changes

The Doomjuice.A attack against WWW.MICROSOFT.COM was programmed so that the worm first sleeps for a random interval before launching the attack threads.

If the worm is executed or an infected machine is rebooted on February 12th or later, the threads are created immediately, without waiting.

This change is not likely to be too visible.

 3) Doomjuice.B attack starts

Doomjuice.B, which uses random HTTP headers in its attack, will launch the attack from today.

The WWW.MICROSOFT.COM website seems to be up and running, although there have been some slight delays in its performance lately.

We'll keep monitoring the situation.