MyDoom Author Gets Tricky With DoomJuice

Security firm Sohpos says that the MyDoom author may be trying to "hide in the crowd" by planting evidence on infected computers.

Sophos virus experts have an interesting theory on a peculiar payload of the W32/Doomjuice-A worm. The Doomjuice worm drops a copy of the prevalent W32/MyDoom-A’s source code onto infected computers, possibly in an attempt to make it more difficult to convict the true author.

The Doomjuice worm drops a compressed copy of MyDoom’s C source code into a number of directories on the infected user’s PC. Detectives investigating the authorship of the MyDoom worm would normally treat discovery of the source code on a computer as a significant clue.

“There is already a $500,000 reward for information leading to the conviction of MyDoom’s author,” said Graham Cluley, senior technology consultant for Sophos. “If he has spread his code around the net onto innocent computers in an attempt to hide in the crowd, then he’s more sneaky than the average virus writer.”

“The other possibility is that MyDoom’s author is spreading the code to encourage others to write copy-cat viruses which try and mimic MyDoom’s global spread. The need for sensible security policies and multi-tier virus protection has never been greater,” continued Cluley.

The Doomjuice worm attempts to launch a distributed denial of service attack against Microsoft’s website: www.microsoft.com