The first DoomJuice (also called MyDoom.C) was found Monday and targeted Microsoft’s web site, which experienced performance problems during that general time frame. The army of “zombie” computers potentially commanded by DoomJuice.B is likely to be smaller than the original pool of MyDoom.A-compromised machines that have kept the SCO website offline since Feb. 1 with a DDoS attack. DoomJuice uses a backdoor left open by MyDoom.A to propagate itself, forgoing efforts to spread through e-mail and peer-to-peer file sharing networks.
Some estimates placed the number of MyDoom.A infections at more than 400,000. Widespread news coverage of MyDoom has likely led to a reduction in that number, as users become educated and secure their computers. But as of yesterday more than 65,000 IP addresses were actively scanning to and from port 3127, the backdoor left open by MyDoom.A, according to data from the SANS Institute’s Internet Storm Center.
Performance data for all the sites involved in the MyDoom/DoomJuice DDoS efforts is located here.