New Dumaru Variant Arrives as Photograph
Published by: admin 2008-07-05

Several security vendors have issued alerts for another variant of the Dumaru email worm--W32/Dumaru.Y--although some recognize it as Dumaru.Z. The initial copy of this new variant originated from the USA, according to MessageLabs. To date, the majority of infected emails that MessageLabs has intercepted were sent from the UK: 42% of the total number of emails seen.

The worm arrives as an attachment to an email called myphoto.zip (17Kb). The sender's email address may be forged, and therefore does not indicate the true identity of the sender.

The worm spreads by emailing copies of itself to email addresses harvested from the infected computer, using its own email engine. The worm appears to contain a password-stealing or key-logging Trojan component that may also leave a backdoor open on any infected computer connected to the Internet, allowing remote access to the recipient's PC.

Note that the content filtering systems many companies employ on their Internet email gateway may not block executable attachments contained inside a ZIP file.

For further information, visit the MessageLabs web site here.

According to McAfee, W32/Dumaru.z@MM is very similar to the y variant, the major differences being:

  • Filesize: approx 14,550 bytes
  • File download: this variant is intended to download a remote file (URL hard-coded in body). This remote file may change, but at the time of writing it was a variant of W32/Spybot.worm. This is written to disk as %SysDir%\NVIDIA32.EXE. This is detected as W32/Spybot.worm.gen with the 4288 DATs or greater.
  • The email message constructed is identical to that for the y variant.

This worm bears the following characteristics:

  • contains its own SMTP engine to construct messages
  • harvests target email addresses from the local machine
  • additionally, the worm is also intended to steal data from the victim machine (e.g. certain application passwords, keylogger data). This may be triggered via remote commands from the hacker.

    The worm constructs outgoing messages using its own SMTP engine. Target email addresses are harvested from the victim machine--files matching the following extensions are searched:

  • .HTM
  • .WAB
  • .HTML
  • .DBX
  • .TBB
  • .ABD

    The worm mails itself in a ZIP file. The ZIP contains the worm with the following filename:
    MYPHOTO.JPG. (many spaces) .EXE

    Messages are constructed with the following characteristics:
    From: Elene (F (removed) ENSUICIDE@HOTMAIL.COM)
    Subject: Important information for you. Read it immediately!
    Attachment: MYPHOTO.ZIP
    Body:
    Hi!
    Here is my photo, that you asked for yesterday.

    View the sample email and other information at this McAfee page.

    According to Sophos, W32/Dumaru-Y is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:
    From: Elene
    Subject line: Important information for you. Read it immediately!
    Message text: Hi!
    Here is my photo, that you asked for yesterday
    Attached file: myphoto.zip

    The email also contains the myphoto.jpg<56 SPACES>.exe file.
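The attachment both McAfee and Sophos describe is a ZIP holding an executable whose name is padded with a long run of spaces between a decoy .JPG extension and the real .EXE extension, which is exactly what a gateway filter that only looks at the outer attachment name misses. The following is an added example (not code from the article or from any of the vendors quoted) of a defender-side check that opens a ZIP attachment in memory and flags member names with that shape; the sample ZIP is constructed in the script and contains only inert text.

```python
import io
import re
import zipfile

# Extensions Windows will execute; the part of the name before them is irrelevant.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Decoy "harmless" extensions placed before the padding, as in MYPHOTO.JPG<spaces>.EXE.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc"}

def classify_member(name: str) -> list[str]:
    """Return the reasons a ZIP member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    final_ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if final_ext in EXEC_EXTS:
        reasons.append(f"executable extension {final_ext}")
    # Double extension: a decoy extension, optional whitespace, then the real one.
    m = re.match(r".*?(\.\w{2,5})\s*\.\w{2,4}$", base)
    if m and m.group(1) in DECOY_EXTS:
        reasons.append(f"decoy extension {m.group(1)} before final extension")
    # A run of spaces pushes the real extension out of view in mail clients.
    pad = re.search(r"\s{5,}", base)
    if pad:
        reasons.append(f"{len(pad.group(0))} consecutive spaces in name")
    return reasons

def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; an empty dict means clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = classify_member(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings

def build_sample_zip(member_name: str) -> bytes:
    """Build an in-memory ZIP holding one inert text member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"inert placeholder, not a real program")
    return buf.getvalue()

if __name__ == "__main__":
    # Mirrors the attachment described above: myphoto.zip holding MYPHOTO.JPG<56 spaces>.EXE
    sample = build_sample_zip("MYPHOTO.JPG" + " " * 56 + ".EXE")
    print(scan_zip_attachment(sample))
```

The member-name checks are deliberately independent of the outer attachment name, so the same function can be applied to every ZIP passing a gateway rather than only to ones called myphoto.zip.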

    When executed the worm copies itself to the Windows system folder as l32x.exe and vxd32v.exe and the startup folder as dllxw.exe.

    W32/Dumaru-Y sets the following registry entry in order to ensure that the worm is run each time Windows is started:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
    When executed under Windows NT, W32/Dumaru-Y sets the registry entry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe C:\Windows\System32\vxd32.exe

    The worm also changes the system.ini file by adding C:\WINDOWS\SYSTEM\VXD32V.EXE to the shell= line.
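Both of the shell-based persistence tricks above (the Winlogon Shell value and the system.ini shell= line) work by appending a second program after explorer.exe, so a simple check is to parse those settings and report anything beyond the shell itself. The following is an added example (not code from the article or from Sophos); the system.ini text and the Winlogon value dictionary are constructed here to mirror the modifications described, and the dictionary stands in for whatever registry export a tool would hand you.

```python
import configparser
import ntpath

LEGIT_SHELL = "explorer.exe"

def appended_programs(shell_value: str) -> list[str]:
    """Return the programs that follow explorer.exe in a shell= value.

    If explorer.exe is not the first token the shell has been replaced
    outright, so the entire value is returned for review.
    """
    parts = shell_value.split()
    if parts and ntpath.basename(parts[0]).lower() == LEGIT_SHELL:
        return parts[1:]
    return parts

def check_system_ini(ini_text: str) -> list[str]:
    """Parse the [boot] shell= line from system.ini text and report extras."""
    # system.ini may contain duplicate keys and '%' characters; tolerate both.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    shell = cfg.get("boot", "shell", fallback=LEGIT_SHELL)
    return appended_programs(shell)

def check_winlogon(values: dict[str, str]) -> list[str]:
    """Inspect an exported Winlogon key (value name -> data) for a padded Shell."""
    return appended_programs(values.get("Shell", LEGIT_SHELL))

# Constructed samples mirroring the modifications described above.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\VXD32V.EXE
[386Enh]
device=*vpd
"""
SAMPLE_WINLOGON = {"Shell": "explorer.exe C:\\Windows\\System32\\vxd32.exe"}

if __name__ == "__main__":
    print("system.ini extras:", check_system_ini(SAMPLE_SYSTEM_INI))
    print("Winlogon Shell extras:", check_winlogon(SAMPLE_WINLOGON))
```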

    W32/Dumaru-Y monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder.

    The worm also logs information in the file winload.log in the Windows folder. The logs of system activity may be uploaded to a remote FTP server.

    W32/Dumaru-Y has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB.

    W32/Dumaru-Y includes a backdoor component which uses port 2283 and an FTP server which uses port 10000.

    Once installed, W32/Dumaru-Y sends a notification email to the worm's owner.

    Instructions for removing worms are at this Sophos page.

    According to Symantec, W32.Dumaru.Z@mm is a multi-threaded, mass-mailing worm that downloads and runs a file, runs a keylogger, and attempts to steal personal information. It is very similar to W32.Dumaru.Y@mm.

    Technical details are at this Symantec page.

    According to Trend Micro, this mass-mailing worm propagates by sending copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine.

    It logs keystrokes and gathers information from the infected machine, which it saves and sends out to a malicious user through email. It also steals clipboard and protected storage data, as well as user information related to E-gold bank accounts.

    It runs on Windows 95, 98, ME, NT, 2000 and XP.

    Technical details are at this Trend Micro page.

    Worm Spreads Via Email With Attachment

    Sysout.A is a worm that spreads via e-mail in a message with variable characteristics, but which always has an attached file with a double extension.

    Sysout.A searches for e-mail addresses in all the files of the computer, and then sends itself out to all the addresses it has gathered, using its own mail engine.

    Find out more at this Panda Software page.

    --Compiled by Esther Shein

    Copyright © 2008 scaesar.com