lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 24 Jan 2004 14:50:42 -0800
From: Gadi Evron <ge@...tistical.reprehensible.net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]


A warning was issued earlier today from James Love regarding this new worm.

Most AV firms already posted something on it on their web sites.

This worm is a possible outbreak, how serious is not yet clear. If it 
becomes a full-scale outbreak, we will post a follow-up.

It is important to note that this may hit beyond the private sector as 
well, since many organizations allow .ZIP files.

See attached message.

This message is forwarded from the TH-Research mailing list, according 
to the guidelines specified in the FAQ.

	Gadi Ecvron

From: "Ken Dunham" <dunhamk@...i.net>
To: TH-Research
Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak
Date: Sat, 24 Jan 2004 05:21:20 -0700

Mail from "Ken Dunham" <dunhamk@...i.net>

It's early on, but this new variant of Dumaru has potential as a ZIP
spreading worm that installs a Trojan.  Details below acquired from multiple
sources:

Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new
variant of the Dumaru worm that spreads via e-mail and installs a backdoor
Trojan horse. At least one vendor has attributed the origin of this new
Dumaru worm to Russia. E-mails sent by Dumaru.J have the following
characteristics:

From: Elene <FUCKENSUICIDE@...MAIL.COM>
Subject: Hi
Important information for you. Read it immediately !
Message: Hi
Here is my photo, that you asked for yesterday
Attachment: myphoto.zip (17,613 bytes)

Note that when unzipped, myphoto.zip installs myphoto.jpg56 SPACES.exe
(17,370 bytes). The MD5 value for myphoto.zip is
0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56
SPACES.exe file is 7b126cd0910619e998499a077ed8f108.

More than 200 interceptions of the aforementioned e-mail have been
discovered at the time of this writing.

If Dumaru.J is executed, it attempts to create a copy of itself in the
Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts
to save the file rundllx.sys in the Windows directory. Dumaru.J also
attempts to save a copy of itself in the Windows Startup directory as
dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory
as a copy of the worm it e-mails to target addresses. The Windows registry
is modified to run the Trojan upon Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe

Dumaru.J may also attempt to create the following registry key:

HKLM\Software\SARS

On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to
modify the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe

The Dumaru.J worm also modifies the file system.ini to run the worm upon
Windows startup:

System.ini
[boot]
Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe

Win.ini may also be modified by the worm to run itself upon Windows startup:

[windows]
run=%WinDir%\rundllx.sys

Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html,
.tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000
for commands from a remote attacker. Once connected, an attacker is able to
log keystrokes, capture clipboard information, modify local settings,
perform file management, install additional malicious code and perform other
malicious actions.

Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y,
W32.Dumaru.Y@mm, W32/Dumaru.y@MM

Sources:   AVIEN, Jan. 24, 2004
Network Associates Inc./McAfee.com
(http://vil.nai.com/vil/content/v_100980.htm), Jan. 24, 2004
Symantec Corp.
(http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.htm
l), Jan. 24, 2004
F-Secure Corp. (http://www.f-secure.com/v-descs/dumaru_y.shtml), Jan. 24,
2004
Messagelabs
(http://www.messagelabs.com/viruseye/info/default.asp?frompage=threats+list&
fromURL=%2Fviruseye%2Fthreats%2Flist%2Fdefault%2Easp&virusname=W32%2FDumaru%
2EY%2Dmm), Jan. 24, 2004


-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list

-- 
       Gadi Evron,
       ge@...uxbox.org.

The Trojan Horses Research mailing list - http://ecompute.org/th-list

My resume (Hebrew) - http://www.math.org.il/resume.rtf

PGP key for ge@...uxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email 
messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists