Message-ID: <3F4DD9F2.6060400@dylanic.de>
From: security at dylanic.de (Michael Renzmann)
Subject: Backdoor, Virus, Dialer? More information.

Hi all.

Valdis.Kletnieks@...edu wrote:
>>Recently I received some mails in english language. The writer (who 
>>pretends being security@...rosoft.com, but the header says "Sender: 
>>admin@...a.gov.ru") generously sends a patch along with his mail which 
>>should be applied in order to fix a security bug... ha ha.
> Most likely a known virus, W32/Dumaru-A.   If what you have there *doesn't*
> match that one, give us another buzz....

As Valdis pointed out, the mail seems to be the result of a 
W32/Dumaru@...variant. Another fd-reader pointed to W32/Dumaru.B@mm as well.

Symantec currently lists two variants of W32/Dumaru:

1. W32/Dumaru@mm, having an attachment with 9216 bytes
2. W32/Dumaru.b@mm, having an attachment with 34304 bytes

However, the mails I received (at least five of them) have an attachment 
of 9276 bytes. Either Symantec has a typo at their site, or this could 
be a new variant.

As there were many people asking me to send them the binary, I decided 
to put the file and a copy of the mail on my webserver. To be found at 
http://www.otaku42.de/download/dumaru/index.html

Bye, Mike
