| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3F4DF203.3050903@aor-consult.de> From: oliver.ritter at aor-consult.de (Oliver Ritter) Subject: Backdoor, Virus, Dialer? More information. Hi all Kaspersky also recognized the binary as I.-Worm.Dumaru.a Michael Renzmann wrote: > Hi all. > > Valdis.Kletnieks@...edu wrote: > >>> Recently I received some mails in english language. The writer (who >>> pretends being security@...rosoft.com, but the header says "Sender: >>> admin@...a.gov.ru") generously sends a patch along with his mail >>> which should be applied in order to fix a security bug... ha ha. >> >> Most likely a known virus, W32/Dumaru-A. If what you have there >> *doesnt* >> match that one, give us another buzz.... > > > As Vladis pointed out, the mail seems to be result of a > W32/Dumaru@...variant. Another fd-reader pointed to W32/Dumaru.B@mm as > well. > > Symantec currently lists two variants of W32/Dumaru: > > 1. W32/Dumaru@mm, having an attachment with 9216 bytes > 2. W32/Dumaru.b@mm, having an attachment with 34304 bytes > > However, the mails I received (at least five of them) have an > attachment with 9276 byte. Either Symantec has a typo at their site, > or this could be a new variant. > > As there were many people asking me to send them the binary, I decided > to put the file and a copy of the mail on my webserver. To be found at > http://www.otaku42.de/download/dumaru/index.html > > Bye, Mike > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists