[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4012F6C2.8030200@egotistical.reprehensible.net>
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]
A warning was issued earlier today from James Love regarding this new worm.
Most AV firms already posted something on it on their web sites.
This worm is a possible outbreak, how serious is not yet clear. If it
becomes a full-scale outbreak, we will post a follow-up.
It is important to note that this may hit beyond the private sector as
well, since many organizations allow .ZIP files.
See attached message.
This message is forwarded from the TH-Research mailing list, according
to the guidelines specified in the FAQ.
Gadi Ecvron
From: "Ken Dunham" <dunhamk@...i.net>
To: TH-Research
Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak
Date: Sat, 24 Jan 2004 05:21:20 -0700
Mail from "Ken Dunham" <dunhamk@...i.net>
It's early on, but this new variant of Dumaru has potential as a ZIP
spreading worm that installs a Trojan. Details below acquired from multiple
sources:
Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new
variant of the Dumaru worm that spreads via e-mail and installs a backdoor
Trojan horse. At least one vendor has attributed the origin of this new
Dumaru worm to Russia. E-mails sent by Dumaru.J have the following
characteristics:
From: Elene <FUCKENSUICIDE@...MAIL.COM>
Subject: Hi
Important information for you. Read it immediately !
Message: Hi
Here is my photo, that you asked for yesterday
Attachment: myphoto.zip (17,613 bytes)
Note that when unzipped, myphoto.zip installs myphoto.jpg56 SPACES.exe
(17,370 bytes). The MD5 value for myphoto.zip is
0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56
SPACES.exe file is 7b126cd0910619e998499a077ed8f108.
More than 200 interceptions of the aforementioned e-mail have been
discovered at the time of this writing.
If Dumaru.J is executed, it attempts to create a copy of itself in the
Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts
to save the file rundllx.sys in the Windows directory. Dumaru.J also
attempts to save a copy of itself in the Windows Startup directory as
dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory
as a copy of the worm it e-mails to target addresses. The Windows registry
is modified to run the Trojan upon Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe
Dumaru.J may also attempt to create the following registry key:
HKLM\Software\SARS
On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to
modify the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
The Dumaru.J worm also modifies the file system.ini to run the worm upon
Windows startup:
System.ini
[boot]
Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
Win.ini may also be modified by the worm to run itself upon Windows startup:
[windows]
run=%WinDir%\rundllx.sys
Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html,
.tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000
for commands from a remote attacker. Once connected, an attacker is able to
log keystrokes, capture clipboard information, modify local settings,
perform file management, install additional malicious code and perform other
malicious actions.
Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y,
W32.Dumaru.Y@mm, W32/Dumaru.y@MM
Sources: AVIEN, Jan. 24, 2004
Network Associates Inc./McAfee.com
(http://vil.nai.com/vil/content/v_100980.htm), Jan. 24, 2004
Symantec Corp.
(http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.htm
l), Jan. 24, 2004
F-Secure Corp. (http://www.f-secure.com/v-descs/dumaru_y.shtml), Jan. 24,
2004
Messagelabs
(http://www.messagelabs.com/viruseye/info/default.asp?frompage=threats+list&
fromURL=%2Fviruseye%2Fthreats%2Flist%2Fdefault%2Easp&virusname=W32%2FDumaru%
2EY%2Dmm), Jan. 24, 2004
-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list
--
Gadi Evron,
ge@...uxbox.org.
The Trojan Horses Research mailing list - http://ecompute.org/th-list
My resume (Hebrew) - http://www.math.org.il/resume.rtf
PGP key for ge@...uxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email
messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
Powered by blists - more mailing lists