Full Disclosure mailing list archives
Re: Backdoor, Virus, Dialer? More information.
From: Michael Renzmann <security () dylanic de>
Date: Thu, 28 Aug 2003 12:31:14 +0200
Hi all.
Valdis.Kletnieks () vt edu wrote:
Recently I received some mails in English language. The writer (who pretends being security () microsoft com, but the header says "Sender: admin () duma gov ru") generously sends a patch along with his mail which should be applied in order to fix a security bug... ha ha.
Most likely a known virus, W32/Dumaru-A. If what you have there *doesn't* match that one, give us another buzz....
As Valdis pointed out, the mail seems to be the result of a W32/Dumaru@mm-variant. Another fd-reader pointed to W32/Dumaru.B@mm as well.
Symantec currently lists two variants of W32/Dumaru:
1. W32/Dumaru@mm, having an attachment with 9216 bytes
2. W32/Dumaru.b@mm, having an attachment with 34304 bytes
However, the mails I received (at least five of them) have an attachment with 9276 bytes. Either Symantec has a typo at their site, or this could be a new variant.
As there were many people asking me to send them the binary, I decided to put the file and a copy of the mail on my webserver. To be found at http://www.otaku42.de/download/dumaru/index.html
Bye, Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
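
Added example, not part of the original post or of any vendor tooling: a small triage helper that automates the two checks made by hand in the message above, the From/Sender domain mismatch and the comparison of attachment size against the two sizes quoted from Symantec. The function names, the `.example` addresses and the zero-filled attachment are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment sizes per variant, as quoted from Symantec in the post above.
LISTED_SIZES = {9216: "W32/Dumaru@mm", 34304: "W32/Dumaru.b@mm"}

def triage(raw: bytes) -> dict:
    """Summarise the header and attachment facts the post compares by hand."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_addr = parseaddr(str(msg.get("Sender", "")))[1].lower()
    report = {
        "from": from_addr,
        "sender": sender_addr,
        # A Sender header on another domain than From is the mismatch
        # the poster spotted in the headers.
        "sender_mismatch": bool(sender_addr) and
            from_addr.rpartition("@")[2] != sender_addr.rpartition("@")[2],
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "filename": part.get_filename(),
            "size": len(data),
            # The hash identifies the exact file; size alone is only a hint.
            "sha256": hashlib.sha256(data).hexdigest(),
            "listed_as": LISTED_SIZES.get(len(data), "unlisted size"),
        })
    return report

def build_sample(size: int) -> bytes:
    """Constructed message with a harmless zero-filled attachment."""
    m = EmailMessage()
    m["From"] = "Security <security@microsoft.example>"
    m["Sender"] = "admin@duma.example"
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename="patch.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for size in (9216, 9276):
        print(triage(build_sample(size)))
```

An "unlisted size" result, as with the 9276-byte case, means the file needs analysis by hash or content rather than being assumed to match a listed variant.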