Full Disclosure mailing list archives
[Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]
From: Gadi Evron <ge () egotistical reprehensible net>
Date: Sat, 24 Jan 2004 14:50:42 -0800
A warning was issued earlier today from James Love regarding this new worm. Most AV firms already posted something on it on their web sites.This worm is a possible outbreak, how serious is not yet clear. If it becomes a full-scale outbreak, we will post a follow-up.
It is important to note that this may hit beyond the private sector as well, since many organizations allow .ZIP files.
See attached message.This message is forwarded from the TH-Research mailing list, according to the guidelines specified in the FAQ.
Gadi Ecvron From: "Ken Dunham" <dunhamk () rmci net> To: TH-Research Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak Date: Sat, 24 Jan 2004 05:21:20 -0700 Mail from "Ken Dunham" <dunhamk () rmci net> It's early on, but this new variant of Dumaru has potential as a ZIP spreading worm that installs a Trojan. Details below acquired from multiple sources: Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new variant of the Dumaru worm that spreads via e-mail and installs a backdoor Trojan horse. At least one vendor has attributed the origin of this new Dumaru worm to Russia. E-mails sent by Dumaru.J have the following characteristics: From: Elene <FUCKENSUICIDE () HOTMAIL COM> Subject: Hi Important information for you. Read it immediately ! Message: Hi Here is my photo, that you asked for yesterday Attachment: myphoto.zip (17,613 bytes) Note that when unzipped, myphoto.zip installs myphoto.jpg56 SPACES.exe (17,370 bytes). The MD5 value for myphoto.zip is 0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56 SPACES.exe file is 7b126cd0910619e998499a077ed8f108. More than 200 interceptions of the aforementioned e-mail have been discovered at the time of this writing. If Dumaru.J is executed, it attempts to create a copy of itself in the Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts to save the file rundllx.sys in the Windows directory. Dumaru.J also attempts to save a copy of itself in the Windows Startup directory as dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory as a copy of the worm it e-mails to target addresses. The Windows registry is modified to run the Trojan upon Windows startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe Dumaru.J may also attempt to create the following registry key: HKLM\Software\SARS On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to modify the following registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe The Dumaru.J worm also modifies the file system.ini to run the worm upon Windows startup: System.ini [boot] Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe Win.ini may also be modified by the worm to run itself upon Windows startup: [windows] run=%WinDir%\rundllx.sys Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html, .tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000 for commands from a remote attacker. Once connected, an attacker is able to log keystrokes, capture clipboard information, modify local settings, perform file management, install additional malicious code and perform other malicious actions. Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y, W32.Dumaru.Y@mm, W32/Dumaru.y@MM Sources: AVIEN, Jan. 24, 2004 Network Associates Inc./McAfee.com (http://vil.nai.com/vil/content/v_100980.htm), Jan. 24, 2004 Symantec Corp. (http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y () mm htm l), Jan. 24, 2004 F-Secure Corp. (http://www.f-secure.com/v-descs/dumaru_y.shtml), Jan. 24, 2004 Messagelabs (http://www.messagelabs.com/viruseye/info/default.asp?frompage=threats+list& fromURL=%2Fviruseye%2Fthreats%2Flist%2Fdefault%2Easp&virusname=W32%2FDumaru% 2EY%2Dmm), Jan. 24, 2004 - TH-Research, the Trojan Horses Research mailing list. List home page: http://ecompute.org/th-list -- Gadi Evron, ge () linuxbox org. The Trojan Horses Research mailing list - http://ecompute.org/th-list My resume (Hebrew) - http://www.math.org.il/resume.rtf PGP key for ge () linuxbox org - http://vapid.reprehensible.net/~ge/Gadi_Evron.ascNote: this key is used mainly for files and attachments, I sign email messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak] Gadi Evron (Jan 24)