Hi all

Kaspersky also recognized the binary as I.-Worm.Dumaru.a

Michael Renzmann wrote:

Hi all.

[EMAIL PROTECTED] wrote:

Recently I received some mails in the English language. The writer (who pretends to be [EMAIL PROTECTED], but the header says "Sender: [EMAIL PROTECTED]") generously sends a patch along with his mail which should be applied in order to fix a security bug... ha ha.

Most likely a known virus, W32/Dumaru-A. If what you have there *doesn't*
match that one, give us another buzz....


As Vladis pointed out, the mail seems to be the result of a W32/[EMAIL PROTECTED]. Another fd-reader pointed to W32/[EMAIL PROTECTED] as well.

Symantec currently lists two variants of W32/Dumaru:

1. W32/[EMAIL PROTECTED], having an attachment with 9216 bytes
2. W32/[EMAIL PROTECTED], having an attachment with 34304 bytes

However, the mails I received (at least five of them) have an attachment with 9276 bytes. Either Symantec has a typo at their site, or this could be a new variant.

As there were many people asking me to send them the binary, I decided to put the file and a copy of the mail on my webserver. To be found at http://www.otaku42.de/download/dumaru/index.html

Bye, Mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

