Most AV firms already posted something on it on their web sites.
This worm is a possible outbreak, how serious is not yet clear. If it becomes a full-scale outbreak, we will post a follow-up.
It is important to note that this may hit beyond the private sector as well, since many organizations allow .ZIP files.
See attached message.
This message is forwarded from the TH-Research mailing list, according to the guidelines specified in the FAQ.
Gadi Ecvron
From: "Ken Dunham" <[EMAIL PROTECTED]> To: TH-Research Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak Date: Sat, 24 Jan 2004 05:21:20 -0700
Mail from "Ken Dunham" <[EMAIL PROTECTED]>
It's early on, but this new variant of Dumaru has potential as a ZIP spreading worm that installs a Trojan. Details below acquired from multiple sources:
Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new variant of the Dumaru worm that spreads via e-mail and installs a backdoor Trojan horse. At least one vendor has attributed the origin of this new Dumaru worm to Russia. E-mails sent by Dumaru.J have the following characteristics:
From: Elene <[EMAIL PROTECTED]> Subject: Hi Important information for you. Read it immediately ! Message: Hi Here is my photo, that you asked for yesterday Attachment: myphoto.zip (17,613 bytes)
Note that when unzipped, myphoto.zip installs myphoto.jpg56 SPACES.exe (17,370 bytes). The MD5 value for myphoto.zip is 0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56 SPACES.exe file is 7b126cd0910619e998499a077ed8f108.
More than 200 interceptions of the aforementioned e-mail have been discovered at the time of this writing.
If Dumaru.J is executed, it attempts to create a copy of itself in the Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts to save the file rundllx.sys in the Windows directory. Dumaru.J also attempts to save a copy of itself in the Windows Startup directory as dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory as a copy of the worm it e-mails to target addresses. The Windows registry is modified to run the Trojan upon Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe
Dumaru.J may also attempt to create the following registry key:
HKLM\Software\SARS
On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to modify the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
The Dumaru.J worm also modifies the file system.ini to run the worm upon Windows startup:
System.ini [boot] Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
Win.ini may also be modified by the worm to run itself upon Windows startup:
[windows] run=%WinDir%\rundllx.sys
Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html, .tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000 for commands from a remote attacker. Once connected, an attacker is able to log keystrokes, capture clipboard information, modify local settings, perform file management, install additional malicious code and perform other malicious actions.
Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y, [EMAIL PROTECTED], W32/[EMAIL PROTECTED]
Sources: AVIEN, Jan. 24, 2004 Network Associates Inc./McAfee.com (http://vil.nai.com/vil/content/v_100980.htm), Jan. 24, 2004 Symantec Corp. (http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] l), Jan. 24, 2004 F-Secure Corp. (http://www.f-secure.com/v-descs/dumaru_y.shtml), Jan. 24, 2004 Messagelabs (http://www.messagelabs.com/viruseye/info/default.asp?frompage=threats+list&; fromURL=%2Fviruseye%2Fthreats%2Flist%2Fdefault%2Easp&virusname=W32%2FDumaru% 2EY%2Dmm), Jan. 24, 2004
- TH-Research, the Trojan Horses Research mailing list. List home page: http://ecompute.org/th-list
--
Gadi Evron,
[EMAIL PROTECTED]The Trojan Horses Research mailing list - http://ecompute.org/th-list
My resume (Hebrew) - http://www.math.org.il/resume.rtf
PGP key for [EMAIL PROTECTED] -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
