[OT] WARNING: Dumaru.J virus

[Steven Burn]

The voodoo that Dumaru doesn't do too well.
By Mike Kemp
Posted: 26/01/2004 at 11:55 GMT

This weekend saw another iteration of email worm Dumaru. Unlike other email
worm variants, Dumaru.J spreads itself by way of a zip attachment (rather
than the typical executable). Of course, should users open the zipped file,
and click the file 'myphoto.jpg.56 (spaces). exe' Dumaru does its typically
annoying thing.

Dumaru is sent as an attached zip in an email with the subject line of
'Important information for you. Read it immediately!'. I f Dumaru.J is
executed, it attempts to create a copy of itself in the Windows System
directory as both l32x.exe and vxd32v.exe. Dumaru then attempts to save the
file rundllx.sys in the Windows directory. Dumaru.J also attempts to save a
copy of itself in the Windows Startup directory as dllxw.exe. Dumaru.J
creates the file zip.tmp in the Windows Temp directory as a copy of the worm
it e-mails to target addresses. The Windows registry
is modified to run the Trojan upon Windows start up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe

Dumaru.J may also attempt to create the following registry key:

HKLM\Software\SARS

Once installed on an infected machine, Dumaru scans the hard drive for email
addresses to which it sends itself via its own SMTP engine on port 25.

Perhaps the most worrying feature of the worm though, is that it opens and
listens on TCP port 10,000 for remote commands, allowing unfettered system
access.

Although AV vendors rate Dumaru as a low to mid priority threat the fact
that it is transmitted as a zip file which many corporates allow, and when
installed the worm can be used for remote access are causes for conceqrn.

As always, the advice is to update AV signatures. The initial infecting
account appears to be the charmingly-titled '(e-mail address removed)', so
it's probably worth blocking that too.®

Copyright ©2004 The Register

Screenshots available at: http://www.theregister.co.uk/content/56/35105.html

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)

 

[Steven Burn]

As an addition, just received the following from Spyware Info

SWI Readers,

There is a widespread outbreak of the WORM_MIMAIL.R email worm.

This worm is spoofing the sender's email address. If you receive one of
these emails, the person in the FROM: address is NOT the person who sent it
to you.

If you are running an email server with antivirus software that bounces
virus infected emails, FOR GOD'S SAKE STOP BOUNCING THEM! You are
participating in a denial of service attack by bouncing viruses at people
who are not infected. You could even infect them yourself! STOP BOUNCING
THEM!

If you receive an email like the one described below, DON'T OPEN IT! Delete
it immediately, update your antivirus program and scan. If you don't have an
antivirus, get one.
http://www.nod32.com/ Nod32 $39.00 (The best AV available)
http://www.grisoft.com/ AVG Free (Good enough for the price)

Description From Trendmicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.
R

A new variant of the MIMAIL worm has been found in the wild. As of January
26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to
control the spread of WORM_MIMAIL.R.

Also known as W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

This mass-mailing worm selects from a list of email subjects, message
bodies, and attachment file names. It can also propagate using the Kazaa
peer-to-peer file sharing network.

It performs a denial of service (DoS) attack against the software business
site www.sco.com. It attacks the site if the system date is February 1, 2004
or later. It ceases attacking the site and running most of its routines on
February 12, 2004.

It runs on Windows 98, ME, NT, 2000 and XP.

It sends email with the following details:

Subject: (any of the following)
.. Error
.. Status
.. Server Report
.. Mail Transaction Failed
.. Mail Delivery System
.. hello
.. hi

Message Body: (any of the following)
.. The message contains Unicode characters and has been sent as a binary
attachment.
.. The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
.. Mail transaction failed. Partial message is available.
.. test

Attachment: &ltRandom name>.zip

Post this on every message board you can find. Get the word out. If you have
a friend or family member who does not understand how to operate an
antivirus, please check that they are updated and protected. If you know
someone running antivirus on an email server, please tell them to turn off
the bounce feature.

The normal SWI newsletter is going to be a day or two late. I am having bad
weather here and it's interrupting my internet connection.


Regards,

Mike Healan
Editor
www.spywareinfo.com

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)

 

[peter online]

AVG and Grisoft AntiVir never worked for me like the free online scan by
pandasoftware.com and 'Stinger'.

On Monday morning alone 21 virusses were detected, ALL in my Mozilla Inbox:
W32/Gibe.C.worm in [Installation1.exe], [UPGRADE.exe], [Pack5288.exe],
[upgrade749.exe],[Upgrade54.exe], [yourregistration.pif]
W32/Sober.C.worm in [yourregistration.pif], [~000392.@x@][letters.exe],
[qqhqk.exe], [~000717.@x@] etc. More than 80 since Monday morning.

I let the free service desinfect my whole PC - works only with Internet Explorer
(I use MyIE of course):
<http://www.pandasoftware.com/activescan/com/activescan_principal.htm>
They download a small program to your pc and scan what you chose, one or more
HDDs - offline if you want. -

Similar and effective is this small freeware to download here:
http://vil.nai.com/vil/stinger/ - McAfee AVERT Stinger - a 'must' these days!

"Stinger is a stand-alone utility used to detect and remove specific viruses. It
is not a substitute for full anti-virus protection, but rather a tool to assist
administrators and users when dealing with an infected system. Stinger utilizes
next generation scan engine technology, including process scanning, digitally
signed DAT files, and scan performance optimizations." - 720 KB download - A new
version nearly every day - depending on virus alerts!
"Scans for 37 viruses, trojans and variants." (one was built Jan 26, 27 and 28
04) I can only recommend both services!