Urgent Virus Alert: Dumaru.Y and .Z

Zipped Picture Hides a Malicious Surprise

26 January 2004

About the Virus

Two similar new variants of the Dumaru virus appeared on the Internet this weekend. The first Dumaru virus popped up last August, but did not spread enough to pose a serious threat. However, Dumaru.Y and .Z seem to have taken hold, probably because the virus payload travels as a compressed e-mail attachment. Such an approach may sneak past perimeter filtering, since most administrators allow .zip files to enter. If one of your users opens and runs Dumaru's zipped executable, the virus steals the victim's personal information and installs a back door that could allow the virus author full control of your user's computer.

Distinguishing Characteristics

Dumaru.Y and .Z always look the same. You'll recognize them easily:

From: "Elene" FUCKENSUICIDE@HOTMAIL.COM

Subject: Important information for you. Read it immediately !

Body:

Hi! (In a large, red font)

Here is my photo, that you asked for yesterday.

Attachment: Myphoto.zip <-- (This zip file contains another file called "Myphoto.jpg [lots of spaces] .exe")

In order to execute the virus, one of your users must first open Dumaru's zipped attachment, then run the executable within. If the user runs the executable, Dumaru installs itself in various locations on the user's machine and creates registry entries so that it can restart upon reboot. It also finds e-mail addresses on your user's computer and sends itself to them, using its own SMTP engine.

Dumaru.Y and .Z also carry malicious payloads. Both viruses log your user's keystrokes and monitor the clipboard. This allows the virus to gather sensitive data that might include passwords, credit card info, or proprietary information about your organization. The virus also monitors connections to egold.com in hopes of capturing user login information for that site. Dumaru e-mails all the data it gathers to the virus author's address, hardcoded within the virus.

Finally, Dumaru installs a back door on your user's computer that listens on TCP ports 2283 and 10000. This allows the virus author to issue instructions to your user's computer, essentially giving the attacker full control of the machine.

According to McAfee, Dumaru.Z differs from Dumaru.Y only in the size of its malicious payload and in that it downloads a spybot from a URL hard-coded within the virus.

What you can do

  • As always, remind your users never to open unexpected attachments from any source.

  • Most major anti-virus vendors already have signatures that detect both Dumaru Y and Z. Check with your vendor for the latest update, and make sure you've installed it.
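One perimeter check that follows from the attachment described above, added here as an example and not part of the original alert: a small Python scanner that opens a zipped attachment in memory and flags entries that use Dumaru's padded double-extension trick ("Myphoto.jpg [lots of spaces] .exe") or that start with a Windows executable header. The sample archive it builds is constructed for the demonstration and contains a dummy payload, not the virus.

```python
import io
import re
import zipfile

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user expects to be harmless media or documents.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".txt", ".pdf"}

def classify_name(name):
    """Findings for one archive entry name. Dumaru's entry is
    "Myphoto.jpg<many spaces>.exe": whitespace padding pushes the real
    extension out of the visible part of the attachment name."""
    base = name.rsplit("/", 1)[-1]  # drop any directory component
    real_ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    stem = base[:-len(real_ext)] if real_ext else base
    padded = re.search(r"\s{2,}$", stem) is not None  # run of spaces before the real extension
    inner = stem.rstrip()
    decoy_ext = "." + inner.rsplit(".", 1)[-1].lower() if "." in inner else ""
    return {
        "name": base,
        "executable": real_ext in EXECUTABLE_EXTS,
        "padded_extension": padded,
        "double_extension": decoy_ext in DECOY_EXTS and real_ext in EXECUTABLE_EXTS,
    }

def scan_zip_attachment(data):
    """Inspect every file in a zipped attachment (bytes); return the entries to block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f = classify_name(info.filename)
            # A Windows executable starts with "MZ", whatever its name claims.
            with zf.open(info) as fh:
                f["pe_header"] = fh.read(2) == b"MZ"
            if f["executable"] or f["padded_extension"] or f["pe_header"]:
                findings.append(f)
    return findings

def build_sample():
    """Constructed stand-in for Dumaru's Myphoto.zip; the payload bytes are a dummy, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Myphoto.jpg" + " " * 60 + ".exe", b"MZ" + b"\x00" * 30)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()
```

Running scan_zip_attachment(build_sample()) returns only the padded .exe entry; the plain text file passes. A mail gateway would apply the same check to each inbound .zip before delivery.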
