RE: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]

From: Dowling, Gabrielle (
Date: 01/25/04

  • Next message: Gadi Evron: "Re: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]"
    To: "Gadi Evron" <>, <>, <>
    Date: Sun, 25 Jan 2004 02:54:01 -0500


    Most corporations use content filtering that inspects the attachment object type, thus will block an exe that masquerades as a zip file. I hope others will chime in here as I've never had an opportinuty to test it, but I suspect that it would be tremendously difficult if not impossible for files with this extension to executw on a asingle click.

    Why are yiu suggesting that this is a pssible "outbreak", and what exactly do you mean by that?

    Dumaru has been around for a while now, but I'm not aware of it being any particular problem for corporations, and it doesn't really seem to have a payload other than self mailing in environments where a self contained smtp engine can mail out over port 25.

    Also, why we have a significant problem with nomenclature AV wise in general, these days I have a problem with calling a mass mailer a worm. Why don't you just call it. Mass mailer?

    If anyone has curiosity about mass mailer prevalence, is a good place to look.



     -----Original Message-----
    From: Gadi Evron []
    Sent: Sat Jan 24 08:07:06 2004
    Subject: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]

    A warning was issued earlier today from James Love regarding this new worm.

    Most AV firms already posted something on it on their web sites.

    This worm is a possible outbreak, how serious is not yet clear. If it
    becomes a full-scale outbreak, we will post a follow-up.

    It is important to note that this may hit beyond the private sector as
    well, since many organizations allow .ZIP files.

    See attached message.

    This message is forwarded from the TH-Research mailing list, according
    to the guidelines specified in the FAQ.

            Gadi Ecvron

    From: "Ken Dunham" <>
    To: TH-Research
    Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak
    Date: Sat, 24 Jan 2004 05:21:20 -0700

    Mail from "Ken Dunham" <>

    It's early on, but this new variant of Dumaru has potential as a ZIP
    spreading worm that installs a Trojan. Details below acquired from multiple

    Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new
    variant of the Dumaru worm that spreads via e-mail and installs a backdoor
    Trojan horse. At least one vendor has attributed the origin of this new
    Dumaru worm to Russia. E-mails sent by Dumaru.J have the following

    Subject: Hi
    Important information for you. Read it immediately !
    Message: Hi
    Here is my photo, that you asked for yesterday
    Attachment: (17,613 bytes)

    Note that when unzipped, installs myphoto.jpg56 SPACES.exe
    (17,370 bytes). The MD5 value for is
    0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56
    SPACES.exe file is 7b126cd0910619e998499a077ed8f108.

    More than 200 interceptions of the aforementioned e-mail have been
    discovered at the time of this writing.

    If Dumaru.J is executed, it attempts to create a copy of itself in the
    Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts
    to save the file rundllx.sys in the Windows directory. Dumaru.J also
    attempts to save a copy of itself in the Windows Startup directory as
    dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory
    as a copy of the worm it e-mails to target addresses. The Windows registry
    is modified to run the Trojan upon Windows startup:

    load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe

    Dumaru.J may also attempt to create the following registry key:


    On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to
    modify the following registry key:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe

    The Dumaru.J worm also modifies the file system.ini to run the worm upon
    Windows startup:

    Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe

    Win.ini may also be modified by the worm to run itself upon Windows startup:


    Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html,
    .tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000
    for commands from a remote attacker. Once connected, an attacker is able to
    log keystrokes, capture clipboard information, modify local settings,
    perform file management, install additional malicious code and perform other
    malicious actions.

    Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y,
    W32.Dumaru.Y@mm, W32/Dumaru.y@MM

    Sources: AVIEN, Jan. 24, 2004
    Network Associates Inc./
    (, Jan. 24, 2004
    Symantec Corp.
    l), Jan. 24, 2004
    F-Secure Corp. (, Jan. 24,
    2EY%2Dmm), Jan. 24, 2004

    TH-Research, the Trojan Horses Research mailing list.
    List home page:

           Gadi Evron,
    The Trojan Horses Research mailing list -
    My resume (Hebrew) -
    PGP key for -
    Note: this key is used mainly for files and attachments, I sign email 
    messages using:
    Full-Disclosure - We believe in it.
    This e-mail is sent by a law firm and contains information
    that may be privileged and confidential. If you are not the 
    intended recipient, please delete the e-mail and notify us 
    Full-Disclosure - We believe in it.

  • Next message: Gadi Evron: "Re: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]"

    Relevant Pages

    • FW: Actions for the Blaster Worm - Special Edition, TechNet Flash
      ... Actions for the Blaster Worm - Special Edition, ... You are receiving this message because you are a Microsoft newsletter ... Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory ... antivirus vendor and scan your machine. ...
    • Re: Cant apply KB835732 on various Win2k systems
      ... So these machines have the Sasser worm? ... Microsoft has learned about a worm identified as "W32.Sasser.worm" that is ... Windows XP Professional ... > AnalyzePhaseOne: used 7691 ticks ...
    • Safeguard Your PC Against the Downadup Worm
      ... Safeguard Your PC Against the Downadup Worm ... How to protect your PC from the biggest worm in years. ... Security experts say it's the biggest worm attack in years, ... Windows that Microsoft Corp. patched nearly four months ago. ...
    • [NEWS] A new Mass-Mailing and Backdoor Capable Worm Found in the Wild
      ... The worm uses the common auto-reply feature from an infected client to ... This directory varies with each version of Windows: ... It creates this registry entry to load the DLL file during startup: ... Message Body: Adult content!!! ...
    • Re: Installing a MS Patch killed my computer
      ... Best bet would've been to remove the worm before trying to install the ... patch - you're trying to lock the barn door after the cows have gotten out. ... Windows XP, Windows 2000, Windows Server 2003, Windows NT ... Symptoms of the virus: Some customer may not notice any symptoms at all. ...