RE: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]
From: Dowling, Gabrielle (dowlingg_at_sullcrom.com)
To: "Gadi Evron" <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org> Date: Sun, 25 Jan 2004 02:54:01 -0500
Most corporations use content filtering that inspects the attachment object type, thus will block an exe that masquerades as a zip file. I hope others will chime in here as I've never had an opportinuty to test it, but I suspect that it would be tremendously difficult if not impossible for files with this extension to executw on a asingle click.
Why are yiu suggesting that this is a pssible "outbreak", and what exactly do you mean by that?
Dumaru has been around for a while now, but I'm not aware of it being any particular problem for corporations, and it doesn't really seem to have a payload other than self mailing in environments where a self contained smtp engine can mail out over port 25.
Also, why we have a significant problem with nomenclature AV wise in general, these days I have a problem with calling a mass mailer a worm. Why don't you just call it. Mass mailer?
If anyone has curiosity about mass mailer prevalence, www.messagelabs.com/viruseye is a good place to look.
From: Gadi Evron [mailto:email@example.com]
Sent: Sat Jan 24 08:07:06 2004
To: firstname.lastname@example.org; email@example.com
Subject: [Full-Disclosure] [Fwd: [TH-research] Dumaru.J/Y Worm - Possible Outbreak]
A warning was issued earlier today from James Love regarding this new worm.
Most AV firms already posted something on it on their web sites.
This worm is a possible outbreak, how serious is not yet clear. If it
becomes a full-scale outbreak, we will post a follow-up.
It is important to note that this may hit beyond the private sector as
well, since many organizations allow .ZIP files.
See attached message.
This message is forwarded from the TH-Research mailing list, according
to the guidelines specified in the FAQ.
From: "Ken Dunham" <firstname.lastname@example.org>
Subject: [TH-research] Dumaru.J/Y Worm - Possible Outbreak
Date: Sat, 24 Jan 2004 05:21:20 -0700
Mail from "Ken Dunham" <email@example.com>
It's early on, but this new variant of Dumaru has potential as a ZIP
spreading worm that installs a Trojan. Details below acquired from multiple
Dumaru.J, aka Capegold, Worm Spreading in the Wild: Dumaru.J is a new
variant of the Dumaru worm that spreads via e-mail and installs a backdoor
Trojan horse. At least one vendor has attributed the origin of this new
Dumaru worm to Russia. E-mails sent by Dumaru.J have the following
From: Elene <FUCKENSUICIDE@HOTMAIL.COM>
Important information for you. Read it immediately !
Here is my photo, that you asked for yesterday
Attachment: myphoto.zip (17,613 bytes)
Note that when unzipped, myphoto.zip installs myphoto.jpg56 SPACES.exe
(17,370 bytes). The MD5 value for myphoto.zip is
0a62594d6617fffe57aba9ebe5733998 while the MD5 value for the myphoto.jpg56
SPACES.exe file is 7b126cd0910619e998499a077ed8f108.
More than 200 interceptions of the aforementioned e-mail have been
discovered at the time of this writing.
If Dumaru.J is executed, it attempts to create a copy of itself in the
Windows System directory as both l32x.exe and vxd32v.exe. Dumaru.J attempts
to save the file rundllx.sys in the Windows directory. Dumaru.J also
attempts to save a copy of itself in the Windows Startup directory as
dllxw.exe. Dumaru.J creates the file zip.tmp in the Windows Temp directory
as a copy of the worm it e-mails to target addresses. The Windows registry
is modified to run the Trojan upon Windows startup:
load32=C:\WINDOWS SYSTEM DIRECTORY\l32x.exe
Dumaru.J may also attempt to create the following registry key:
On Microsoft Corp. Windows NT/2000/XP/2003 computers, Dumaru.J attempts to
modify the following registry key:
Explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
The Dumaru.J worm also modifies the file system.ini to run the worm upon
Shell=explorer.exe C:\WINDOWS SYSTEM DIRECTORY\vxd32v.exe
Win.ini may also be modified by the worm to run itself upon Windows startup:
Dumaru.J attempts to search for e-mail addresses in .abd, .dbx, .htm, .html,
.tbb and .wab files. Once installed, Dumaru.J may listen on TCP port 10,000
for commands from a remote attacker. Once connected, an attacker is able to
log keystrokes, capture clipboard information, modify local settings,
perform file management, install additional malicious code and perform other
Alias: Dumaru.J, Dumaru, W32/Capegold-mm, Capegold, Dumaru.Y,
Sources: AVIEN, Jan. 24, 2004
Network Associates Inc./McAfee.com
(http://vil.nai.com/vil/content/v_100980.htm), Jan. 24, 2004
l), Jan. 24, 2004
F-Secure Corp. (http://www.f-secure.com/v-descs/dumaru_y.shtml), Jan. 24,
2EY%2Dmm), Jan. 24, 2004
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list
-- Gadi Evron, firstname.lastname@example.org. The Trojan Horses Research mailing list - http://ecompute.org/th-list My resume (Hebrew) - http://www.math.org.il/resume.rtf PGP key for email@example.com - http://vapid.reprehensible.net/~ge/Gadi_Evron.asc Note: this key is used mainly for files and attachments, I sign email messages using: http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ********************************************************************** This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately. *********************************************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html