Discovered: January 25, 2004
Updated: February 13, 2007 12:16:38 PM
Also Known As: W32/Dumaru.z@MM [McAfee], Win32.Dumaru.Z [Computer Associates], I-Worm.Dumaru.l [Kaspersky], WORM_DUMARU.Z [Trend]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Dumaru.Z@mm is a multi-threaded, mass-mailing worm that downloads and runs a file, runs a keylogger, and attempts to steal personal information. This worm is similar to the W32.Dumaru.Y@mm worm.
The email has the following characteristics:
From: "Elene" <F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip
The attachment is a zip file that contains the worm executable as "myphoto.jpg <spaces> .exe". (There are numerous spaces between ".jpg" and ".exe", so that the ".exe" is pushed out of view in a file listing.)
A large number of email messages were sent purporting to be from Microsoft, with a link to a Web page. This email exploits a bug in Microsoft Internet Explorer so that, although the link appears to be to www.microsoft.com, it is actually a link to a Web page that contains a Visual Basic script, which drops W32.Dumaru.Z@mm onto your computer under the name C:\2.exe.
The email that was sent is an HTML email message with the following characteristics.
Note: This is not the email that the worm itself sends; it is an email sent to deceive people into downloading the worm:
From: "Security-center" [security-center@microsoft.com]
Subject: Security warning
Message: MicroSoft News
Warning: a new virus, W32.Swen.A@mm, can infect your computer.
MicroSoft user,
this is the latest version of security update, the "January 2004, Cumulative Patch" udate which eliminates all known security vulnerabilities afecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.
[text omitted]
[end of email text].
The message includes two links named "Go to Download page."
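The two lures described above, the whitespace-padded "myphoto.jpg <spaces> .exe" archive member and the HTML message whose link appears to go to www.microsoft.com, can both be caught at the mail gateway with simple checks. The following Python is an added example and is not Symantec's or any vendor's code. The zip archive and HTML body it scans are constructed here to mimic the description; `example.net` is a placeholder host, and the userinfo (`user@host`) URL check is a generic indicator for that era's URL-spoofing bugs, since this writeup does not name the specific Internet Explorer flaw.

```python
"""Gateway triage for the two Dumaru.Z lures (added example, not vendor code)."""
import io
import os
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def classify_member_name(name):
    """Classify an archive member name by the extension trick it uses.
    Returns None for names whose final extension is not executable."""
    base = name.rsplit("/", 1)[-1]
    stem, final_ext = os.path.splitext(base)
    if final_ext.lower() not in EXECUTABLE_EXTS:
        return None
    padded = stem != stem.rstrip()            # whitespace before the real extension
    inner_ext = os.path.splitext(stem.rstrip())[1].lower()
    if inner_ext in DECOY_EXTS:
        return "padded-double-extension" if padded else "double-extension"
    return "executable"


def scan_zip_attachment(data):
    """Return (member_name, verdict) pairs for suspicious members of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = classify_member_name(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html_links(html):
    """Flag links whose href carries a userinfo part (user@host), a classic way
    to make a URL look like it points at a trusted host, and links whose visible
    text names a host other than the one the href really resolves to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        if "@" in u.netloc:
            findings.append((href, "userinfo-in-url"))
        elif text.lower().startswith(("www.", "http")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown != u.hostname:
                findings.append((href, "text-host-mismatch"))
    return findings


def build_sample_zip():
    """Constructed archive mimicking the worm's attachment name; the payload
    bytes are a placeholder, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 60 + ".exe", b"placeholder bytes, not a real program")
    return buf.getvalue()


# Constructed HTML body modelled on the fake "Security-center" message;
# example.net stands in for the attacker's host.
SAMPLE_HTML = """<html><body>
<p>MicroSoft user, install now to maintain the security of your computer.</p>
<a href="http://www.microsoft.com@example.net/update.html">Go to Download page.</a>
<a href="http://example.net/update.html">www.microsoft.com</a>
<a href="http://www.microsoft.com/">Genuine link</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()) + scan_html_links(SAMPLE_HTML):
        print(finding)
```

Run as a script, it reports the padded double extension on the zip member and both spoofed links while leaving the genuine microsoft.com link alone; the same two functions can be wired into a mail filter that quarantines messages with any finding.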
Protection
- Initial Rapid Release version: January 26, 2004
- Latest Rapid Release version: August 20, 2008 revision 017
- Initial Daily Certified version: January 26, 2004
- Latest Daily Certified version: January 20, 2009 revision 048
- Initial Weekly Certified release date: January 26, 2004
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 50 - 999
- Number of Sites: More than 10
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Writeup By: Fergal Ladley