Password-stealing Dumaru worm on the loose

Sneaking through network security as a zip file...

IT managers and computer users have been warned to watch out for a new email worm that attempts to steal users' passwords.

This worm, the latest version of the Dumaru virus, was first detected on Friday. Antivirus vendors are split between calling this variant Dumaru.Y or Dumaru.J (depending on how many previous variants they have detected and named since the first version appeared in August 2003), but there is consensus that users who make the mistake of opening the worm's payload could unwittingly reveal important passwords.

Security firm MessageLabs said on Monday that it is treating the worm as high risk, based on the number of copies it has intercepted.

Dumaru.J/Y arrives in a user's inbox as an email with the subject line of "Important information for you. Read it immediately!", sent from "fuckensuicide@hotmail.com". It comes with an attachment called myphoto.zip, which contains an executable file.

If run, this program will harvest email addresses from the user's local address book and forward copies of itself to them.

More worryingly, experts say that the worm could allow the virus writer to take control of the PC at a later date by secretly opening a network port. Potentially even more damaging is the fact that Dumaru.J/Y is thought to monitor the user's keystrokes.

According to Paul Wood, chief information security analyst at MessageLabs, Dumaru.J/Y is thought to be listening out for the passwords of people using the eGold electronic currency service.

Because the virus includes a zipped attachment, rather than an executable one, it is more likely to penetrate a network security system that has been set up to repel viruses. Such systems often block .exe files, but usually allow .zip files through.

To activate Dumaru.J/Y, a user would have to unzip the application and then run the unzipped file. The name of the unzipped file includes a large number of spaces to hide the final .exe and to make it look, at a glance, like a JPEG graphic.
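The evasion described above (a zip wrapper plus a whitespace-padded filename hiding the real .exe) can be checked for at a mail gateway by reading the archive's member names alone, without extracting anything. The following is an added example, not code from the article, MessageLabs or any antivirus vendor; the extension lists, the padding threshold and the sample archive are assumptions constructed for illustration.

```python
"""Flag zip attachments whose members use a padded, double-extension filename."""
import io
import re
import zipfile

# Extensions Windows will run on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user expects to be harmless data, usable as the visible decoy.
DECOY_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf")
# A whitespace run this long inside a filename has no honest purpose (assumption).
PAD_THRESHOLD = 8


def inspect_name(name: str) -> list[str]:
    """Return the reasons an archive member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # ignore any directory component
    stem, dot, ext = base.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # A long whitespace run pushes the real extension out of view.
        longest_pad = max((len(m) for m in re.findall(r"\s+", stem)), default=0)
        if longest_pad >= PAD_THRESHOLD:
            reasons.append(f"{longest_pad} padding characters before extension")
        # A decoy data extension sits in front of the padding, e.g. "photo.jpg      .exe".
        if stem.rstrip().lower().endswith(DECOY_EXTS):
            reasons.append("decoy data extension before real extension")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip attachment to the reasons it was flagged.

    Only the central directory is read; no member is extracted or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = inspect_name(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive: one benign member and one padded-name member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, nothing to see")
        zf.writestr("myphoto.jpg" + " " * 40 + ".exe", b"placeholder bytes, not a program")
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_attachment())` flags only the padded member, with all three reasons attached.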

MessageLabs had detected 14,000 copies of Dumaru.J/Y by early Monday morning, UK time, and was expecting to see a surge in activity once American computer users came online later in the day. It is also still detecting a high level of Dumaru.A activity.

All the major antivirus vendors are thought to have updated their signature files to defend against this latest Dumaru variant, but companies would be advised to ensure that their staff understand the risks posed by viruses.

"You should never open an attachment from any email address you don't recognise. Given that some virus writers are spoofing their emails, people should be very cautious even if an email appears to come from a reputable company," explained Wood.

Graeme Wearden writes for ZDNet UK

Comments

There are 3 comments.

  1. Don Tregartha

    While there are fools we'll have viruses.

    • 28 January 2004 13:29
  2. James Tweedie

    Agree with Don here. I cannot understand why 14,000 people deliberately extracted a .zip file from an email address "fuckensuicide@hotmail.com" and a subject line that is obviously a spam-line or similar.
    Or does Microsoft Outlook or Outlook Express automatically and helpfully open the email attachments?
    We have a company ban on Outlook for emails - we use Pegasus which does NOT open attachments or run any html or other code.

    Maybe there should be a computer license (like car license) so that people cannot own a computer until they've passed the test!

    • 29 January 2004 15:28
  3. Jan S. Krogh

    Thanks for your extensive and interesting information! Virus makers, much more than Mr. Bush's so-called "terrorists" from Iraq and Afghanistan, should be deported to Guantanamo Bay and kept there until they had written 1 billion times:
    "I promise I will never a virus anymore", "I promise I will never a virus anymore", "I promise I will never a virus anymore" etc.

    • 30 January 2004 14:20
