Alert - Windows users: Mass-mailer with backdoor component

Aug 25 2003

Antivirus Information

The Dumaru worm arrives in an email pretending to be a security patch from Microsoft. In reality, it is a mass-mailing email worm that installs a backdoor component onto infected systems.
The Dumaru worm's email arrives as follows:

From: Microsoft
Subject: Use this patch immediately !

Body of the email:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment: patch.exe

The Dumaru takes advantage of hair-trigger alert notifications in many antivirus and filtering products.
Advertisement

Rather than recognizing the infected email as a mass-mailing worm and simply discarding it, many popular security solutions send notifications to the sender, recipient, and/or system administrator. Dumaru falsifies the header information contained in the email, directing the Return-Path as follows:

Return-Path: <admin@duma.gov.ru>

This effectively launches an email Denial of Service (DoS) attack against the mail servers at duma.gov.ru. To prevent this attack, administrators should disable the sending of email notifications to alleged senders.

Dumaru installs a backdoor Trojan, Narod.A providing backdoor access to infected systems.

According to antivirus vendor Trend Micro the Dumaru worm also contains a viral component that infects PE_EXE files on the root of the local drive. For this reason, manual removal of the worm is not recommended. Instead, use antivirus software updated after August 19, 2003 to detect and disinfect Dumaru. A full technical description of the Dumaru worm's impact can be found here.