A new version of the dangerous Dumaru worm surfaced this weekend, and enterprise administrators are warned that this version creates a Windows Hook that logs keystrokes and opens two backdoors
Dumaru-Y can be contained, however. The worm travels compressed in a zip file as a .exe file. Blocking these executables and others that have no business merit should prevent infections. Most administrators have adopted this as a best practice.
The worm affects Windows Server 2003, Windows 2000, NT, XP, 98, 95 and ME systems via an e-mail with the subject line: "Important information for you. Read it immediately !" The message promises photos of a woman and the attachment is called "myphoto.jpg.exe. It is important to note that there are 56 spaces between .jpg and .exe in the attachment's file name.
If executed, the worm searches files on the hard drive for e-mail addresses to mail itself to potential new victims via a self-contained SMTP engine.
It also creates a WindowsHook, which according to Microsoft is a tool that intercepts messages, keystrokes, mouse actions and other events before they reach an application. WindowsHook can take actions against these events and sometimes modify or delete them.
Dumaru's WindowsHook can steal passwords as they are typed into Web forms and applications and logs them in a file called vxdload.log. Symantec Security Response said Dumaru is targeting passwords for the e-gold.com site in an attempt to steal accounts. E-gold is an online payment service.
The worm also starts an infinite loop looking for an Internet connection from the infected computer. Once a connection is found, the worm begins listening on TCP port 10000 and TCP port 2283. An attacker could in theory access a system via these two ports and either gain control of it, or use it as a relay. The worm also has the capability of mailing out its password logs to a hard-coded e-mail address, a remote FTP server, once the log file reaches a pre-determined size.
Sophos LPC reports that Dumaru-Y copies itself to the Windows system folder as I32.exe and vxd32v.exe and to the startup folder as dllxw.exe. Also, in order to execute each time an infected system is started, the worm resets the registry to: HKLMSoftwareMicrosoftWindowsCurrentVersionRunload32 = l32x.exe. For Windows NT systems, the registry is set to: HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogonShell= "explorer.exe" C:WindowsSystem32vxd32.exe.
Sophos adds that the worm changes the system.ini file by adding C:WINDOWSSYSTEMVXD32V.EXE" to the shell= line.