One of our own is currently having an issue with a worm that seems very similar to the W32/Dumaru worm from January 2004. The 2004 variant was a keylogger worm with its own SMTP engine and arrived via an email attachment called:
Myphoto.zip [48 spaces] .exe
The new version (if it is at all related) appears to be spread via MSN and the worm repeatedly tries to send the above file to everyone in the infected machine's MSN address book. The file name under MSN simply shows up as
Myphoto.zip (58KB)
I cannot find any information about this particular variant of W32/Dumaru or indeed if it is a brand new worm.
Does anyone have any information about this or can anyone help?
TL.
Sounds very similar to the transmission of the W32/Bropia worm?
TL.
All the info is for the older variants, with a smaller payload size.
I'd submit a sample to the big AV names, though they won't update your product if you're not using theirs.
Yep, can do that, but I'd rather have that happen from the source machine (which is not mine) and not deliberately accept it onto my own systems. Will pass that recommendation back to source.
TL.
Seems it does 2 things, Paul:
Port 2283 seems to be opened as a TCP proxy; meanwhile on port 10000 an FTP server is up that gives access to all the files on the PC's hard drive.
Here is some info for Dumaru:
http://www.pchell.com/virus/dumaruy.shtml
http://antivirus.about.com/cs/allabout/a/dumaruy.htm
http://antivirus.about.com/cs/virusencyclopedia/p/dumaruz.htm
Will see if I can find some more interesting articles which might help out.
Well a virus scan this morning discovered 'something' with a 'D' in the name, but the log was deleted so we'll never know what it was :doh:
Case closed. Move along please, nothing to see here......
TL.
/Doorman puts hand up. Twas me. Scanned again, checked running processes, checked registry, startup folder er...that's it. No sign of any beasties. Good work TL and Duvel. Good links, top advice. :thumb:
Quote from: TeaLeaf;191906...discovered 'something' with a 'D' in the name...
TL.
Quote from: Doorman;191924/Doorman puts hand up. Twas me.
:roflmao:
:roflmao:
Quote from: Blunt;191926
D, Doorman, I get it!:roflmao:
Small update. Whilst one virus was found and removed, the original still appears to be there - so if you get any MSN file transfers at the moment do not accept!
From research it appears to be an English (badly translated) variant of the original Spanish W32/MsnPhoto.A.worm. This was first picked up about 20th May, so it is a pretty new one. None of the AV sites as yet carry any info about other variants.
Ron is currently installing a commercial AV package in the hope of finding the little bar steward. When active and MSN is logged in then Ron does not get to control MSN and he cannot shut down MSN via task manager. It's a nasty little bugger :sad:
TL.
Another update: Scanned with McAfee (cheers BFC) and that found AOO14418.exe with which it took exception to. I then did a search for myphoto.zip and it was found in C:\RECYCLERS. I scanned it and it showed up clean. I've deleted it anyway. I'm now scared to start up MSN Messenger (Good thing, I hear some of you cry)
Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:
Quote from: Doorman;191968Another update: Scanned with McAfee (cheers BFC) and that found AOO14418.exe with which it took exception to. I then did a search for myphoto.zip and it was found in C:\RECYCLERS. I scanned it and it showed up clean. I've deleted it anyway. I'm now scared to start up MSN Messenger (Good thing, I hear some of you cry)
Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:
What AV package do you normally run Ron?
Quote from: BlueBall;191973What AV package do you normally run Ron?
Avast 4 freebie type home deal.
Quote from: Doorman;191968Point of order, Is not RECYCLERS the recycle bin? No? :getmecoat:
I don't know where the recycle bin is, but I do not have that folder on my PC.
TL.
Quote from: TeaLeaf;192003I don't know where the recycle bin is, but I do not have that folder on my PC.
You should have it - but it is a hidden system folder, so unless you have checked the options to show that kind of stuff, you won't see it.
But I saw that Ron wrote RECYCLERS, and not RECYCLER. If it's just a typo, then it's not a big deal - the latter is the recycle bin folder.
If, on the other hand, it weren't a typo, then something fishy might be going on...
c:\recycler
d:\recycler
etc
Hidden system file that seems to be the recycle bin. My recycle bin disappeared from the desktop yesterday. A system restore seemed to sort that out. Most of the forum help I found online wasn't terribly helpful, though I think it may have been a corrupted registry entry or something.
System restore is back on! :)
Quote from: Doorman;191996Avast 4 freebie type home deal.
Get NOD32 from www.eset.co.uk (http://www.eset.com)
I have it on my 3 PCs on a 3 year purchase which works out at about £14/year per PC. It is an absolutely excellent antivirus product.
Quote from: TeaLeaf;192003I don't know where the recycle bin is, but I do not have that folder on my PC.
TL.
It's a hidden system file.
One cannot stress enough that file transfers from unknown sources should never be opened......regardless of how big a mammary size is boasted.....you only have yourselves to blame!!
Oh, and Benny of course, for corrupting your poor minds at the LANS!!:woot2: :norty: :devil:
Quote from: Dingo;192060One cannot stress enough that file transfers from unknown sources should never be opened......regardless of how big a mammary size is boasted.....you only have yourselves to blame!!
Oh, and Benny of course, for corrupting your poor minds at the LANS!!:woot2: :norty: :devil:
It was only a full working demo of WINRAR for God's sake! How was I to know? I was saying to my old mate Long John Silver the other day 'Oh ar matey tha' can'st trust any bugger these days!' :ranting2:
hello :byebye:
I had EXACTLY the same problem ... searched with google and found lots of "similar" problems but not exactly like the one I had =\ ...
anyway, earlier I did like what you did and deleted the files in "C:\RECYCLER" ...
(http://www.appsup.com/temp/OMG_I_have_a_virus_3.PNG)
and then I did an "in-depth analysis" with NOD32 ... now it's on 94% and seems that my pc is clean =)
by the way ... I used this method for deleting:
(http://www.appsup.com/temp/OMG_I_have_a_virus_8.PNG)
maybe it helped somehow... :)
and also deleted 2 files from windows startup:
(http://www.appsup.com/temp/OMG_I_have_a_virus_1_Edone.jpg)
that's all =) ... and sorry for posting lots of screen shots ^^; ...
best regards :byebye:
sLm,Saudi Arabia
I don't think you're out of the woods yet. I thought I was clean but a subsequent scan found the same worms. Take a look in C:\ and see if you have aabababab.exe, joe.exe, essay.exe, eaea.exe, getme.exe, abca.exe. Then check them out. I discovered they're nasty. (sorry about the techie talk) :) So I've deleted them and await another scan result after a reboot.
Ron- this is getting on my tits-Doorman
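A small triage script pulling together the indicators posted in this thread (the listening ports Duvel reported and the file names Doorman listed), as an added example that is not code from any poster: it parses `netstat -ano` style output and a list of file paths, both constructed samples here, and flags matches. The netstat column layout, the PID values and the sample paths are assumptions for illustration, not observed data.

```python
import re

# Indicators taken from the thread (constructed for this example; not an AV signature set).
SUSPECT_PORTS = {2283, 10000}  # TCP proxy and FTP server ports reported on the infected PC
SUSPECT_NAMES = {"myphoto.zip", "myphotos.zip", "aabababab.exe", "joe.exe",
                 "essay.exe", "eaea.exe", "getme.exe", "abca.exe"}

# Matches one LISTENING line of Windows `netstat -ano` output (assumed layout).
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


def suspicious_listeners(netstat_lines):
    """Return (port, pid) pairs for LISTENING TCP sockets on the ports named in the thread."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank or non-listening line
        port, pid = int(m.group(2)), int(m.group(4))
        if port in SUSPECT_PORTS:
            hits.append((port, pid))
    return hits


def suspicious_files(paths):
    """Return paths whose file name is on the list, or any .exe/.zip sitting under a RECYCLER folder."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        name = norm.rsplit("\\", 1)[-1]
        in_recycler = "\\recycler\\" in norm
        if name in SUSPECT_NAMES or (in_recycler and name.endswith((".exe", ".zip"))):
            hits.append(p)
    return hits


# Constructed sample input: a netstat -ano listing and a directory walk result.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.5:1863       207.46.104.20:1863     ESTABLISHED     1844
""".splitlines()

SAMPLE_PATHS = [
    r"C:\RECYCLER\S-1-5-21-1234\myphoto.zip",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\essay.exe",
    r"C:\Documents and Settings\ron\My Documents\myphoto.txt",
]

if __name__ == "__main__":
    print("listeners:", suspicious_listeners(SAMPLE_NETSTAT))
    print("files:", suspicious_files(SAMPLE_PATHS))
```

A hit on both ports from the same PID is the pattern worth chasing in Task Manager; a clean result does not prove the machine is clean, it only means these particular indicators are absent.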
lol :rolleyes:
no I think I'm totally clean now :) ... I've been working on my pc yesterday and today and had no problems at all ^^ ...
also I didn't find the files you mentioned :) ...
in-depth scans for several programs reported that my machine is clean :D
that's all ^^ ... c ya
Would this be our miscreant?
http://vil.nai.com/vil/content/v_142395.htm
Very nearly. The only difference is it was myphotos.zip. If it is ONLY MSN Messenger, I've returned to Windows Messenger.