New worm targets online payment system

Dumaru-Y spreads via .zip file named 'myphoto.jpg.exe'

By Iain Thomson 26 Jan 2004

A new worm targeting another online payment service is spreading rapidly via email.

Dumaru-Y installs a keystroke logger and backdoor on infected PCs and targets user information for an online payment service called e-gold.com, according to Symantec's Security Response Centre.

In a statement the Centre said: "The worm may harvest passwords for a variety of applications; however, it does specifically target those for www.e-gold.com.

"For any webform on this site, the worm will begin logging all keystrokes. This appears to be an attempt by the author of this worm to steal e-gold accounts."

Dumaru-Y is spread via a .zip compressed file named 'myphoto.jpg.exe'. The worm affects Windows Server 2003, Windows 2000, NT, XP, 98, 95 and ME. It was first detected on Sunday evening in the US.

Infected emails come with the header 'Important information for you. Read it immediately!' and the message 'Hi! Here is my photo, that you asked for yesterday.'

If the .zip file is opened, Dumaru scans the PC for any email addresses and mails itself forward using its own SMTP engine.

The active payload installs a keystroke-intercepting component, known as a Windows hook.

Data typed into applications and web forms may be stored on the infected machine in a file named vxdload.log; all information related to e-gold accounts is logged.

Any information copied onto the Clipboard is stored in a file called rundllx.sys. Once the log files are large enough they are emailed to an unknown address.

Dumaru also installs two backdoors using ports 2283 and 10000 that allow the PC to be remotely controlled by hackers, or used as a relay in distributed denial of service attacks.

Administrators are advised to block all .zip files at the firewall for protection. Virus signatures are available for download from most antivirus companies.
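The indicators reported above (lure subject, double-extension attachment name, log file names and backdoor ports) are enough for a simple triage check. The following is an added example, not from the article or Symantec; it assumes attachment names have already been extracted from the .zip by a mail gateway, and it generalises the 'myphoto.jpg.exe' trick to any decoy extension followed by an executable one. All sample mails and the host snapshot are constructed.

```python
import posixpath

# Indicators reported in the article. The sample mails and host snapshot
# used below are constructed for this example, not captured data.
DUMARU_SUBJECT = "Important information for you. Read it immediately!"
DUMARU_ATTACHMENT = "myphoto.jpg.exe"
DUMARU_LOG_FILES = {"vxdload.log", "rundllx.sys"}
DUMARU_BACKDOOR_PORTS = {2283, 10000}

# Generalisation beyond the article: a harmless-looking extension
# immediately followed by an executable one is the same disguise.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def is_disguised_executable(filename):
    """True for names like 'photo.jpg.exe': a decoy extension hiding a real one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def inspect_email(subject, attachments):
    """Return the reasons an email matches Dumaru-Y's mail-borne indicators."""
    reasons = []
    if subject.strip() == DUMARU_SUBJECT:
        reasons.append("subject matches Dumaru-Y lure")
    for name in attachments:
        if name.lower() == DUMARU_ATTACHMENT:
            reasons.append(f"attachment {name} is the Dumaru-Y dropper name")
        elif is_disguised_executable(name):
            reasons.append(f"attachment {name} is an executable with a decoy extension")
    return reasons


def inspect_host(file_paths, listening_ports):
    """Return host-side indicators: Dumaru-Y log files and backdoor ports."""
    hits = []
    for path in file_paths:
        # Normalise Windows separators so basename() works on either style.
        if posixpath.basename(path.replace("\\", "/")).lower() in DUMARU_LOG_FILES:
            hits.append(f"log file present: {path}")
    for port in sorted(set(listening_ports) & DUMARU_BACKDOOR_PORTS):
        hits.append(f"backdoor port listening: {port}")
    return hits


if __name__ == "__main__":
    # Constructed samples: one lure mail, one benign mail, one host snapshot.
    print(inspect_email(DUMARU_SUBJECT, ["myphoto.jpg.exe"]))
    print(inspect_email("Quarterly report", ["report.pdf", "scan.gif.scr"]))
    print(inspect_host([r"C:\WINDOWS\System32\vxdload.log", r"C:\notes.txt"], [135, 445, 2283, 10000]))
```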

This is not the first worm to target online payment services. A variant of MiMail was released two months ago that targeted similar payment systems, and experts are warning that virus writers are increasingly looking to profit from their creations.
