Don't Believe Your Browser - It Could Be Dumaru

26 Jan 2004
Virus News

Kaspersky Lab, a leading information security software developer, warns users about three new modifications of Dumaru, an email worm: versions j, k and l. Their unusual propagation technique and high dissemination rate have caused infections worldwide and a new global outbreak.

Dumaru was first detected in September 2003 and has remained among the most active malicious programs since. The original worm was written in Russia, but subsequent versions appear to come from Germany. The latest versions contain only minor changes to the worm itself; it is the multi-tier propagation method used to disseminate it that has produced a worldwide outbreak within days.

Initial propagation relies on the mass mailing of a message purportedly sent by Microsoft, offering users an update to their virus protection. The message actually carries the Trojan program UrlSpoof. When the user follows the link in the message, a new browser window opens on a web site made to look like Microsoft's. UrlSpoof also exploits a vulnerability in Internet Explorer that lets it display www.microsoft.com in the address bar even though the user is on a different site, so neither the page content nor the address bar reveals the deception. While the user browses this site, the victim machine is turned into a Dumaru carrier and the worm starts its own mass mailing from the newly infected computer.

"This outbreak has once again demonstrated that virus writers and spammers are joining forces," comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "Viruses are using spamming techniques more and more in order to increase propagation speed, whereas spammers are using viruses to create networks of infected machines for use in mass mailing campaigns."

Kaspersky Lab anti-virus databases have already been updated with protection against the new versions of Dumaru. A detailed description of these versions can be found in the Kaspersky Virus Encyclopedia.
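The lesson of this outbreak is that what a message, or even the browser's address bar, displays need not match the host a link actually connects to. The following Python check is an added example for this page, not Kaspersky's code and not a reproduction of the Internet Explorer flaw described above. It vets links pulled from a mail body against the domain the message claims to come from, parsing each URL the way a client would (per RFC 3986, anything before "@" in the authority is userinfo, not the host) and flagging the two classic ways a URL is made to look like a trusted site: userinfo that reads like a hostname, and a trusted name used as a prefix of an unrelated host. The sample mail body, the 203.0.113.7 address and the .example hostnames are constructed for the illustration.

```python
"""Vet links in a mail body against the domain the message claims to represent.

Added illustration for this article; the sample message below is constructed.
This does not model the Internet Explorer address-bar bug mentioned in the
article, only the general rule: trust the parsed host, not the displayed text.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a lure resembling the one the article describes. One link
# is genuine, one hides the real host behind userinfo, one embeds the trusted
# name as a prefix of an unrelated domain (203.0.113.7 and .example are
# documentation addresses, chosen as placeholders).
SAMPLE_MAIL_BODY = """\
From: Microsoft Security <update@microsoft.com>
Subject: Important update for your virus protection

Read the advisory here:
https://www.microsoft.com/security/
Download the cumulative patch from our update server:
http://www.microsoft.com@203.0.113.7/update.exe
Or use the mirror:
http://www.microsoft.com.update-center.example/patch
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def real_host(url: str) -> str:
    """Return the host a client actually connects to, lower-cased, no trailing dot.

    urlsplit treats everything before '@' in the authority as userinfo, so
    'http://www.microsoft.com@203.0.113.7/' yields the host '203.0.113.7'.
    """
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_is_under(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (label boundary respected)."""
    return host == domain or host.endswith("." + domain)


def vet_link(url: str, claimed_domain: str) -> dict:
    """Classify one link against the domain the message claims to belong to."""
    parts = urlsplit(url)
    host = real_host(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if "@" in parts.netloc:
        # The text before '@' is userinfo; a reader skimming the link sees it
        # as the hostname while the connection goes to what follows '@'.
        reasons.append("userinfo before '@' disguises the real host")
    if not host_is_under(host, claimed_domain):
        reasons.append(f"real host {host!r} is not under {claimed_domain!r}")
        if claimed_domain in host:
            # e.g. www.microsoft.com.update-center.example: the trusted name
            # is merely a prefix of a host someone else controls.
            reasons.append("claimed domain appears only as a prefix of an unrelated host")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


def scan_message(body: str, claimed_domain: str) -> list:
    """Return (url, verdict) for every http(s) link found in the body."""
    return [(url, vet_link(url, claimed_domain)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MAIL_BODY, "microsoft.com"):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {url}")
        for reason in verdict["reasons"]:
            print(f"{'':10}   - {reason}")
```

The check deliberately compares on the parsed host rather than on substring matches of the trusted name, since "microsoft.com" appearing anywhere in a link is exactly what a lure relies on. In a mail gateway the claimed domain would come from the sender address or the brand the message impersonates; here it is passed in by hand.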