Worm mutants spoof Internet Explorer

Alarm bells ring again as Dumaru worm launches bogus Microsoft website

Robert Jaques, vnunet.com 28 Jan 2004

MyDoom.A is not the only virus users should be aware of, as three mutant modifications of the recently discovered Dumaru worm were identified in the wild.

Versions J, K and L of the email worm are rapidly creating a fresh global outbreak, despite using much the same techniques as the original infections, security firm Kaspersky Labs has warned.

Key to its spread is the worm's multi-tier propagation method. Initial dissemination is achieved by the mass mailing of a message purportedly from Microsoft in which users are - somewhat ironically - offered updates to their virus protection.

But in reality the message contains a Trojan URL spoof which, once activated, pops up an Internet Explorer window with a spoofed Microsoft website.

To make this site appear genuine the URL spoof uses a vulnerability in Explorer that allows the worm to display www.microsoft.com in the address bar, even though the user is actually at another site.

While the user is browsing this bogus site, the compromised PC is transformed into a Dumaru carrier from which the worm initiates its mailing process.

"This outbreak has once again demonstrated that virus writers and spammers are joining forces," said Eugene Kaspersky, head of antivirus research at Kaspersky Labs, in a statement.

"Virus [writers] are using spamming techniques more and more in order to increase propagation speed, [and] spammers are using viruses to create networks of infected machines for use in mass-mailing campaigns."

Although Dumaru was first detected late last year it has remained among the most active malicious programs ever since, according to Kaspersky.

The original worm was written in Russia, but subsequent versions which contain only minor modifications appear to come from Germany.

See also: