
Sneaking through network security as a zip file...
Published: 27 January 2004 09:45 GMT
IT managers and computer users have been warned to watch out for a new email worm that attempts to steal users' passwords.
This worm, which is the latest version of the Dumaru virus, was first detected on Friday. Antivirus vendors are split between calling this variant Dumaru.Y or Dumaru.J (depending on how many previous variants they have detected and named since the first version appeared in August 2003), but there is consensus that users who make the mistake of opening the worm's payload could unwittingly reveal important passwords.
Security firm MessageLabs said on Monday that it is treating the worm as high risk, based on the number of copies it has intercepted.
Dumaru.J/Y arrives in a user's inbox as an email with the subject line of "Important information for you. Read it immediately!", sent from "fuckensuicide@hotmail.com". It comes with an attachment called myphoto.zip, which contains an executable file.
If run, this program will harvest email addresses from the user's local address book and forward copies of itself to them.
More worryingly, experts say that the worm could allow the virus writer to take control of the PC at a later date, by secretly opening up a network port. Even more damaging, potentially, is the fact that Dumaru.J/Y is thought to monitor a user's keystrokes.
According to Paul Wood, chief information security analyst at MessageLabs, Dumaru.J/Y is thought to be listening out for the passwords of people using the eGold electronic currency service.
Because the virus includes a zipped attachment, rather than an executable one, it is more likely to penetrate a network security system that has been set up to repel viruses. Such systems often block .exe files, but usually allow .zip files through.
To activate Dumaru.J/Y, a user would have to unzip the application and then run the unzipped file. The name of the unzipped file includes a large number of spaces to hide the final .exe and to make it look, at a glance, like a JPEG graphic.
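The gap described above, where a filter blocks .exe attachments but lets .zip files through, can be closed by looking at the member names inside the archive. The following Python is an added example, not from the article or from MessageLabs; the extension lists, the padding threshold and the sample file name are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a padded name may imitate (constructed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}
PADDING = re.compile(r"\s{3,}")  # assumed threshold: 3+ consecutive whitespace chars


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that a mail gateway should flag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]   # drop any directory part
            stem, dot, ext = name.rpartition(".")
            ext = (dot + ext).lower().strip() if dot else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable")
                if PADDING.search(stem):              # spaces pushing ".exe" out of view
                    reasons.append("whitespace-padded")
                if any(stem.rstrip().lower().endswith(d) for d in DECOY_EXTS):
                    reasons.append("decoy-extension")  # e.g. ".jpg" shown before the padding
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample(names: list[str]) -> bytes:
    """Build an in-memory zip of harmless placeholder members (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed name following the article's description, not the worm's actual one.
    padded = "myphoto.jpg" + " " * 40 + ".exe"
    for finding in inspect_zip(build_sample([padded, "holiday.jpg", "setup.exe"])):
        print(finding)
```

A gateway could quarantine any archive with an "executable" finding and treat the padded or decoy-extension cases as higher severity, since a legitimate sender has no reason to hide the real extension.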
MessageLabs had detected 14,000 copies of Dumaru.J/Y by early Monday morning, UK time, and was expecting to see a surge in activity once American computer users came online later in the day. It is still also detecting a high level of Dumaru.A activity.
All the major antivirus vendors are thought to have updated their signature files to defend against this latest Dumaru variant, but companies would be advised to ensure that their staff understand the risks posed by viruses.
"You should never open an attachment from any email address you don't recognise. Given that some virus writers are spoofing their emails, people should be very cautious even if an email appears to come from a reputable company," explained Wood.
Graeme Wearden writes for ZDNet UK