New worm targets online payment system

by Iain Thomson

26 Jan 2004

A new worm targeting another online payment service is spreading rapidly via email.

Dumaru-Y installs a keystroke logger and backdoor on infected PCs and targets user information for an online payment service called e-gold.com, according to Symantec's Security Response Centre.

In a statement the Centre said: "The worm may harvest passwords for a variety of applications, however it does specifically target those for www.e-gold.com.

"For any webform on this site, the worm will begin logging all keystrokes. This appears to be an attempt by the author of this worm to steal e-gold accounts."

Dumaru-Y is spread via a .zip compressed file named 'myphoto.jpg.exe'. The worm affects Windows Server 2003, Windows 2000, NT, XP, 98, 95 and ME. It was first detected on Sunday evening in the US.

Infected emails come with the header 'Important information for you. Read it immediately!' and the message 'Hi! Here is my photo, that you asked for yesterday.'

If the .zip file is opened, Dumaru scans the PC for any email addresses and mails itself onward using its own SMTP engine.

The active payload creates a tool that intercepts keystrokes, known as a WindowsHook.

Some data typed into applications and web forms can be stored on the infected machine in a file named vxdload.log, while all information related to e-gold accounts is stored.

Any information copied onto the Clipboard is stored in a file called rundllx.sys. Once the log files are large enough they are emailed to an unknown address.

Dumaru also installs two backdoors using ports 2283 and 10000 that allow the PC to be remotely controlled by hackers, or used as a relay in distributed denial of service attacks.

Administrators are advised to block all .zip files at the firewall for protection. Virus signatures are available for download from most antivirus companies.

This is not the first worm to target online payment services. A variant of MiMail was released two months ago that targeted similar payment systems, and experts are warning that virus writers are increasingly looking to profit from their creations.
