Win32.Dumaru.B/C@mm (W32.Dumaru.B/C | W32/Dumaru.b/c@MM | W32/Dumaru-B)
SYMPTOMS:

Presence of the following files in the %WINDOWS% folder:
  dllreg.exe
  guid32.dll
  windrive.exe
  winimg.exe

Presence of the following files in the %SYSTEM% folder:
  load32.exe
  vxdmgr32.exe

Presence of the following file in the Startup folder:
  rundllw.exe

Presence of the following registry keys or entries:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  "load32"="%SYSTEM%\load32.exe"
  [HKLM\Software\SARS]
  "kwmfound"=0

where %WINDOWS% points to the Windows folder (WinNT on Windows NT based systems) and %SYSTEM% points to the System folder on Windows 9x systems and to the System32 folder on Windows NT systems.

TECHNICAL DESCRIPTION:

This mass mailer has backdoor abilities (it listens on TCP ports 1001, 2283 and 10000) and also comes with a keylogger. It attempts to terminate processes belonging to several security and antivirus programs. On NTFS partitions, it may overwrite .exe files with copies of the virus.

It spreads using this e-mail format:

  From: security@microsoft.com
  Subject: Use this patch immediately !
  Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
  Attachment: patch.exe

Once run, the virus does the following:

1. Creates the aforementioned files and registry keys/entries.

2. Attempts to terminate the following processes:
   ZAUINST.EXE ZAPRO.EXE ZONEALARM.EXE ZATUTOR.EXE MINILOG.EXE VSMON.EXE LOCKDOWN.EXE ANTS.EXE FAST.EXE GUARD.EXE TC.EXE SPYXX.EXE PVIEW95.EXE REGEDIT.EXE DRWATSON.EXE SYSEDIT.EXE NSCHED32.EXE MOOLIVE.EXE TCA.EXE TCM.EXE TDS-3.EXE SS3EDIT.EXE UPDATE.EXE ATCON.EXE ATUPDATER.EXE ATWATCH.EXE WGFE95.EXE POPROXY.EXE NPROTECT.EXE VSSTAT.EXE VSHWIN32.EXE NDD32.EXE MCAGENT.EXE MCUPDATE.EXE WATCHDOG.EXE TAUMON.EXE IAMAPP.EXE IAMSERV.EXE LOCKDOWN2000.EXE SPHINX.EXE WEBSCANX.EXE VSECOMR.EXE PCCIOMON.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE FRW.EXE BLACKICE.EXE BLACKD.EXE WRCTRL.EXE WRADMIN.EXE WRCTRL.EXE PCFWALLICON.EXE APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE TDS2-98.EXE TDS2-NT.EXE SAFEWEB.EXE NVARCH16.EXE MSSMMC32.EXE PERSFW.EXE VSMAIN.EXE LUALL.EXE LUCOMSERVER.EXE AVSYNMGR.EXE DEFWATCH.EXE RTVSCN95.EXE VPC42.EXE VPTRAY.EXE PAVPROXY.EXE APVXDWIN.EXE AGENTSVR.EXE NETSTAT.EXE MGUI.EXE MSCONFIG.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE

3. On Windows 9x/Me systems, alters win.ini and system.ini in order to run at startup:
   [windows]
   run=%WINDOWS%\dllreg.exe
   [boot]
   shell=explorer.exe %SYSTEM%\vxdmgr32.exe

4. Harvests e-mail addresses by searching inside files with the extensions .htm .wab .html .dbx .tbb .abd, and attempts to send itself using the e-mail format described above, using its own SMTP engine and the default SMTP address.

5. Attempts to infect .exe files on NTFS partitions, but due to a bug in the search it will only infect .exe files in the root of drives.

6. Connects to an IRC server and joins a channel; listens on TCP ports 1001 and 10000 for commands from an attacker. TCP port 2283 is used as a send-through (like a proxy).

7. Captures and logs the clipboard to %WINDOWS%\rundllx.sys

8. Captures and logs keystrokes (along with the program name) to %WINDOWS%\vxdload.log

9. Attempts to connect to an FTP server and upload a .eml file that contains passwords and other information.
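As an added illustration (this is not BitDefender's removal tool nor any code from this advisory), the following Python triage helper checks a host snapshot and an e-mail message against the indicators listed above: the dropped files, the Startup folder entry, the Run value and SARS marker key, the backdoor/proxy ports, the win.ini/system.ini persistence lines, and the lure message format. The Windows path C:\WINDOWS (an NT-style %WINDOWS%/%SYSTEM%), the snapshot inputs and the sample message are all constructed assumptions; on a real host a collector would have to supply the file list, registry values and listener table.

```python
import re
from email import message_from_string

# Assumption: NT-based host, so %WINDOWS% is C:\WINDOWS and %SYSTEM% is System32.
WINDOWS = r"C:\WINDOWS"
SYSTEM = WINDOWS + r"\System32"

# Files the advisory lists as dropped, plus the clipboard and keystroke logs.
DROPPED_FILES = (
    WINDOWS + r"\dllreg.exe",
    WINDOWS + r"\guid32.dll",
    WINDOWS + r"\windrive.exe",
    WINDOWS + r"\winimg.exe",
    WINDOWS + r"\rundllx.sys",   # clipboard log
    WINDOWS + r"\vxdload.log",   # keystroke log
    SYSTEM + r"\load32.exe",
    SYSTEM + r"\vxdmgr32.exe",
)
STARTUP_FILE = "rundllw.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SARS_KEY = r"HKLM\Software\SARS"
BACKDOOR_PORTS = {1001, 2283, 10000}   # command ports plus the proxy port
LURE_SUBJECT = "Use this patch immediately !"


def check_host(files, startup_files, registry, listening_ports,
               win_ini="", system_ini=""):
    """Return a list of findings for one host snapshot.

    files           - full paths present on disk
    startup_files   - file names found in the Startup folder
    registry        - dict {(key, value_name): data}
    listening_ports - TCP ports that currently have a listener
    win_ini / system_ini - contents of those files (Windows 9x/Me only)
    """
    findings = []
    present = {p.lower() for p in files}
    for path in DROPPED_FILES:
        if path.lower() in present:
            findings.append("dropped file present: " + path)
    if STARTUP_FILE in {n.lower() for n in startup_files}:
        findings.append("Startup folder entry: " + STARTUP_FILE)
    run_data = str(registry.get((RUN_KEY, "load32"), ""))
    if run_data.lower().endswith("load32.exe"):
        findings.append("Run value load32 -> " + run_data)
    if (SARS_KEY, "kwmfound") in registry:
        findings.append("infection marker " + SARS_KEY + "\\kwmfound present")
    for port in sorted(BACKDOOR_PORTS & set(listening_ports)):
        findings.append("listener on TCP %d (backdoor/proxy port)" % port)
    # Windows 9x/Me persistence: [windows] run= in win.ini, [boot] shell= in system.ini.
    if re.search(r"^\s*run\s*=.*dllreg\.exe", win_ini, re.I | re.M):
        findings.append("win.ini run= launches dllreg.exe")
    if re.search(r"^\s*shell\s*=.*vxdmgr32\.exe", system_ini, re.I | re.M):
        findings.append("system.ini shell= launches vxdmgr32.exe")
    return findings


def is_dumaru_lure(raw_message):
    """True if a raw RFC 822 message matches the lure described in the advisory:
    forged sender, the fixed subject line and a patch.exe attachment."""
    msg = message_from_string(raw_message)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return ("security@microsoft.com" in sender
            and subject == LURE_SUBJECT
            and any(n.lower() == "patch.exe" for n in names))


# Constructed sample data (not taken from a real infection).
SAMPLE_FILES = [WINDOWS + r"\dllreg.exe", SYSTEM + r"\load32.exe", WINDOWS + r"\notepad.exe"]
SAMPLE_REGISTRY = {(RUN_KEY, "load32"): SYSTEM + r"\load32.exe", (SARS_KEY, "kwmfound"): 0}
SAMPLE_PORTS = {135, 445, 1001, 2283}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=" + WINDOWS + "\\dllreg.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe " + SYSTEM + "\\vxdmgr32.exe\n"
SAMPLE_MAIL = """\
From: security@microsoft.com
To: user@example.test
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

(attachment bytes omitted in this constructed sample)
--b1--
"""

if __name__ == "__main__":
    for line in check_host(SAMPLE_FILES, [], SAMPLE_REGISTRY, SAMPLE_PORTS,
                           SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(line)
    print("lure message:", is_dumaru_lure(SAMPLE_MAIL))
```

The host check reports each indicator separately rather than a single verdict, so a responder can see which persistence paths (Run value, Startup folder, or the 9x-only ini lines) actually need manual cleanup after the tool runs; the mail check is strict on all three lure fields to keep false positives low at a gateway.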
REMOVAL INSTRUCTIONS:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Automatic removal
Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antidumaru-EN.exe tool does the following:

You may also need to restore the affected files.

Semiautomatic removal
BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.
ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher