Threat Description

Dumaru.B

Details

Aliases: Dumaru.B, W32.Dumaru.B@mm
Category: Malware
Type: Worm
Platform: W32

Summary



Dumaru.B is a file infector and a mass-mailer worm which tries to disguise itself as a security patch coming from Microsoft. The worm drops an IRC-controlled backdoor component to the infected system.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Dumaru.B is packed with an unmodified version of UPX. The unpacked size of the worm is 61440 bytes.

When first run, the worm installs itself by placing several copies of its file on the system.

One copy goes to the System Directory as 'load32.exe', which is registered to start with Windows through the following registry value:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32'

The next one is copied to the current user's startup folder as 'rundllw.exe'.

Another copy of the worm is placed in the Windows Directory as 'dllreg.exe' and added to 'win.ini' as follows:

[windows]
Run=dllreg.exe


The fourth copy goes to the System Directory as 'vxdmgr32.exe', which is registered in 'system.ini' so that it starts together with the shell:

[Boot]
Shell=explorer vxdmgr32.exe


The backdoor is dropped to the Windows directory as 'windrv.exe' and started. This file is detected by F-Secure Anti-Virus as Backdoor.Small.d.

A keylogger is dropped to the Windows Directory as 'guid32.dll'.
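As an added example (not part of the F-Secure description and not the worm's own code), the Python helper below checks a host for the installation artifacts listed above: it parses win.ini and system.ini content and flags the Run= and Shell= entries, and it checks a directory listing for the dropped file names. The INI text and the directory listing are constructed for the example; on a real host the files would be read from the Windows and System directories and the Startup folder, ideally offline, since the worm terminates tools such as regedit and msconfig on the live system. The registry Run value is not covered here.

```python
import re

# Persistence entries described above: file -> (section, key, pattern to look for).
# INI section and key names are matched case-insensitively, as Windows does.
DUMARU_INI_ENTRIES = {
    "win.ini": ("windows", "run", re.compile(r"\bdllreg\.exe\b", re.I)),
    "system.ini": ("boot", "shell", re.compile(r"\bvxdmgr32\.exe\b", re.I)),
}

# Files dropped into the Windows directory, the System directory or the user's
# Startup folder, per the description above.
DROPPED_FILES = {"load32.exe", "rundllw.exe", "dllreg.exe", "vxdmgr32.exe",
                 "windrv.exe", "guid32.dll"}


def parse_ini(text):
    """Minimal INI parser sufficient for win.ini/system.ini.
    Returns {section: {key: value}} with section and key names lower-cased;
    lines starting with ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ini(name, text):
    """Return findings (strings) for the content of win.ini or system.ini."""
    section, key, pattern = DUMARU_INI_ENTRIES[name]
    value = parse_ini(text).get(section, {}).get(key, "")
    if pattern.search(value):
        return ["%s: [%s] %s=%s references a Dumaru.B dropper" % (name, section, key, value)]
    return []


def check_dropped_files(listing):
    """Return the names in a directory listing that match Dumaru.B's dropped files."""
    return sorted(n for n in listing if n.lower() in DROPPED_FILES)


# Constructed sample data for the example (not taken from a real infected host).
SAMPLE_WIN_INI = "[windows]\nload=\nRun=dllreg.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer vxdmgr32.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "Load32.exe", "vxdmgr32.exe", "notepad.exe"]

if __name__ == "__main__":
    for finding in check_ini("win.ini", SAMPLE_WIN_INI) + check_ini("system.ini", SAMPLE_SYSTEM_INI):
        print(finding)
    print("dropped files present:", check_dropped_files(SAMPLE_SYSTEM_DIR))
```

A clean system.ini whose [boot] section reads 'shell=Explorer.exe' produces no finding; the check keys on the extra 'vxdmgr32.exe' token, not on the presence of a Shell= line.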

Email propagation

Dumaru.B uses its own SMTP engine to send emails with infected attachments. The worm searches for email addresses on all drives recursively in files with the following extensions:

.htm
.wab
.html
.dbx
.tbb
.abd


Using its SMTP engine Dumaru.B sends infected emails to the addresses it collected. The infected emails have the following appearance:

From: "Microsoft" <security@microsoft.com>
Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment: patch.exe


The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.
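As an added example (not part of the original description), the following Python code shows how a mail gateway or mailbox scan can recognise the lure above using only the standard library's email parser: it compares the address part of From, the normalised Subject and the attachment file name against the values shown, and flags a message when at least two of them match. The sample message is constructed to mirror the lure and is not a real capture; the base64 attachment body is a short placeholder, not the worm.

```python
from email import message_from_string
from email.utils import parseaddr

# Lure characteristics taken from the message shown above.
LURE_SENDER = "security@microsoft.com"
LURE_SUBJECT = "use this patch immediately !"
LURE_ATTACHMENT = "patch.exe"


def dumaru_lure_indicators(raw_message):
    """Parse a raw RFC 822 message and return the list of matched lure indicators.
    Matching is case-insensitive; the display name is ignored because only the
    address part of From is compared, and runs of whitespace in Subject are collapsed."""
    msg = message_from_string(raw_message)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == LURE_SENDER:
        hits.append("sender " + LURE_SENDER)
    if " ".join(msg.get("Subject", "").split()).lower() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.walk():          # walks the root and every MIME part
        filename = part.get_filename()
        if filename and filename.lower() == LURE_ATTACHMENT:
            hits.append("attachment " + filename)
    return hits


def is_dumaru_lure(raw_message):
    """Flag the message when at least two indicators match, so that a benign mail
    which merely comes from that address or quotes the subject is not enough."""
    return len(dumaru_lure_indicators(raw_message)) >= 2


# Constructed sample message mirroring the lure described above (not a real capture).
SAMPLE_MESSAGE = """From: "Microsoft" <security@microsoft.com>
To: victim@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(dumaru_lure_indicators(SAMPLE_MESSAGE))
    print("lure:", is_dumaru_lure(SAMPLE_MESSAGE))
```

Because the worm uses its own SMTP engine, the forged From header is the only sender information the recipient sees; the example deliberately does not trust it alone.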

File infection

If the infected system uses NTFS, Dumaru.B infects EXE files with a companion technique based on NTFS alternate data streams: the original file content is copied into the 'filename.exe:STR' stream and 'filename.exe' itself is overwritten with a copy of the worm. When 'filename.exe' is invoked, the worm's code runs and then launches 'filename.exe:STR', so the original program still appears to work.
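As an added example (not from the original description): because the displaced program lives in an alternate data stream, a plain directory listing shows only the overwritten 'filename.exe'. The Python code below parses the output of 'dir /r', which on Windows Vista and later lists each named stream on an indented line as 'size name:stream:$DATA', and reports EXE files that carry a 'STR' stream. The 'dir /r' switch postdates this 2003 analysis and is an assumption of the example; older tools such as Sysinternals 'streams' expose the same information. The listing is constructed for the example, not a real capture.

```python
import re

# "dir /r" prints a stream as "<size> <file>:<stream>:$DATA" on an indented line
# following the host file's own entry.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Stream name Dumaru.B uses for the displaced original program, per the description.
COMPANION_STREAM = "STR"


def parse_streams(dir_r_output):
    """Return a list of (directory, file, stream, size) for every named stream in
    'dir /r' output. The directory is tracked from the 'Directory of' headers."""
    streams, directory = [], None
    for line in dir_r_output.splitlines():
        m = DIR_LINE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((directory, m.group(2), m.group(3), size))
    return streams


def find_companion_infections(dir_r_output):
    """Return descriptions of EXE files that carry a ':STR' stream, i.e. files whose
    original content was displaced by Dumaru.B. Other streams, for example the
    Zone.Identifier stream that marks downloaded files, are ignored."""
    hits = []
    for directory, name, stream, size in parse_streams(dir_r_output):
        if name.lower().endswith(".exe") and stream.upper() == COMPANION_STREAM:
            hits.append("%s\\%s (original program in %s:%s, %d bytes)"
                        % (directory, name, name, stream, size))
    return hits


# Constructed sample output in the "dir /r" format (not a real listing).
SAMPLE_DIR_R = """ Volume in drive C has no label.

 Directory of C:\\Program Files\\App

09/02/2003  10:15 AM    <DIR>          .
09/02/2003  10:15 AM    <DIR>          ..
09/02/2003  10:15 AM            24,576 app.exe
                                90,112 app.exe:STR:$DATA
09/02/2003  10:16 AM            12,288 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
09/02/2003  10:17 AM            40,960 helper.exe
               3 File(s)         77,824 bytes
"""

if __name__ == "__main__":
    for hit in find_companion_infections(SAMPLE_DIR_R):
        print(hit)
```

Recovering an infected program means copying the ':STR' stream back over the host file rather than deleting the file, which is what the disinfection step above does for you.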

Backdoors

Dumaru.B opens several ports, each serving a different function.

On port 10000 it opens an FTP server that provides full access to all files on all the physical and mapped drives of the infected computer.

On port 1001 a custom backdoor component listens for plain-text commands that provide the following functionality:

  • execute arbitrary commands
  • take a screenshot
  • open/close the CD tray
  • play a sound
  • display a message box

On port 2283 Dumaru.B implements a generic TCP Proxy/bouncer an attacker can use to connect to other hosts through the infected computer.
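As an added example (not part of the original description), the Python code below parses Windows 'netstat -an' or 'netstat -ano' output and reports TCP listeners on the three ports described above, together with the owning PID when the output has one. The sample output is constructed, not from a real infected host. Two caveats a responder should keep in mind: a single port match is weak evidence (port 10000 in particular is used by unrelated software), so confirm it against the dropped files; and the process-termination list later in this description includes NETSTAT.EXE, so run the listing from a trusted copy or collect it with another tool if netstat keeps dying.

```python
import re

# Listening services described above, keyed by TCP port.
DUMARU_PORTS = {
    10000: "FTP server exposing all physical and mapped drives",
    1001: "text-command backdoor (run commands, screenshot, CD tray, sound, message box)",
    2283: "generic TCP proxy/bouncer",
}

# Matches Windows "netstat -an" / "netstat -ano" TCP lines; the PID column is optional.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)(?:\s+(?P<pid>\d+))?\s*$")


def parse_listeners(netstat_output):
    """Return {port: pid_or_None} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group("state").upper() != "LISTENING":
            continue
        port = int(m.group("local").rsplit(":", 1)[1])   # works for 0.0.0.0:port and [::]:port
        listeners[port] = int(m.group("pid")) if m.group("pid") else None
    return listeners


def find_dumaru_listeners(netstat_output):
    """Return (port, description, pid) for each Dumaru.B port found listening,
    in ascending port order."""
    listeners = parse_listeners(netstat_output)
    return [(port, DUMARU_PORTS[port], listeners[port])
            for port in sorted(DUMARU_PORTS) if port in listeners]


# Constructed sample "netstat -ano" output (not from a real infected host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:1001           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:1047      192.168.1.1:25         ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for port, what, pid in find_dumaru_listeners(SAMPLE_NETSTAT):
        print("port %d (pid %s): %s" % (port, pid, what))
```

In the sample all three listeners and the outbound SMTP connection belong to the same PID, which is the pattern to expect when the backdoor and the mass-mailer run in one process; on a real host that PID is the one to correlate with the dropped 'windrv.exe'.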

Stealing data

Apart from its spreading and backdoor functionality, Dumaru.B collects a considerable amount of sensitive data and emails it to a predefined address:

  • Far Manager passwords
  • ID list for the site WebMoney.ru
  • Passwords and wallet information for WebMoney.ru which is collected from *.kwm files
  • Keystrokes collected by the keylogger and stored in a file called 'vxdload.log'
  • Content of the clipboard, which is captured and stored in 'rundllx.sys' in the Windows Directory
  • Protected Storage data, which holds the saved passwords of Internet Explorer, Outlook Express and similar programs

To gather this data the worm drops a small helper tool into the Windows Directory as 'winimg.exe' and uses it to dump the password list to 'rundllz.sys'.

Terminating security software

Dumaru.B enumerates the running processes and terminates those whose names appear in the following list (mostly personal firewalls and anti-virus products, but also system tools such as REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE that a user might use to inspect the infection):

ZAUINST.EXE
ZAPRO.EXE
ZONEALARM.EXE
ZATUTOR.EXE
MINILOG.EXE
VSMON.EXE
LOCKDOWN.EXE
ANTS.EXE
FAST.EXE
GUARD.EXE
TC.EXE
SPYXX.EXE
PVIEW95.EXE
REGEDIT.EXE
DRWATSON.EXE
SYSEDIT.EXE
NSCHED32.EXE
MOOLIVE.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
SS3EDIT.EXE
UPDATE.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
WGFE95.EXE
POPROXY.EXE
NPROTECT.EXE
VSSTAT.EXE
VSHWIN32.EXE
NDD32.EXE
MCAGENT.EXE
MCUPDATE.EXE
WATCHDOG.EXE
TAUMON.EXE
IAMAPP.EXE
IAMSERV.EXE
LOCKDOWN2000.EXE
SPHINX.EXE
WEBSCANX.EXE
VSECOMR.EXE
PCCIOMON.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
FRW.EXE
BLACKICE.EXE
BLACKD.EXE
WRCTRL.EXE
WRADMIN.EXE
WRCTRL.EXE
PCFWALLICON.EXE
APLICA32.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
CFINET.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
NVARCH16.EXE
MSSMMC32.EXE
PERSFW.EXE
VSMAIN.EXE
LUALL.EXE
LUCOMSERVER.EXE
AVSYNMGR.EXE
DEFWATCH.EXE
RTVSCN95.EXE
VPC42.EXE
VPTRAY.EXE
PAVPROXY.EXE
APVXDWIN.EXE
AGENTSVR.EXE
NETSTAT.EXE
MGUI.EXE
MSCONFIG.EXE
NMAIN.EXE
NISUM.EXE
NISSERV.EXE




Detection


F-Secure Anti-Virus detects this worm variant with:
Detection Type: PC
Database: 2003-08-30_02



Technical Details: Gergely Erdelyi, 2nd of September, 2003

