Dumaru.B is a file infector and a mass-mailer worm which tries to disguise itself as a security patch coming from Microsoft. The worm drops an IRC-controlled backdoor component to the infected system.
Disinfection & Removal
Dumaru.B is packed with an unmodified version of UPX. The unpacked size of the worm is 61440 bytes.
When first run the worm infects the system by placing several of its copies in the system.
One copy goes to the System Directory as 'load32.exe' which is added to the registry as
The next one is copied to the current user's startup folder as 'rundllw.exe'.
Another copy of the worm is placed to the Windows Directory using the file name 'dllreg.exe' and added to 'win.ini' as follows:
Fourth one is copied to System Directory as 'vxdmgr32.exe' which is registered to 'system.ini':
[Boot] Shell=explorer vxdmgr32.exe
The backdoor is dropped to the Windows directory as 'windrv.exe' and started. This file is detected by F-Secure Anti-Virus as Backdoor.Small.d.
A keylogger is dropped to the Windows Directory as 'guid32.dll'.
Dumaru.B uses its own SMTP engine to send emails with infected attachments. The worm searches for email addresses on all drives recursively in files with the following extensions:
.htm .wab .html .dbx .tbb .abd
Using its SMTP engine Dumaru.B sends infected emails to the addresses it collected. The infected emails have the following appearance:
From: "Microsoft" <firstname.lastname@example.org> Subject: Use this patch immediately ! Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected! Attachment: patch.exe
The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.
If the infected system is installed on NT Filesystem Dumaru.B tries to infect EXE files with a companion method using the streams feature of NTFS. The original file content is copied to 'filename.exe:STR' stream and the file 'filename.exe' is overwritten with a copy of the virus. When 'filename.exe' is invoked the worm executes 'filename.exe:STR' instead.
Dumaru.B opens several ports with different different services.
On port 10000 it opens an FTP server that provides full access to all files on all the physical and mapped drives of the infected computer.
On port 1001 a custom backdoor component is listening that accepts text commands with different functionality:
- executing arbitrary commands
- take a screenshot
- open/close CD tray
- play sound
- display a message box:
On port 2283 Dumaru.B implements a generic TCP Proxy/bouncer an attacker can use to connect to other hosts through the infected computer.
Apart from spreading and backdoor functionality Dumaru.B collects considerable amount of sensitive data and sends it to a predefined address in email.
- Far Manager passwords
- ID list for the site WebMoney.ru
- Passwords and wallet information for WebMoney.ru which is collected from *.kwm files
- Keystrokes collected by the keylogger and stored in a file called 'vxdload.log'
- Content of the clipboard which is captured and stored in 'rundllx.sys' in Windows Directory
- Protected Storage Data which stores passwords for Internet Explorer, Outlook Express and similar programs.
To gather this data the worm drops a simple tool to the Windows Directory as 'winimg.exe' and uses it to dump the password list to 'rundllz.sys'.
Terminating security software
Dumaru enumerates the running processes and terminates the ones which have the following names:
ZAUINST.EXE ZAPRO.EXE ZONEALARM.EXE ZATUTOR.EXE MINILOG.EXE VSMON.EXE LOCKDOWN.EXE ANTS.EXE FAST.EXE GUARD.EXE TC.EXE SPYXX.EXE PVIEW95.EXE REGEDIT.EXE DRWATSON.EXE SYSEDIT.EXE NSCHED32.EXE MOOLIVE.EXE TCA.EXE TCM.EXE TDS-3.EXE SS3EDIT.EXE UPDATE.EXE ATCON.EXE ATUPDATER.EXE ATWATCH.EXE WGFE95.EXE POPROXY.EXE NPROTECT.EXE VSSTAT.EXE VSHWIN32.EXE NDD32.EXE MCAGENT.EXE MCUPDATE.EXE WATCHDOG.EXE TAUMON.EXE IAMAPP.EXE IAMSERV.EXE LOCKDOWN2000.EXE SPHINX.EXE WEBSCANX.EXE VSECOMR.EXE PCCIOMON.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE FRW.EXE BLACKICE.EXE BLACKD.EXE WRCTRL.EXE WRADMIN.EXE WRCTRL.EXE PCFWALLICON.EXE APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE TDS2-98.EXE TDS2-NT.EXE SAFEWEB.EXE NVARCH16.EXE MSSMMC32.EXE PERSFW.EXE VSMAIN.EXE LUALL.EXE LUCOMSERVER.EXE AVSYNMGR.EXE DEFWATCH.EXE RTVSCN95.EXE VPC42.EXE VPTRAY.EXE PAVPROXY.EXE APVXDWIN.EXE AGENTSVR.EXE NETSTAT.EXE MGUI.EXE MSCONFIG.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE
F-Secure Anti-Virus detects this worm variant with:
Detection Type: PC
Technical Details: Gergely Erdelyi, 2nd of September, 2003