Threat Description

Dumaru.B

Details

Aliases: Dumaru.B, W32.Dumaru.B@mm
Category: Malware
Type: Worm
Platform: W32

Summary


Dumaru.B is a file infector and a mass-mailer worm which tries to disguise itself as a security patch coming from Microsoft. The worm drops an IRC-controlled backdoor component to the infected system.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Dumaru.B is packed with an unmodified version of UPX. The unpacked size of the worm is 61440 bytes.

When first run, the worm installs several copies of itself on the system.

One copy goes to the System Directory as 'load32.exe' which is added to the registry as

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32'

The next one is copied to the current user's startup folder as 'rundllw.exe'.

Another copy of the worm is placed in the Windows Directory under the file name 'dllreg.exe' and added to 'win.ini' as follows:

  [windows]
  Run=dllreg.exe

A fourth copy is placed in the System Directory as 'vxdmgr32.exe', which is registered in 'system.ini':

  [Boot]
  Shell=explorer vxdmgr32.exe

The backdoor is dropped to the Windows directory as 'windrv.exe' and started. This file is detected by F-Secure Anti-Virus as Backdoor.Small.d.

A keylogger is dropped to the Windows Directory as 'guid32.dll'.
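The 'win.ini' and 'system.ini' autostart entries above can be audited offline from copies of the two files. The following is an added example, not F-Secure's code: the function names and sample file contents are constructed for illustration, and it assumes Explorer is the only shell expected on the audited hosts.

```python
import ntpath
import re

# File names listed in this description (compared case-insensitively).
DUMARU_B_FILES = {"load32.exe", "rundllw.exe", "dllreg.exe", "vxdmgr32.exe",
                  "windrv.exe", "guid32.dll", "winimg.exe"}
# Assumption: Explorer is the only shell expected on the audited hosts.
EXPECTED_SHELL = {"explorer", "explorer.exe"}

# Constructed sample files reproducing the two entries shown above.
SAMPLE_WIN_INI = "[windows]\nload=\nRun=dllreg.exe\n[fonts]\n"
SAMPLE_SYSTEM_INI = ("[386Enh]\ndevice=a.vxd\ndevice=b.vxd\n"
                     "[Boot]\nShell=explorer vxdmgr32.exe\n")


def parse_ini(text):
    """Read an INI file into {section: [(key, value)]}, lower-casing names.

    Hand-rolled because system.ini legitimately repeats keys (device=...).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif "=" in line and not line.startswith(";") and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections


def audit_autostart(win_ini, system_ini):
    """Return (file, key, program, is_listed_dumaru_name) per unexpected entry."""
    findings = []
    checks = (("win.ini", win_ini, "windows", ("run", "load"), set()),
              ("system.ini", system_ini, "boot", ("shell",), EXPECTED_SHELL))
    for fname, text, section, keys, allowed in checks:
        for key, value in parse_ini(text).get(section, []):
            if key not in keys:
                continue
            # Split on whitespace/commas; quoted paths with spaces are not handled.
            for prog in filter(None, re.split(r"[\s,]+", value)):
                base = ntpath.basename(prog).lower()
                if base not in allowed:
                    findings.append((fname, key, prog, base in DUMARU_B_FILES))
    return findings
```

Any non-empty `run=`/`load=` value or extra `shell=` program is reported, so the audit also surfaces autostart entries that do not use the file names from this description.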

Email propagation

Dumaru.B uses its own SMTP engine to send emails with infected attachments. The worm searches for email addresses on all drives recursively in files with the following extensions:

  • .htm
  • .wab
  • .html
  • .dbx
  • .tbb
  • .abd

Using its SMTP engine Dumaru.B sends infected emails to the addresses it collected. The infected emails have the following appearance:

  From: "Microsoft" [security@microsoft.com]
  Subject: Use this patch immediately !

  Dear friend , use this Internet Explorer patch now!
  There are dangerous virus in the Internet now!
  More than 500.000 already infected!

  Attachment: patch.exe

The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.

File infection

If the infected system is installed on an NTFS volume, Dumaru.B tries to infect EXE files with a companion method that uses the streams feature of NTFS. The original file content is copied to the 'filename.exe:STR' stream and the file 'filename.exe' is overwritten with a copy of the virus. When 'filename.exe' is invoked, the worm executes 'filename.exe:STR' instead.
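Because the original program survives in the ':STR' stream, infected hosts can be found and repaired by opening that stream path directly. The following is an added example, not F-Secure's disinfection code: the function names are hypothetical, and it assumes the stream holds the unmodified original as described above.

```python
import os

STREAM = ":STR"  # stream name given in this description


def find_str_companions(root):
    """Return [(host_path, stream_size)] for each .exe under root with a ':STR' stream.

    On NTFS, 'file.exe:STR' opens the named stream of file.exe. A plain
    directory listing does not show it, so the probe opens the path directly.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".exe"):
                continue
            host = os.path.join(dirpath, name)
            try:
                with open(host + STREAM, "rb") as stream:
                    size = stream.seek(0, os.SEEK_END)
            except OSError:
                continue  # no such stream: not infected by this method
            hits.append((host, size))
    return hits


def restore_from_stream(host):
    """Write the saved original back as the main content of host.

    Refuses to act unless the stream starts with the 'MZ' executable header.
    Returns the number of bytes restored.
    """
    with open(host + STREAM, "rb") as stream:
        original = stream.read()
    if original[:2] != b"MZ":
        raise ValueError("stream does not look like an executable: " + host)
    with open(host, "wb") as main:  # replaces the worm copy
        main.write(original)
    try:
        os.remove(host + STREAM)
    except FileNotFoundError:
        pass  # the stream may already be gone after the overwrite
    return len(original)
```

Compare each restored file against a known-good copy or vendor hash before returning it to use.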

Backdoors

Dumaru.B opens several ports, each with a different service.

On port 10000 it opens an FTP server that provides full access to all files on all the physical and mapped drives of the infected computer.

On port 1001 a custom backdoor component is listening that accepts text commands with different functionality:

  • execute arbitrary commands
  • take a screenshot
  • open/close the CD tray
  • play a sound
  • display a message box

On port 2283 Dumaru.B implements a generic TCP proxy/bouncer that an attacker can use to connect to other hosts through the infected computer.

Stealing data

Apart from its spreading and backdoor functionality, Dumaru.B collects a considerable amount of sensitive data and sends it by email to a predefined address:

  • Far Manager passwords
  • ID list for the site WebMoney.ru
  • Passwords and wallet information for WebMoney.ru which is collected from *.kwm files
  • Keystrokes collected by the keylogger and stored in a file called 'vxdload.log'
  • Content of the clipboard which is captured and stored in 'rundllx.sys' in Windows Directory
  • Protected Storage Data which stores passwords for Internet Explorer, Outlook Express and similar programs.

To gather this data the worm drops a simple tool to the Windows Directory as 'winimg.exe' and uses it to dump the password list to 'rundllz.sys'.

Terminating security software

Dumaru enumerates the running processes and terminates the ones which have the following names:

ZAUINST.EXE  ZAPRO.EXE  ZONEALARM.EXE  ZATUTOR.EXE  MINILOG.EXE  VSMON.EXE  LOCKDOWN.EXE  ANTS.EXE  FAST.EXE  GUARD.EXE  TC.EXE  SPYXX.EXE  PVIEW95.EXE  REGEDIT.EXE  DRWATSON.EXE  SYSEDIT.EXE  NSCHED32.EXE  MOOLIVE.EXE  TCA.EXE  TCM.EXE  TDS-3.EXE  SS3EDIT.EXE  UPDATE.EXE  ATCON.EXE  ATUPDATER.EXE  ATWATCH.EXE  WGFE95.EXE  POPROXY.EXE  NPROTECT.EXE  VSSTAT.EXE  VSHWIN32.EXE  NDD32.EXE  MCAGENT.EXE  MCUPDATE.EXE  WATCHDOG.EXE  TAUMON.EXE  IAMAPP.EXE  IAMSERV.EXE  LOCKDOWN2000.EXE  SPHINX.EXE  WEBSCANX.EXE  VSECOMR.EXE  PCCIOMON.EXE  ICLOAD95.EXE  ICMON.EXE  ICSUPP95.EXE  ICLOADNT.EXE  ICSUPPNT.EXE  FRW.EXE  BLACKICE.EXE  BLACKD.EXE  WRCTRL.EXE  WRADMIN.EXE  WRCTRL.EXE  PCFWALLICON.EXE  APLICA32.EXE  CFIADMIN.EXE  CFIAUDIT.EXE  CFINET32.EXE  CFINET.EXE  TDS2-98.EXE  TDS2-NT.EXE  SAFEWEB.EXE  NVARCH16.EXE  MSSMMC32.EXE  PERSFW.EXE  VSMAIN.EXE  LUALL.EXE  LUCOMSERVER.EXE  AVSYNMGR.EXE  DEFWATCH.EXE  RTVSCN95.EXE  VPC42.EXE  VPTRAY.EXE  PAVPROXY.EXE  APVXDWIN.EXE  AGENTSVR.EXE  NETSTAT.EXE  MGUI.EXE  MSCONFIG.EXE  NMAIN.EXE  NISUM.EXE  NISSERV.EXE   


Detection


F-Secure Anti-Virus detects this worm variant with:

Detection Type: PC
Database: 2003-08-30_02



Technical Details: Gergely Erdelyi, 2nd of September, 2003

