W32/Dumaru.a@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 08/19/2003
Length: 9 kb
Minimum DAT: 4287 (08/19/2003)
Updated DAT: 4306 (11/26/2003)
Minimum Engine: 5.1.00
Description Added: 08/18/2003
Description Modified: 04/13/2004 9:13 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update April 13th 2004 --
The risk assessment of this virus has been lowered to Low-Profiled for home users due to decreased prevalence levels.

-- Update August 28th 2003 --
The risk assessment of this virus has been raised to MEDIUM for home users due to increased prevalence levels.

Note: Detection has been available since the 4287 DATs. However, improved repair (for customers with infections) is included in the 4290 DATs (release date 28th August 2003).

This mass mailing worm has been proactively detected with internal heuristics as "virus or variant of New Malware-b" with the 4.2.40 engine and 4239 DAT combination (or greater) since 12/23/2002.

Mass Mailing Component

The worm uses its own SMTP engine to email itself in the following format:

From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately !
Attachment: patch.exe

The worm trawls the hard disk for files with the extensions .htm .wab .html .dbx .tbb .abd, harvesting email addresses to send itself to. These email addresses are written to the file winload.log.
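The three message fields listed above (spoofed sender, fixed subject, patch.exe attachment) are exactly what a mail gateway or mailbox triage script can match on. The following is an added example, not code from the advisory or from the vendor: it parses a raw message with Python's standard `email` package and reports which of the three indicators are present. Both sample messages are constructed for this example; the attachment body is the base64 of a harmless text string, not an executable.

```python
"""Mail-gateway style check for the W32/Dumaru.a@MM message format.

Added example: parses a raw RFC 822 message and reports which of the three
indicators from the advisory (sender address, subject line, patch.exe
attachment) are present. The sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the advisory's "Mass Mailing Component" section.
SPOOFED_SENDER = "security@microsoft.com"
WORM_SUBJECT = "use this patch immediately !"
WORM_ATTACHMENT = "patch.exe"

# Constructed message in the format the advisory describes (the attachment
# body is the base64 of a harmless text string, not an executable).
SAMPLE_MESSAGE = (
    'From: "Microsoft" <security@microsoft.com>\r\n'
    "To: user@example.invalid\r\n"
    "Subject: Use this patch immediately !\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Install the attached patch.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="patch.exe"\r\n'
    'Content-Disposition: attachment; filename="patch.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "Tm90IGEgcmVhbCBleGVjdXRhYmxlCg==\r\n"
    "--b1--\r\n"
)

# Constructed benign message for comparison.
BENIGN_MESSAGE = (
    "From: Alice <alice@example.invalid>\r\n"
    "To: user@example.invalid\r\n"
    "Subject: Lunch on Friday?\r\n"
    "\r\n"
    "Same place as last time?\r\n"
)


def dumaru_indicators(raw_message: str) -> list:
    """Return the advisory indicators found in the message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    # The visible From: header is spoofed by the worm, so a match is an
    # indicator of the worm's format, not evidence of where the mail came from.
    _, addr = parseaddr(str(msg.get("from", "")))
    if addr.lower() == SPOOFED_SENDER:
        hits.append("sender")

    # Collapse whitespace so "immediately  !" and "immediately !" compare equal.
    subject = " ".join(str(msg.get("subject", "")).lower().split())
    if subject == WORM_SUBJECT:
        hits.append("subject")

    # iter_attachments() skips the body part(s) and yields attached parts only.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == WORM_ATTACHMENT:
            hits.append("attachment")
            break

    return hits


def is_suspected_dumaru(raw_message: str) -> bool:
    """Flag when the patch.exe attachment appears with at least one header indicator."""
    hits = dumaru_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, dumaru_indicators(raw), is_suspected_dumaru(raw))
```

The decision rule requires the executable attachment plus at least one header match, so a legitimate message that merely mentions the subject text is not flagged, while a copy of the worm with a slightly edited subject still is. In practice an executable attachment claiming to be a vendor patch is worth quarantining on its own; the string matches only add the attribution to this family.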

Payload

A password stealer component is dropped by this worm, which is detected as PWS-Narod.

Symptoms

The following registry keys may be hooked to run the file at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32" = C:\%WINDIR%\load32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe C:\WINNT\System32\vxdmgr32.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = C:\WINDOWS\dllreg.exe

The worm copies itself to the following locations:

  • c:\%WINDIR%\dllreg.exe
  • c:\%SYSDIR%\load32.exe
  • c:\%SYSDIR%\vxdmgr32.exe

The PWS-Narod trojan is copied to the %WinDir% directory as windrv.exe.

The system.ini and win.ini files are also modified to execute the worm at startup:

  • c:\windows\system.ini, [boot] "shell" = explorer.exe C:\%SYSDIR%\vxdmgr32.exe
  • c:\windows\win.ini, [windows] "run" = C:\%WINDIR%\dllreg.exe

(Where %WINDIR% is C:\windows or C:\winnt and %SYSDIR% is C:\windows\system or C:\winnt\system.)
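The registry values and ini lines above are the host indicators a responder would sweep for. The following is an added example, not code from the advisory or the vendor: it checks text a responder already has on hand, a Regedit 5 export of the three autostart keys and the contents of system.ini and win.ini, for the file names the advisory lists, so it runs offline on any platform rather than against a live Windows registry. All sample data is constructed; the file names and locations come from the Symptoms section.

```python
"""Offline check of the autostart locations named in the advisory.

Added example: works on a Regedit 5 text export of the autostart keys and on
the contents of system.ini / win.ini rather than on the live registry, so it
runs anywhere. All sample data below is constructed.
"""
import configparser
import re

# File names the advisory attributes to the worm and the dropped PWS-Narod trojan.
WORM_FILES = {"load32.exe", "vxdmgr32.exe", "dllreg.exe", "windrv.exe"}
EXE_RE = re.compile(r"(\w+\.exe)", re.IGNORECASE)

# Registry autostart locations from the Symptoms section (lower-cased for
# matching). An empty set means every value under the key is of interest.
REG_AUTOSTART = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": frozenset(),
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon": frozenset({"shell"}),
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": frozenset({"run"}),
}

# (section, option) that each ini file uses to start programs at logon.
INI_AUTOSTART = {"system.ini": ("boot", "shell"), "win.ini": ("windows", "run")}

# Constructed export; the "UpdateChecker" value is a harmless decoy entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\load32.exe"
"UpdateChecker"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINNT\\System32\\vxdmgr32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\dllreg.exe"
'''

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe
mouse.drv=mouse.drv
"""

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\dllreg.exe
[fonts]
"""

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a Regedit 5 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if m and key is not None:
            # .reg exports escape quotes and backslashes with a backslash.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), data


def worm_files_in(data):
    """Return the advisory file names that appear in a command line, sorted."""
    return sorted({f.lower() for f in EXE_RE.findall(data)} & WORM_FILES)


def check_registry(reg_text):
    """Return (key, value_name, data, reasons) for suspicious autostart values."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        watched = REG_AUTOSTART.get(key.lower())
        if watched is None or (watched and name.lower() not in watched):
            continue
        reasons = worm_files_in(data)
        # Winlogon Shell is plain "explorer.exe" on a clean system, so anything
        # appended to it deserves a look even when the file name is unfamiliar.
        if not reasons and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            reasons = ["unexpected Shell value"]
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


def check_ini(filename, ini_text):
    """Return (filename, option, data, reasons) when the ini autostart line names a worm file."""
    section, option = INI_AUTOSTART[filename.lower()]
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_option(section, option):
        return []
    data = cp.get(section, option)
    reasons = worm_files_in(data)
    return [(filename, option, data, reasons)] if reasons else []


if __name__ == "__main__":
    results = check_registry(SAMPLE_REG)
    results += check_ini("system.ini", SAMPLE_SYSTEM_INI)
    results += check_ini("win.ini", SAMPLE_WIN_INI)
    for finding in results:
        print(finding)
```

Matching on the bare file name rather than the full path is deliberate: the advisory itself gives the paths with %WINDIR% and %SYSDIR% placeholders that resolve differently on Windows 9x and NT-family systems, so a path match would miss half of them.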

Method of Infection

When an infected email attachment is run manually, the worm sends itself to email addresses harvested from files found on the local system that use the following extensions:

  • .htm
  • .wab
  • .html
  • .dbx
  • .tbb
  • .abd

These addresses are stored in a file named winload.log in the %WinDir% directory. The worm sends itself to these recipients as described above, via its own SMTP engine.

The worm can also parasitically infect .exe files on NTFS volumes using alternate data streams. The worm takes the place of the host file, moving the original code to a stream named STR. The virus executes its own code and then reads the original executable back in from the stream. When infecting through this method, it has been observed that the STR stream is not always created; the original content of such files is not salvageable.

Removal

All Users
Detection was included in the 4287 DAT files. Repair requires the 4290 DAT files and the 4.2.60 scan engine.

Stand-alone Remover
Stinger has been updated to detect and remove this threat.

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
    - WinNT/2K/XP - Terminate the following processes:
      1. LOAD32.EXE
      2. VXDMGR32.EXE
      3. DLLREG.EXE
  2. Delete the following files:
    • %WinDir%\DLLREG.EXE 
    • %SysDir%\LOAD32.EXE
    • %SysDir%\VXDMGR32.EXE
  3. Edit the registry
    • Delete the "Load32" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
    • Edit the "Run" value in the following key from "C:\WINDOWS\DLLREG.EXE" to "":
      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Edit the "Shell" value in the following key from "explorer.exe %sysdir%\vxdmgr32.exe" to "explorer.exe":
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Dumaru@mm (Symantec)
  • W32/Dumaru@MM
  • WORM_DUMARU.A (Trend)
