Content
W32/Dumaru.y@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 01/24/2004
- Length
- approx 17 Kb (FSG packed)
Note: file size may vary due to appended data.
- Minimum DAT
- 4318 (01/26/2004)
- Updated DAT
- 4606 (10/17/2005)
- Minimum Engine
- 5.1.00
- Description Added
- 01/24/2004
- Description Modified
- 01/30/2004 11:05 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update January 30, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.
-- Update January 26, 2004 --
This threat has had its risk assessment upgraded to Medium from Low-Profiled. This is due to increased prevalence.
-- Update January 25, 2004 --
A new minor variant of this worm was received. The extra.dat file has been updated to deal with both threats - W32/Dumaru.y@MM and W32/Dumaru.z@MM
W32/Dumaru.z@MM is very similar to the y variant, the major differences being:
- Filesize: approx 14,550 bytes
- File download: this variant is intended to download a remote file (URL hard-coded in body). This remote file may change, but at the time of writing it was a variant of W32/Spybot.worm. This is written to disk as %SysDir%\NVIDIA32.EXE. This is detected as W32/Spybot.worm.gen with the 4288 DATs or greater.
The email message constructed is identical to that for the y variant.
-- Update January 24, 2004 --
The risk assessment of this threat was raised to Low-Profiled due to media attention at http://antivirus.about.com/cs/allabout/a/dumaruy.htm
This detection is for a new variant of W32/Dumaru@MM. It bears similarities to its predecessors (for example W32/Dumaru.j@MM ).
This worm bears the following characteristics:
- contains its own SMTP engine to construct messages
- harvests target email addresses from the local machine
Additionally, the worm is also intended to steal data from the victim machine (e.g. certain application passwords, keylogger data). This may be triggered via remote commands from the hacker.
Mail Propagation
The worm constructs outgoing messages using its own SMTP engine. Target email addresses are harvested from the victim machine - files matching the following extensions are searched:
- .HTM
- .WAB
- .HTML
- .DBX
- .TBB
- .ABD
The worm mails itself in a ZIP file. The ZIP contains the worm with the following filename:
- MYPHOTO.JPG. (many spaces) .EXE
Messages are constructed with the following characteristics:
From:
"Elene" (F (removed) ENSUICIDE@HOTMAIL.COM)
Subject:
Important information for you. Read it immediately !
Attachment:
MYPHOTO.ZIP
Body:
Hi!
Here is my photo, that you asked for yesterday.
For example (with offensive and target email removed):
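The attachment name above relies on a long run of spaces to push the real .EXE extension out of view, so a mail gateway or attachment filter should judge the name after normalising it rather than by its visible prefix. The following is an added example in Python, not code from the advisory or from McAfee: it analyses attachment and ZIP member names for the decoy-extension-plus-padding pattern and inspects a ZIP in memory without extracting it. The extension sets and the sample ZIP are constructed for illustration; the ZIP member holds an inert placeholder string.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Harmless-looking extensions a worm places in front of the real one as bait.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}


def analyse_filename(name: str) -> dict:
    """Describe why an attachment filename looks deceptive.

    Returns the real (last) extension, the decoy extension if any, whether
    whitespace padding separates them, and an overall verdict.
    """
    # Drop any directory component; ZIP entries may carry one.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # "MYPHOTO.JPG.      .EXE" splits into ["MYPHOTO", "JPG", "      ", "EXE"];
    # stripping each piece exposes the empty padding segment.
    raw_parts = base.split(".")
    parts = [p.strip() for p in raw_parts]
    real_ext = parts[-1].lower() if len(parts) > 1 else ""
    padded = any(p != p.strip() for p in raw_parts) or any(p == "" for p in parts[1:-1])
    # The first inner piece that looks like a benign extension is the decoy.
    decoy = next((p.lower() for p in parts[1:-1] if p.lower() in DECOY_EXTENSIONS), "")
    # A plain "setup.exe" is a policy question, not a naming trick, so it is not flagged here.
    suspicious = real_ext in EXECUTABLE_EXTENSIONS and (decoy != "" or padded)
    return {
        "name": base,
        "real_ext": real_ext,
        "decoy_ext": decoy,
        "padded": padded,
        "suspicious": suspicious,
    }


def scan_zip_bytes(data: bytes) -> list:
    """Analyse every file member of a ZIP held in memory (names only, no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyse_filename(info.filename) for info in zf.infolist() if not info.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose single member mimics the worm's naming trick.

    The member content is an inert placeholder string, not an executable.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MYPHOTO.JPG." + " " * 40 + ".EXE", b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for result in scan_zip_bytes(build_sample_zip()):
        print(result)
```

Running the module prints the analysis of the constructed ZIP member, reporting the real extension `exe`, the decoy `jpg`, and `padded` set to true. The same `analyse_filename` check applies to the raw attachment name before the ZIP is opened, so a gateway can reject the message at either layer.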
Data Stealing
The worm is intended to steal data from the victim machine. Keylogging functionality is targeted at capturing keystrokes during specific browser sessions - those related to online banking. The worm specifically targets e-gold.com users. Logged data is written to the file VXDLOAD.LOG.
Clipboard contents are also targeted by the worm. Contents are written to the file RUNDLLX.SYS.
These log contents are emailed to the hacker(s) using email addresses hard-coded in the worm.
- anyname@btw.egold-hosting.com
Remote Access
The worm listens on TCP ports 2283 and 10000 to allow a remote attacker to issue instructions to the worm (such as FTP commands).
Symptoms
Existence of the following Registry key:
- HKEY_LOCAL_MACHINE\Software\SARS
Existence of the files and Registry keys described in the "Method of Infection" section
Method of Infection
When executed, the worm copies itself multiple times onto the victim machine:
- %WinDir%\RUNDLLX.SYS
- %SysDir%\L32X.EXE
- %SysDir%\VXD32V.EXE
Where %WinDir% is the Windows directory (e.g. C:\WINNT) and %SysDir% is the Windows System directory (e.g. C:\WINNT\SYSTEM32).
A copy is also dropped in the Windows startup folder, as DLLXW.EXE, for example:
- c:\Documents and Settings\user2\Start Menu\Programs\Startup\dllxw.exe
The worm creates a ZIP file (containing the worm) with the filename ZIP.TMP in the following directory:
- %WinDir%\TEMP\ZIP.TMP
The following Registry hook is added to hook system startup (9x and NT):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32" = %SysDir%\L32X.EXE
On NT/2k systems the following key is modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
from:
Explorer.exe
to:
explorer.exe %SysDir%\VXD32V.EXE
The WIN.INI and SYSTEM.INI system files are also modified to hook system startup. The following entry is added to WIN.INI:
[windows]
"run" = %WinDir%\RUNDLLX.SYS
The following key is modified in SYSTEM.INI:
[boot]
"shell" = Explorer.exe
is modified to:
"shell" = explorer.exe %SysDir%\VXD32V.EXE
Unlike some previous variants, this variant does not have a parasitic infection component (via NTFS streams).
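The "Symptoms" and "Method of Infection" sections together give a compact set of host indicators: the HKLM\Software\SARS marker key, the "load32" Run value, the modified Winlogon Shell value, the WIN.INI run= and SYSTEM.INI shell= entries, and the listeners on TCP 2283 and 10000. The following is an added example in Python, not code from the advisory or from McAfee, showing how an incident responder can check an exported registry file, the two INI files and a `netstat -an` capture offline for those indicators. The `.reg` parser handles only key headers and string values, which is all this check needs; all sample inputs are constructed to resemble the artefacts the advisory describes and are not real captures.

```python
import configparser
import re

# Indicators from the advisory, lower-cased for case-insensitive matching.
# File names are matched without their directory because %WinDir% and %SysDir% vary.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
MARKER_KEY = r"hkey_local_machine\software\sars"
RUN_VALUE_NAME = "load32"
RUN_PAYLOAD = "l32x.exe"
SHELL_PAYLOAD = "vxd32v.exe"
INI_RUN_PAYLOAD = "rundllx.sys"
LISTEN_PORTS = {2283, 10000}


def parse_reg_export(text: str) -> dict:
    """Parse a regedit .reg export into {key_path_lower: {value_name: data}}.

    Only key headers and "name"="data" string values are handled.
    """
    keys, current = {}, None
    value_re = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = value_re.match(line)
            if m:  # .reg exports double every backslash in string data
                keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def ini_value(text: str, section: str, option: str) -> str:
    """Read one option from WIN.INI / SYSTEM.INI style text, preserving case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp.get(section, option, fallback="") or ""


def listening_ports(netstat_text: str) -> set:
    """Collect local TCP ports in LISTENING state from 'netstat -an' style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def assess(reg_text: str, win_ini: str, system_ini: str, netstat_text: str) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    keys = parse_reg_export(reg_text)
    if MARKER_KEY in keys:
        findings.append("registry marker key HKLM\\Software\\SARS present")
    run_data = keys.get(RUN_KEY, {}).get(RUN_VALUE_NAME, "")
    if RUN_PAYLOAD in run_data.lower():
        findings.append(f"Run value '{RUN_VALUE_NAME}' launches {run_data}")
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    if SHELL_PAYLOAD in shell.lower():
        findings.append(f"Winlogon Shell modified: {shell}")
    if INI_RUN_PAYLOAD in ini_value(win_ini, "windows", "run").lower():
        findings.append("WIN.INI [windows] run= points at RUNDLLX.SYS")
    if SHELL_PAYLOAD in ini_value(system_ini, "boot", "shell").lower():
        findings.append("SYSTEM.INI [boot] shell= appends VXD32V.EXE")
    hits = listening_ports(netstat_text) & LISTEN_PORTS
    if hits:
        findings.append(f"remote-access ports listening: {sorted(hits)}")
    return findings


# Constructed samples resembling an infected host (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINNT\\SYSTEM32\\L32X.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINNT\\SYSTEM32\\VXD32V.EXE"

[HKEY_LOCAL_MACHINE\Software\SARS]
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINNT\\RUNDLLX.SYS\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINNT\\SYSTEM32\\VXD32V.EXE\n"
SAMPLE_NETSTAT = (
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING\n"
    "  TCP    192.168.1.5:1043       10.0.0.1:25            ESTABLISHED\n"
)

# Constructed samples resembling a clean host.
CLEAN_REG = ("Windows Registry Editor Version 5.00\n\n"
             "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n"
             '"Shell"="Explorer.exe"\n')
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
CLEAN_NETSTAT = "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"

if __name__ == "__main__":
    for finding in assess(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

On the constructed infected-host samples `assess` reports all six indicators; on the clean samples it returns nothing. The check is deliberately read-only and works on exported artefacts, so it can be run from a clean workstation against files collected from the suspect machine before the recommended engine and DAT combination is used for cleaning.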
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stinger has been updated to detect and remove this threat. Stinger is not required for McAfee users to clean an infected system as the products contain the same level of repair.
Additional Windows ME/XP removal considerations
McAfee Security Threatscan:
ThreatScan signatures that can detect the W32/Dumaru.y@MM virus are available.
- Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
- Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt
Variants
- W32/Dumaru.z@MM
All Information
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- CapeGold
- W32.Dumaru.Y@mm (NAV)
- W32/Dumaru.z@MM
- Win32/ZHymn (CAI)
- WORM_DUMARU.Y (Trend)