W32/Dumaru.ad@MM
- Type: Virus
- SubType:
- Discovery Date: 02/10/2004
- Length: 40,960 bytes (polymorphic dropper); 28,020 bytes (dropped NLOAD.EXE)
- Minimum DAT: 4323 (02/11/2004)
- Updated DAT: 4606 (10/17/2005)
- Minimum Engine: 5.1.00
- Description Added: 02/10/2004
- Description Modified: 02/25/2004 7:24 AM (PT)
Characteristics
This detection is for a new variant of W32/Dumaru@MM. There are similarities between this and a previous variant.
This worm bears the following characteristics:
- it is polymorphic (but of fixed file size: 40,960 bytes)
- it drops a second binary, which contains the worm's functionality
- it mails itself in a ZIP file (DOCUMENT.ZIP)
- messages are constructed using the worm's SMTP engine, and sent to email addresses harvested from the victim machine
- the worm also contains a data stealing component, mailing specific data to the hacker (keylog, clipboard, MAPI passwords, IP, system information etc)
- a backdoor component (already detected as BackDoor-AXJ ) is downloaded from a remote server.
The worm's functionality is contained in a file that is dropped (C:\NLOAD.EXE - 28,020 bytes) when the polymorphic component is executed on the victim machine.
Mail Propagation
The worm constructs outgoing messages using its own SMTP engine. Target email addresses are harvested from the victim machine - files matching the following extensions are searched:
- .HTM
- .WAB
- .HTML
- .DBX
- .TBB
- .ABD
Harvested addresses are written to the following file:
- %WinDir%\1111MAIL.LOG
The worm mails itself in a ZIP file (DOCUMENT.ZIP, approx 41kB). The ZIP contains the worm with the following filename:
- MYPHOTO.JPG. (many spaces) .EXE
The From: header of outgoing messages is spoofed (combining random strings together with domains of email addresses harvested from the victim machine).
The message body contains random ASCII strings.
Testing thus far has shown the mailing routine to be somewhat buggy.
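As an added example (not code from the McAfee description), the following Python flags ZIP attachments whose member name uses the space-padded double extension described above ("MYPHOTO.JPG." followed by many spaces and ".EXE"), and, more generally, any executable hiding inside a supposed document archive. The ZIP and its member name are constructed in-memory fixtures; the lists of benign and executable extensions are assumptions.

```python
import io
import re
import zipfile

# Lure pattern from the advisory: a harmless-looking extension, an optional
# trailing dot, a long run of spaces, then a real executable extension.
PADDED_EXE_RE = re.compile(
    r"\.(jpe?g|gif|png|bmp|txt|doc|pdf)\.?[ \t]{4,}\.(exe|scr|pif|com|bat)$", re.I
)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed executable set


def classify_member(name: str) -> str:
    """'padded' for the spaces-before-.EXE lure, 'executable' for any other
    executable extension, '' for names that look fine."""
    if PADDED_EXE_RE.search(name):
        return "padded"
    if name.lower().endswith(EXEC_EXTS):
        return "executable"
    return ""


def suspicious_members(zip_bytes: bytes) -> dict:
    """Map each suspicious member name in the archive to the reason it was flagged."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    return {n: classify_member(n) for n in names if classify_member(n)}


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test fixture: an in-memory ZIP holding one inert text member
    under the given name. Only the name is examined; the content is not a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "inert placeholder, not a binary")
    return buf.getvalue()


# Member name in the shape the advisory gives: "MYPHOTO.JPG." + many spaces + ".EXE"
LURE_NAME = "MYPHOTO.JPG." + " " * 60 + ".EXE"

if __name__ == "__main__":
    for name in (LURE_NAME, "holiday.jpg", "setup.exe"):
        verdict = suspicious_members(build_sample_zip(name))
        print(repr(name[:16]), "->", verdict.get(name, "clean"))
```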
Remote Access Component
The worm contains a remote access component, similar to that observed for previous variants. The worm listens on TCP ports 2283 and 10000 to allow a remote attacker to issue instructions to the worm (such as FTP commands).
Additionally, the worm attempts to download a binary from a remote server:
- http://udm-base.us/(blocked)/1.exe
At the time of writing, this binary is a remote access trojan. This is detected as BackDoor-AXJ by McAfee products running the 4295 DATs or greater.
Data Stealing
The worm is intended to steal data from the victim machine. Keylogging functionality is targeted at capturing keystrokes during specific browser sessions - those related to online banking. Clipboard contents are also harvested by the worm.
An email containing harvested data is sent to the hacker. An example email is shown below (exact contents will vary according to the data harvested from the machine):
From: user (address@yandex.ru)
Body:
IP address: (IP address)
*** System information ***
Windows version: (Windows version)
Internet Explorer version: (IE version)
*** System information ends ***
===CLIPBOARD LOG===
(clipboard contents)
===CLIPBOARD LOG END===
*** Protected Storage Data ***
********************
MAIL: v180A31520
(mail username/password pairs)
*** Protected Storage Data ends ***
Symptoms
- Existence of the files and Registry keys described in the "Method of Infection" section
- TCP ports 10000 and 2283 open on infected machine
- Outgoing DNS query for, and HTTP GET request to, the following domain: govno.ws
Method of Infection
When executed, the following image is extracted (to %Temp%\photo.jpg) and displayed:
Subsequently, the worm drops the following binary to the victim machine:
- C:\NLOAD.EXE
When executed, this copies itself to the Windows startup folder, as 1111B.EXE, for example:
- C:\WINDOWS\START MENU\PROGRAMS\STARTUP\1111B.EXE
Two further copies are dropped into the System directory:
- %SysDir%\1111A.EXE
- %SysDir%\1111C.EXE
The worm creates a ZIP file (containing the worm) with the filename ZIP.TMP in the following directory:
- %WinDir%\TEMP\ZIP.TMP
The following Registry hook is added to hook system startup (9x and NT):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32" = %SysDir%\1111A.EXE
The following key is modified in SYSTEM.INI:
[boot]
"shell" = Explorer.exe
is modified to:
"shell" = explorer.exe %SysDir%\1111C.EXE
A notification is sent to the hacker via HTTP. A GET request is sent to a script on the following server, passing the victim IP address:
- GOVNO.WS
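Added example, not part of the original description: a Python check for the two startup hooks listed above, run over constructed SYSTEM.INI text and a constructed snapshot of Run-key values. The "load32" value name and the 1111A/B/C.EXE filenames come from the description; the ctfmon entry is an assumed benign neighbour, and the INI samples use standard `shell=` syntax rather than the quoted rendering above.

```python
import re

# Constructed SYSTEM.INI excerpts in the shape the advisory describes (not real captures).
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
"""
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\1111C.EXE
"""
# Matches the dropped copies named in the advisory: 1111A.EXE, 1111B.EXE, 1111C.EXE
DUMARU_FILE_RE = re.compile(r"(^|[\\/])1111[ABC]\.EXE$", re.I)


def boot_shell_value(ini_text: str) -> str:
    """Return the 'shell=' value from the [boot] section ('' if absent)."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def extra_shell_command(ini_text: str) -> str:
    """Anything after explorer.exe on the shell line is launched at logon; clean -> ''."""
    value = boot_shell_value(ini_text)
    m = re.match(r"explorer\.exe\s*(.*)$", value, re.I)
    return m.group(1).strip() if m else value   # a non-Explorer shell is itself a finding


def dumaru_persistence_indicators(ini_text: str, run_values: dict) -> list:
    """Flag the SYSTEM.INI hook plus any Run value (name -> command) named
    'load32' or pointing at one of the 1111[A-C].EXE copies."""
    hits = []
    extra = extra_shell_command(ini_text)
    if extra:
        hits.append("SYSTEM.INI [boot] shell launches: " + extra)
    for name, cmd in run_values.items():
        if name.lower() == "load32" or DUMARU_FILE_RE.search(cmd.strip().strip('"')):
            hits.append(f"Run value {name!r} -> {cmd}")
    return hits


# Constructed Run-key snapshot: one legitimate entry and the worm's 'load32' hook.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    "load32": r"C:\WINDOWS\SYSTEM\1111A.EXE",
}
```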
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Dumaru.AH@mm (NAV)
- Win32.Dumaru.O (CA)
- WORM_DUMARU.AC (Trend)