Virus Profile: W32/Dumaru.c@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/25/2003
Date Added: 8/27/2003
Origin: Unknown
Length: 34,308 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4289
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The worm drops the following files:

  • c:\%WINDIR%\dllreg.exe  (virus body)
  • c:\%WINDIR%\guid32.dll (inserts dll into process - buggy)
  • c:\%WINDIR%\rundllx.sys (log file)
  • c:\%WINDIR%\vxdload.log (event log file)
  • c:\%WINDIR%\windrive.exe (PWS-Narod)
  • c:\%WINDIR%\winload.log (contains emails to send itself to)
  • c:\%STARTUP%\rundllw.exe (virus body to run at startup)
  • c:\%SYSDIR%\load32.exe (virus body)
  • c:\%SYSDIR%\vxdmgr32.exe (virus body)

%WINDIR% is C:\windows or C:\winnt,
%SYSDIR% is C:\windows\system or C:\winnt\system
%STARTUP% is c:\Documents and Settings\w2kpro\Start Menu\Programs\Startup\ or c:\WINDOWS\Start Menu\Programs\StartUp\)

The following registry key was added: - HKEY_LOCAL_MACHINE\Software\SARS

On Win98 machines

The worm hooks the following key to run itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32" = C:\WINDOWS\SYSTEM\load32.exe

The following keys were added to SYSTEM.INI and WIN.INI respectively to run the virus at startup:

  • [boot] "shell" = explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe
  • [windows] "run" = C:\WINDOWS\dllreg.exe

On NT, 2k, XP machines

The worm hooks the following keys to run itself at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = C:\WINNT\dllreg.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32" =  Data: (data too large: 260 bytes)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe C:\WINNT\System32\vxdmgr32.exe

Methods of Infection

This worm sends itself to email addresses harvested from files found on the local system that use the following extensions:
  • .htm
  • .wab
  • .html
  • .dbx
  • .tbb
  • .abd

These addresses are stored in a file named winload.log in the %WinDir%. The worm sends itself to these recipients as described above, via its own SMTP engine.

It seems that the worm was intended to parasitically infect exe files by dll injection, however this wasn't observe all the time.

   

Virus Characteristics

-- Update August 28, 2003 --

A new variant of the W32/Dumaru@MM virus has been discovered on 25th August 2003.

This variant is detected heuristically as virus or variant of New BackDoor1 using DATs 4230 (available since 10/23/2002) and later with engine 4.1.60. McAfee customers who updated to this version of DATs, or above, are therefore protected from this new variant.

Mass Mailing Component

The email sent by this variant is similar to W32/Dumaru.a@MM. It contains its own SMTP engine for constructing outgoing messages.

From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately !
Attachment: patch.exe

The worm trawls the harddisk for files with extensions .htm .wab .html .dbx .tbb .abd for email addresses to send itself to. These email addresses are written to file winload.log .

Keylogger Backdoor Component

The worm contains a keylogger component, which logs user events and key inputs. The events are logged to files vxdload.log, rundllx.sys, or rundlln.sys. From strings within the virus body, it seems that passwords saved in Far Manager, and data from the clipboard are logged as well.

Payload

Like previous variants, the password stealer PWS-Narod  is dropped by this worm.

The worm attempts to stop the following security services processes.

ZAUINST.EXE
ZAPRO.EXE
ZONEALARM.EXE
ZATUTOR.EXE
MINILOG.EXE
VSMON.EXE
LOCKDOWN.EXE
ANTS.EXE
FAST.EXE
GUARD.EXE
TC.EXE
SPYXX.EXE
PVIEW95.EXE
REGEDIT.EXE
DRWATSON.EXE
SYSEDIT.EXE
NSCHED32.EXE
MOOLIVE.EXE
TCA.EXE
TCM.EXE
T DS-3.EXE
SS3EDIT.EXE
UPDATE.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
WGFE95.EXE
POPROXY.EXE
NPROTECT.EXE
VSSTAT.EXE
VSHWIN32.EXE
NDD32.EXE
MCAGENT.EXE
MCUPDATE .EXE
WATCHDOG.EXE
TAUMON.EXE
IAMAPP.EXE
IAMSERV.EXE
LOCKDOWN2000.EXE
SPHINX.EXE
WEBSCANX.EXE
VSECOMR.EXE
PCCIOMON.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLO ADNT.EXE
ICSUPPNT.EXE
FRW.EXE
BLACKICE.EXE
BLACKD.EXE
WRCTRL.EXE
WRADMIN.EXE
WR CTRL.EXE
PCFWALLICON.EXE
APLICA32.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
CF INET.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
NVARCH16.EXE
MSSMMC32.EXE
PERSFW.E XE VSMAIN.EXE
LUALL.EXE
LUCOMSERVER.EXE
AVSYNMGR.EXE
DEFWATCH.EXE
RTVSCN95.EXE
VPC42.EXE
VPTRAY.EXE
PAVPROXY.EXE
APVXDWIN.EXE
AGENTSVR.EXE
NETSTAT.EXE
MGUI.EX E MSCONFIG.EXE
NMAIN.EXE
NISUM.EXE
NISSERV.EXE

It was observed that the virus also connects to a restricted russian site by ftp, probably to download updates of itself. This site cannot be accessed during this moment of writing.

   

All Users
Detection was included in the 4287 DAT files . Repair requires the 4290 DAT files and the 4.2.60 scan engine.

Stand-alone Remover
 Stinger has been updated to detect and remove this threat.

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    - WinNT/2K/XP - Terminate the processes:
      1. LOAD32.EXE
      2. VXDMGR32.EXE
      3. DLLREG.EXE
  2. Delete the following files:
    • %WinDir%\DLLREG.EXE 
    • %SysDir%\LOAD32.EXE
    • %SysDir%\VXDMGR32.EXE
  3. Edit the registry
    • Delete the "Load32" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
    • Edit the "Run" value in the following key from "C:\WINDOWS\DLLREG.EXE" to "":
      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Edit the "Shell" value in the following key from "explorer.exe %sysdir%\vxdmgr32.exe" to "explorer.exe":
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

 Additional Windows ME/XP removal considerations