My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Dumaru.B/C@mm

LOW
MEDIUM
34,308 bytes (B@mm), 34,305 (C@mm)
(W32.Dumaru.B/C | W32/Dumaru.b/c@MM | W32/Dumaru-B)

Symptoms

Presence of the next files in %WINDOWS% folder:

dllreg.exe
guid32.dll
windrive.exe
winimg.exe

Presence of the next files in %SYSTEM% folder:

load32.exe
vxdmgr32.exe

Presence of the next files in Startup folder:

rundllw.exe

Presence of the next registry keys or entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
"load32"="%SYSTEM%\load32.exe"


[HKLM\Software\SARS\"kwmfound"=0]

where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to System folder on Windows 9x systems and System32 folder on WinNT systems.

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Automatic removal

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antidumaru-EN.exe tool does the following:
  • it detects all the known Win32.Dumaru versions;

  • it kills the process from memory;

  • it deletes the files infected with or created by Win32.Dumaru;

  • it repairs the Windows registry and the .ini files.


  • You may also need to restore the affected files.

    Semiautomatic removal

    BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.

    1. If you don't have BitDefender installed click here to download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Make the following changes in the windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;

      2. Delete the following key:
        [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
        "load32"="%SYSTEM%\load32.exe"


        [HKLM\Software\SARS\"kwmfound"=0]

    4. Reboot the computer;

    5. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Dumaru.

    Analyzed By

    Patrik Vicol BitDefender Virus Researcher

    Technical Description:

    This mass mailer has backdoor abilities (listens on TCP ports 1001, 2283, 10000) and also comes with a keylogger.
    Attempts to terminate processes belonging to several security and antivirus programs.
    On NTFS partitions, it may overwrite .exe files with copies of the virus.

    It spreads using this format:

    From:
    security@microsoft.com

    Subject:
    Use this patch immediately !

    Body:
    Dear friend , use this Internet Explorer patch now!
    There are dangerous virus in the Internet now!
    More than 500.000 already infected!


    Attachment:
    patch.exe


    Once run, the virus does the following:

    1. Creates the aforementioned files and registry keys/entries.

    2. Attempts to terminate processes:

    ZAUINST.EXE
    ZAPRO.EXE
    ZONEALARM.EXE
    ZATUTOR.EXE
    MINILOG.EXE
    VSMON.EXE
    LOCKDOWN.EXE
    ANTS.EXE
    FAST.EXE
    GUARD.EXE
    TC.EXE
    SPYXX.EXE
    PVIEW95.EXE
    REGEDIT.EXE
    DRWATSON.EXE
    SYSEDIT.EXE
    NSCHED32.EXE
    MOOLIVE.EXE
    TCA.EXE
    TCM.EXE
    TDS-3.EXE
    SS3EDIT.EXE
    UPDATE.EXE
    ATCON.EXE
    ATUPDATER.EXE
    ATWATCH.EXE W
    GFE95.EXE
    POPROXY.EXE
    NPROTECT.EXE
    VSSTAT.EXE
    VSHWIN32.EXE
    NDD32.EXE
    MCAGENT.EXE
    MCUPDATE.EXE
    WATCHDOG.EXE
    TAUMON.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    LOCKDOWN2000.EXE
    SPHINX.EXE
    WEBSCANX.EXE
    VSECOMR.EXE
    PCCIOMON.EXE
    ICLOAD95.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICLOADNT.EXE
    ICSUPPNT.EXE
    FRW.EXE
    BLACKICE.EXE
    BLACKD.EXE
    WRCTRL.EXE
    WRADMIN.EXE
    WRCTRL.EXE
    PCFWALLICON.EXE
    APLICA32.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET32.EXE
    CFINET.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    SAFEWEB.EXE
    NVARCH16.EXE
    MSSMMC32.EXE
    PERSFW.EXE
    VSMAIN.EXE
    LUALL.EXE
    LUCOMSERVER.EXE
    AVSYNMGR.EXE
    DEFWATCH.EXE
    RTVSCN95.EXE
    VPC42.EXE
    VPTRAY.EXE
    PAVPROXY.EXE
    APVXDWIN.EXE
    AGENTSVR.EXE
    NETSTAT.EXE
    MGUI.EXE
    MSCONFIG.EXE
    NMAIN.EXE
    NISUM.EXE
    NISSERV.EXE


    3. On Windows 9x/Me systems, alters win.ini and system.ini in order to run at startup.

    [windows]
    run=%WINDOWS%\dllreg.exe

    [boot]
    shell=explorer.exe %SYSTEM%\vxdmgr32.exe



    4. Harvests e-mail addresses by searching inside:

    .htm
    .wab
    .html
    .dbx
    .tbb
    .abd

    and attempts to send itself using the e-mail format described above, using it's own SMTP engine and the default SMTP address.

    5. Attempts to infect .exe files on NTFS partitions, but due to a bug in the search, it will only infect .exe file on the root of drives.

    6. Connects to an IRC server, and joins a channel, listens on ports 1001, 10000 (TCP) for commands from an attacker. Also, port 2283 (TCP) is used as a send through (like a proxy).

    7. Captures and logs the clippboard to %WINDOWS%\rundllx.sys

    8. Captures and logs keystrokes (but also program name) to %WINDOWS%\vxdload.log

    9. Attempts to connect to a ftp server and upload a .eml file that contains passwords and other informations.