
Win32.Dumaru.A@mm

MEDIUM
MEDIUM
9,234 bytes
(W32.Dumaru@mm (Symantec))

Symptoms

  • Presence of the files

    %WINDOWS%\dllreg.exe
    %SYSTEM%\load32.exe
    %SYSTEM%\vxdmgr32.exe
    %WINDOWS%\windrv.exe

    where %WINDOWS% points to the Windows folder (Win9x/Me) or the Winnt folder (Win2K/XP), and %SYSTEM% points to the System folder (Win9x/Me) or the System32 folder (Win2K/XP).

  • Presence of the value

    "load32"="%SYSTEM%\load32.exe"

    in the registry key

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  • Removal instructions:

    The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

    Important: close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. You will also have to manually delete the infected files stored inside archives and the infected messages from your mail client.

    The BitDefender Antidumaru-EN.exe tool does the following:

      • it detects all the known Win32.Dumaru@mm versions;
      • it kills the process from memory;
      • it deletes the files infected with Win32.Dumaru@mm;
      • it deletes the backdoor component;
      • it repairs the Windows registry.

    You may also need to restore the affected files (the antivirus/security product executables the virus overwrites; see step 7 of the Technical Description).

    Analyzed By

    Patrik Vicol BitDefender Virus Researcher

    Technical Description:

    The virus arrives as a fake e-mail that appears to come from Microsoft:

    From: "Microsoft" security@microsoft.com

    Subject: Use this patch immediately !

    Body:

    Dear friend , use this Internet Explorer patch now!
    There are dangerous virus in the Internet now!
    More than 500.000 already infected!


    Attachment: patch.exe
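As an added example that is not part of the original Bitdefender page, the following Python script implements a mail-gateway check for the lure described above. It parses a raw RFC 822 message, compares the sender address and subject line with the indicators listed here, and looks for an executable attachment. The two sample messages are constructed for illustration, and the extension list beyond .exe is an assumption (the page only names patch.exe).

```python
"""Gateway-side check for the Dumaru lure (added example, not from the page).

Indicators: spoofed sender, subject line and executable attachment, all taken
from the description above. Sample messages are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

LURE_FROM = "security@microsoft.com"           # spoofed sender from the description
LURE_SUBJECT = "Use this patch immediately !"  # subject line from the description
# Assumption: treat these extensions as executable; the page only names patch.exe.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def executable_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments with an executable extension."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def classify(raw: bytes) -> dict:
    """Parse a raw message and decide whether it matches the Dumaru lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).strip()
    exes = executable_attachments(msg)

    reasons = []
    if sender.lower() == LURE_FROM:
        reasons.append("sender spoofs " + LURE_FROM)
    if subject == LURE_SUBJECT:
        reasons.append("subject matches the Dumaru lure")
    if exes:
        reasons.append("executable attachment: " + ", ".join(exes))

    # Quarantine when the spoofed sender is combined with at least one more
    # indicator; a lone executable attachment is left to the regular AV scan.
    quarantine = sender.lower() == LURE_FROM and len(reasons) >= 2
    return {"quarantine": quarantine, "reasons": reasons, "attachments": exes}


# Constructed sample: the lure as described above, with a stub attachment body.
SAMPLE_LURE = b"""From: "Microsoft" <security@microsoft.com>
To: victim@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

--XYZ
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Constructed sample: an ordinary message that must not be flagged.
SAMPLE_BENIGN = b"""From: "Alice" <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain

Are we still on for 12:30?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

The verdict deliberately keys on the spoofed sender: the subject and the attachment name are trivially changed between variants, whereas the impersonated Microsoft address is what makes the social engineering work.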

    When executed, the virus will do the following:

    1. Copy itself as:
      %SYSTEM%\load32.exe
      %WINDOWS%\dllreg.exe
      %SYSTEM%\vxdmgr32.exe


    2. Drops and executes a backdoor component

      %WINDOWS%\windrv.exe (8192 bytes)

      which connects to an IRC server, joins a password-protected channel, sends a login notice and waits for the author to issue commands.


    3. Creates the value

      "load32"="%SYSTEM%\load32.exe"

      in the registry key

      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]


    4. On Windows 9x/Me systems, it does the following:
      • uses RegisterServiceProcess to hide its presence;


      • modifies system.ini by adding the entry in the [Boot] section:

        shell=explorer.exe %SYSTEM%\vxdmgr32.exe

      • modifies win.ini by adding the following entry in the [Windows] section:

        run=C:\WINDOWS\dllreg.exe

    5. Harvests e-mail addresses from files matching

      *.htm
      *.wab
      *.html
      *.dbx
      *.tbb
      *.abd

      and stores them in %WINDOWS%\winload.log file.


    6. Uses its own SMTP engine to send itself to the addresses harvested in winload.log (see above for the format of the infected e-mail).


    7. Searches for *.exe files belonging to several antivirus/security products and attempts to overwrite them with copies of the virus.
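As an added example that is not part of the original Bitdefender page, the following Python script checks for the persistence artefacts and dropped files described in steps 1 to 5 above. The functions take the text of system.ini and win.ini and a .reg export of the Run key, so they can be run against files copied off a suspect machine; the dropped-file check takes an `exists` callable so it can be exercised without a real Windows tree. The sample inputs are constructed for illustration.

```python
"""Offline checks for Dumaru persistence and dropped files (added example,
not from the page). Inputs are INI text, a .reg export and path lists, so the
script runs on any platform; the samples below are constructed.
"""
import os

# Files the virus creates, keyed by the folder placeholder used on the page.
DROPPED_FILES = {
    "%WINDOWS%": ["dllreg.exe", "windrv.exe", "winload.log"],
    "%SYSTEM%": ["load32.exe", "vxdmgr32.exe"],
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "load32"


def ini_entries(text: str) -> dict:
    """Minimal INI/.reg parser: {(section, key): value}, sections and keys case-folded."""
    entries, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def check_boot_files(system_ini: str, win_ini: str) -> list:
    """Win9x/Me persistence: an extra program after explorer.exe in system.ini
    [boot] shell=, and dllreg.exe in win.ini [windows] run=."""
    findings = []
    shell = ini_entries(system_ini).get(("boot", "shell"), "")
    extra = shell.split()[1:]  # anything appended after the real shell
    if any("vxdmgr32.exe" in token.lower() for token in extra):
        findings.append("system.ini [boot] shell= starts vxdmgr32.exe: " + shell)
    run = ini_entries(win_ini).get(("windows", "run"), "")
    if "dllreg.exe" in run.lower():
        findings.append("win.ini [windows] run= starts dllreg.exe: " + run)
    return findings


def check_run_key(reg_export: str) -> list:
    """Registry persistence: the load32 value under HKLM\\...\\Run in a .reg export."""
    for (section, key), value in ini_entries(reg_export).items():
        if section == RUN_KEY and key.strip('"') == RUN_VALUE:
            exe = value.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
            return ["HKLM Run value " + RUN_VALUE + " = " + exe]
    return []


def check_dropped_files(windows_dir: str, system_dir: str, exists=os.path.exists) -> list:
    """Dropped executables and the harvested-address log, reported by full path."""
    found = []
    for placeholder, folder in (("%WINDOWS%", windows_dir), ("%SYSTEM%", system_dir)):
        for name in DROPPED_FILES[placeholder]:
            path = os.path.join(folder, name)
            if exists(path):
                found.append(path)
    return found


# Constructed samples showing the modifications described in steps 3 and 4.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe
[386Enh]
device=*vshare
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\dllreg.exe
"""
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"load32"="C:\\\\WINDOWS\\\\SYSTEM\\\\load32.exe"
"""

if __name__ == "__main__":
    # Simulated file system: only load32.exe is present.
    fake_exists = lambda p: p.endswith("load32.exe")
    for finding in (check_boot_files(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
                    + check_run_key(SAMPLE_REG)
                    + check_dropped_files(r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM", exists=fake_exists)):
        print("FOUND:", finding)
```

On a live Win9x/Me box the same functions can be fed the contents of C:\WINDOWS\SYSTEM.INI and C:\WINDOWS\WIN.INI and the output of `regedit /e` for the Run key; the shell= check looks for anything appended after explorer.exe rather than for an exact string, because the path the virus writes depends on where %SYSTEM% resolves.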