Classification

Category :

Malware

Type :

Worm

Aliases :

Dumaru.B, W32.Dumaru.B@mm

Summary

Dumaru.B is a file infector and mass-mailing worm that disguises its email as a security patch from Microsoft. The worm drops an IRC-controlled backdoor component onto the infected system.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Dumaru.B is packed with an unmodified version of UPX. The unpacked size of the worm is 61440 bytes.

When first run, the worm installs itself by placing several copies of its file on the system, each with its own autostart mechanism.

One copy goes to the System Directory as 'load32.exe', which is registered in the Run key:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32'

The next one is copied to the current user's Startup folder as 'rundllw.exe'.

Another copy of the worm is placed in the Windows Directory as 'dllreg.exe' and added to 'win.ini' as follows:

[windows]
Run=dllreg.exe

A fourth copy goes to the System Directory as 'vxdmgr32.exe' and is registered in 'system.ini':

[Boot]
Shell=explorer vxdmgr32.exe

The backdoor is dropped to the Windows directory as 'windrv.exe' and started. This file is detected by F-Secure Anti-Virus as Backdoor.Small.d.

A keylogger is dropped to the Windows Directory as 'guid32.dll'.
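The 'win.ini' and 'system.ini' entries above are easy to miss because modern autostart tools concentrate on the registry. The following added example (not part of the F-Secure description) audits both files the way an incident responder would: any program named on the 'Run='/'Load=' line of win.ini and any token other than a bare 'explorer.exe' on the 'Shell=' line of system.ini is reported, and names that match the files this description attributes to Dumaru.B are marked. The INI text is a constructed sample so the script runs offline; on a live host you would read the files from the Windows directory instead. The Run registry value is not covered here.

```python
"""Audit the legacy win.ini / system.ini autostart entries that Dumaru.B abuses.

Added example, not part of the F-Secure description. It works on INI text
(constructed samples below) so it is testable offline; on a live Windows host
read %WINDIR%\\win.ini and %WINDIR%\\system.ini instead.
"""

# File names the description attributes to Dumaru.B (an indicator list, not a detection on its own).
DUMARU_B_FILES = {
    "load32.exe", "rundllw.exe", "dllreg.exe", "vxdmgr32.exe",
    "windrv.exe", "guid32.dll", "winimg.exe",
}

# Constructed samples mirroring the entries the description quotes.
SAMPLE_WIN_INI = """[windows]
load=
Run=dllreg.exe
"""

SAMPLE_SYSTEM_INI = """[Boot]
Shell=explorer vxdmgr32.exe
"""


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}. Section and key names are
    lower-cased because Windows treats them case-insensitively ([Boot] == [boot])."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
    return data


def _severity(program):
    """'known Dumaru.B file' if the base name is in the indicator list, else 'review'."""
    name = program.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "known Dumaru.B file" if name in DUMARU_B_FILES else "review"


def audit_autostart(win_ini_text, system_ini_text):
    """Return (source, program, severity) for every program the legacy autostart
    entries would launch. A clean system yields an empty list."""
    findings = []

    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("run", "load"):
        # Run= and Load= accept several programs separated by commas or spaces.
        for prog in windows.get(key, "").replace(",", " ").split():
            findings.append(("win.ini [windows] %s=" % key, prog, _severity(prog)))

    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    parts = shell.split()
    if parts:
        if parts[0].lower() not in ("explorer", "explorer.exe"):
            findings.append(("system.ini [boot] Shell= replaced", parts[0], _severity(parts[0])))
        # Explorer launches any extra token on the Shell= line at startup; that is
        # the trick in the description ("Shell=explorer vxdmgr32.exe").
        for extra in parts[1:]:
            findings.append(("system.ini [boot] Shell= extra argument", extra, _severity(extra)))
    return findings


if __name__ == "__main__":
    for source, program, severity in audit_autostart(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-40s %-16s %s" % (source, program, severity))
```

Run against the constructed samples it reports 'dllreg.exe' from win.ini and 'vxdmgr32.exe' as an extra Shell= argument, both marked as known Dumaru.B files; anything else it lists is worth a look even if the name is unfamiliar, since a legacy Run= or Shell= entry has no business on a healthy system.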

Email propagation

Dumaru.B uses its own SMTP engine to send emails with infected attachments. The worm searches for email addresses on all drives recursively in files with the following extensions:

.htm
.wab
.html
.dbx
.tbb
.abd

Using its SMTP engine, Dumaru.B sends infected emails to the addresses it collected. The infected emails have the following appearance:

From: "Microsoft" [security@microsoft.com]
Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment: patch.exe

The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.
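The message above combines three things a mail gateway can key on without any signature: an executable attachment, a subject presenting it as a patch, and a sender address in a vendor domain that does not distribute patches by mail. The following added example (not part of the F-Secure description) builds a message from the headers and attachment name quoted above, then inspects it with Python's standard email library and returns the reasons it should be held. The 4-byte MZ stub standing in for the attachment, the extension list and the vendor-domain set are constructed assumptions for the example.

```python
"""Gateway-style check for mail of the kind Dumaru.B sends: a spoofed vendor
sender ("Microsoft" <security@microsoft.com>) delivering an executable attachment.

Added example, not part of the F-Secure description. The sample message is
constructed from the headers and attachment name the description quotes; the
4-byte MZ stub stands in for the worm body and is not malware.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types Windows runs directly (assumed list; a real gateway list is longer).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Vendors that never ship patches as mail attachments (assumption for this example).
VENDOR_DOMAINS = {"microsoft.com"}
PATCH_WORDS = ("patch", "update", "fix")


def build_sample():
    """Constructed message mirroring the worm's email; returns raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft" <security@microsoft.com>'
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content(
        "Dear friend , use this Internet Explorer patch now!\n"
        "There are dangerous virus in the Internet now!\n"
        "More than 500.000 already infected!\n"
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    return msg.as_bytes()


def inspect(raw_bytes):
    """Return the list of reasons a message should be held; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    # The From header is attacker-controlled text; we only use it to spot the claim.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()

    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            executables.append(name)

    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))
    subject = (msg.get("Subject") or "").lower()
    if executables and any(word in subject for word in PATCH_WORDS):
        reasons.append("executable attachment presented as a patch")
    if executables and sender_domain in VENDOR_DOMAINS:
        # A vendor address plus an executable is the Dumaru.B pattern whatever
        # SPF/DKIM later say about the envelope.
        reasons.append("executable attachment from claimed vendor domain " + sender_domain)
    return reasons


if __name__ == "__main__":
    for reason in inspect(build_sample()):
        print("HOLD:", reason)
```

The executable-attachment rule alone would have stopped this worm; the other two exist to raise the priority of the alert rather than to decide it, because attackers can trivially change the subject and sender while the attachment type is what they need to keep.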

File infection

If the infected system runs on an NTFS volume, Dumaru.B infects EXE files using a companion method built on NTFS alternate data streams. The original file content is copied to the stream 'filename.exe:STR' and 'filename.exe' itself is overwritten with a copy of the virus. When 'filename.exe' is invoked, the worm runs and then executes 'filename.exe:STR', so the original program still appears to work. Because the original program survives only in the stream, cleaning such a file means restoring it from 'filename.exe:STR' rather than simply deleting the host file; note also that a normal directory listing does not show the stream and that it is lost if the file is copied to a FAT volume.

Backdoors

Dumaru.B opens several ports, each with a different service.

On port 10000 it opens an FTP server that provides full access to all files on all the physical and mapped drives of the infected computer.

On port 1001 a custom backdoor component listens for plain-text commands that let the attacker:

  • execute arbitrary commands
  • take a screenshot
  • open or close the CD tray
  • play a sound
  • display a message box

On port 2283 Dumaru.B implements a generic TCP Proxy/bouncer an attacker can use to connect to other hosts through the infected computer.

Stealing data

Apart from spreading and providing backdoor access, Dumaru.B collects a considerable amount of sensitive data and sends it by email to a predefined address:

  • Far Manager passwords
  • ID list for the site WebMoney.ru
  • Passwords and wallet information for WebMoney.ru which is collected from *.kwm files
  • Keystrokes collected by the keylogger and stored in a file called 'vxdload.log'
  • Content of the clipboard which is captured and stored in 'rundllx.sys' in Windows Directory
  • Protected Storage Data which stores passwords for Internet Explorer, Outlook Express and similar programs.

To gather this data the worm drops a simple tool to the Windows Directory as 'winimg.exe' and uses it to dump the password list to 'rundllz.sys'.

Terminating security software

Dumaru.B enumerates the running processes and terminates any whose name is in the following list (mostly personal firewalls, anti-virus products and system tools):

ZAUINST.EXE
ZAPRO.EXE
ZONEALARM.EXE
ZATUTOR.EXE
MINILOG.EXE
VSMON.EXE
LOCKDOWN.EXE
ANTS.EXE
FAST.EXE
GUARD.EXE
TC.EXE
SPYXX.EXE
PVIEW95.EXE
REGEDIT.EXE
DRWATSON.EXE
SYSEDIT.EXE
NSCHED32.EXE
MOOLIVE.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
SS3EDIT.EXE
UPDATE.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
WGFE95.EXE
POPROXY.EXE
NPROTECT.EXE
VSSTAT.EXE
VSHWIN32.EXE
NDD32.EXE
MCAGENT.EXE
MCUPDATE.EXE
WATCHDOG.EXE
TAUMON.EXE
IAMAPP.EXE
IAMSERV.EXE
LOCKDOWN2000.EXE
SPHINX.EXE
WEBSCANX.EXE
VSECOMR.EXE
PCCIOMON.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
FRW.EXE
BLACKICE.EXE
BLACKD.EXE
WRCTRL.EXE
WRADMIN.EXE
WRCTRL.EXE
PCFWALLICON.EXE
APLICA32.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
CFINET.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
NVARCH16.EXE
MSSMMC32.EXE
PERSFW.EXE
VSMAIN.EXE
LUALL.EXE
LUCOMSERVER.EXE
AVSYNMGR.EXE
DEFWATCH.EXE
RTVSCN95.EXE
VPC42.EXE
VPTRAY.EXE
PAVPROXY.EXE
APVXDWIN.EXE
AGENTSVR.EXE
NETSTAT.EXE
MGUI.EXE
MSCONFIG.EXE
NMAIN.EXE
NISUM.EXE
NISSERV.EXE