Virus: BDS/Dumador.DG.3
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 26.112 Bytes
MD5 checksum: 2aeaafa28af93018080f16805b73b3bb
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Symantec: Backdoor.Nibu


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows CE


Side effects:
   • Blocks access to security websites
   • Drops a malicious file
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\winldra.exe



It deletes the following files:
   • %WINDIR%\send_logs_trigger
   • %WINDIR%\dvpd.log



The following files are created:
   • %TEMPDIR%\fe43e701.htm
   • %WINDIR%\dvpd.dll: further investigation pointed out that this file is malware, too.
   • %WINDIR%\dvpd.log: this file contains collected keystrokes.
   • %WINDIR%\netdx.dat: contains a unique ID of the infected computer.
   • %WINDIR%\prntc.log

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "load32"="%SYSDIR%\winldra.exe"



The following registry key is added:

– HKCU\Software\SARS
   • "SocksPort"=dword:%random character string%

Hosts
The hosts file is modified as follows:

– In this case already existing entries remain unmodified.

– Access to the following domains is redirected to other destinations:
   • avp.com
   • ca.com
   • customer.symantec.com
   • dispatch.mcafee.com
   • download.mcafee.com
   • f-secure.com
   • kaspersky.com
   • liveupdate.symantec.com
   • liveupdate.symantecliveupdate.com
   • mast.mcafee.com
   • mcafee.com
   • my-etrust.com
   • nai.com
   • networkassociates.com
   • rads.mcafee.com
   • secure.nai.com
   • securityresponse.symantec.com
   • sophos.com
   • symantec.com
   • trendmicro.com
   • update.symantec.com
   • updates.symantec.com
   • us.mcafee.com
   • us.mcafee.com/root/
   • viruslist.com
   • www.avp.com
   • www.ca.com
   • www.f-secure.com
   • www.kaspersky.com
   • www.mcafee.com
   • www.my-etrust.com
   • www.nai.com
   • www.networkassociates.com
   • www.sophos.com
   • www.symantec.com
   • www.trendmicro.com
   • www.viruslist.com




The modified host file will look like this:


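A defender-side check for the hosts-file tampering described above, added here as an example and not part of the original description: it parses a hosts file and flags any entry that pins one of the security-vendor domains listed on this page. The sample hosts content is constructed; `HIJACK_TARGETS` is built from the page's domain list (the `us.mcafee.com/root/` path entry is covered by `us.mcafee.com`).

```python
"""Flag hosts-file entries that hijack security-vendor domains (added example)."""

# Domains the description lists as redirected by BDS/Dumador.DG.3.
HIJACK_TARGETS = frozenset("""
avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com
f-secure.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com
mast.mcafee.com mcafee.com my-etrust.com nai.com networkassociates.com rads.mcafee.com
secure.nai.com securityresponse.symantec.com sophos.com symantec.com trendmicro.com
update.symantec.com updates.symantec.com us.mcafee.com viruslist.com
""".split())


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # one IP may be followed by several names
            yield fields[0], name.lower(), no


def find_hijacked(text):
    """Return [(line_no, ip, hostname)] for entries pinning a vendor domain.

    A leading 'www.' is stripped so www.symantec.com matches symantec.com,
    mirroring the paired entries in the page's list. Any pinning of these
    domains is suspicious, whatever the IP: legitimate hosts files never
    need to override a vendor's public DNS.
    """
    hits = []
    for ip, name, no in parse_hosts(text):
        bare = name[4:] if name.startswith("www.") else name
        if bare in HIJACK_TARGETS:
            hits.append((no, ip, name))
    return hits


# Constructed sample: a benign default file plus two Dumador-style redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.0.10    intranet.example   # legitimate local entry
127.0.0.1       www.symantec.com symantec.com
127.0.0.1       liveupdate.symantec.com
"""

if __name__ == "__main__":
    for no, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip} (security vendor domain pinned)")
```

On a live system, point `find_hijacked` at the contents of `%SYSDIR%\drivers\etc\hosts` (or `/etc/hosts`) instead of the constructed sample.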
Backdoor
The following ports are opened:

   • %PROGRAM FILES%\Internet Explorer\iexplore.exe on TCP port 9125 in order to provide backdoor capabilities.
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe on a random TCP port


Contact server:
One of the following:
   • **********.ru/img/logger.php
   • **********.ru/content/img/socks/bot/cmd.txt

As a result it may send information and remote control could be provided. This is done via an HTTP GET request to a PHP script.


Sends information about:
   • Created logfiles
   • Information about the network

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • WebMoney
   • Far Manager
   • Total Commander
   • The Bat

– A logging routine is started after a website is visited whose URL contains one of the following substrings:
   • "Storm"; "e-metal"; "Money"; "money"; "WM Keeper"; "Keeper";
      "Fethard"; "fethard"; "bull"; "Bull"; "mull"; "PayPal"; "Bank";
      "bank"; "cash"; "anz"; "ANZ"; "shop"; "Shop"; "..."; "ebay"; "invest";
      "casino"; "bookmak"; "pay"; "member"; "fund"; "Invest"; "Casino";
      "Bookmak"; "Pay"; "Member"; "Fund"; "bet"; "Bet"; "bill"; "Bill";
      "login"; "Login"

– It captures:
   • Keystrokes
   • Window information
   • Login information

Injection
– It injects the following file into a process: %WINDIR%\dvpd.dll

   Process name:
   • iexplore.exe


File details
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Oliver Auerbach on Tuesday, August 23, 2005
Description updated by Oliver Auerbach on Tuesday, January 17, 2006
