Virus: TR/Tcom.2
Date discovered: 20/07/2005
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 26.624 Bytes
MD5 checksum: 8e3cf147f6d642b4e0808cec743d856e
VDF version: 6.31.0.234

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Nibu.L
   •  McAfee: BackDoor-CCT
   •  Kaspersky: Trojan-Spy.Win32.Agent.fe
   •  TrendMicro: TROJ_DUMADOR.AV
   •  VirusBuster: Backdoor.Dumador.BM


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\windldra.exe



It deletes the following file:
   • %WINDIR%\send_logs_trigger



The following files are created:
   • %WINDIR%\netdx.dat (this file serves as a flag for an internal routine)
   • %WINDIR%\dvpd.dll
   • %WINDIR%\prntsvra.dll
   • %TEMPDIR%\fe43e701.htm (this file contains the collected keystrokes)
   • %WINDIR%\prntc.log
   • %WINDIR%\prntk.log

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\software\microsoft\windows\currentversion\run\]
   • "load32"="%SYSDIR%\winldra.exe"



The following registry keys are added:

– [HKCU\software\sars\]
   • "SocksPort"=dword:%random character string%

– [HKCU\software\microsoft\internet explorer\main\]
   • "AllowWindowReuse"=dword:00000000

Hosts
The hosts file is modified as follows:

– Already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • www.trendmicro.com; trendmicro.com; rads.mcafee.com;
      customer.symantec.com; liveupdate.symantec.com; us.mcafee.com;
      updates.symantec.com; update.symantec.com; www.nai.com; nai.com;
      secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
      www.my-etrust.com; my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
      networkassociates.com; www.networkassociates.com; avp.com;
      www.kaspersky.com; www.avp.com; kaspersky.com; www.f-secure.com;
      f-secure.com; viruslist.com; www.viruslist.com;
      liveupdate.symantecliveupdate.com; mcafee.com; www.mcafee.com;
      sophos.com; www.sophos.com; symantec.com;
      securityresponse.symantec.com; us.mcafee.com/root/; www.symantec.com




The modified host file will look like this:


Backdoor
The following ports are opened:

%executed file% on a random TCP port in order to provide a proxy server.
%executed file% on TCP port 9125 in order to provide backdoor capabilities.


Contact server:
It contacts the following server:
   • http://222.36.41.**********/system32/logger.php

As a result it may send some information. This is done via an HTTP GET request to a PHP script.


Sends information about:
    • Created logfiles
    • Information about the network
    • Platform ID

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • WebMoney
   • Far Manager
   • Total Commander
   • Outlook
   • Outlook Express

– A logging routine is started after a website is visited whose URL contains one of the following substrings:
   • "gold"; "Storm"; "e-metal"; "Money"; "money"; "WM Keeper"; "Keeper";
      "Fethard"; "fethard"; "bull"; "Bull"; "mull"; "PayPal"; "Bank";
      "bank"; "cash"; "anz"; "ANZ"; "shop"; "Shop"; "..."; "ebay"; "invest";
      "casino"; "bookmak"; "pay"; "member"; "fund"; "Invest"; "Casino";
      "Bookmak"; "Pay"; "Member"; "Fund"; "bet"; "Bet"; "bill"; "Bill";
      "login"; "Login"

– It captures:
    • Keystrokes
    • Window information
    • Browser window
    • Login information

Injection
– It injects itself into a process.

   Process name:
   • Internet Explorer

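Added example (not part of the Avira description): a defender-side check for the hosts-file modification described in the Hosts section. It parses a hosts file and reports every security-vendor domain from the list above that has been pinned to an address; the sample hosts content is constructed for the demonstration, and the "us.mcafee.com/root/" entry is omitted from the set because it is a path rather than a hostname.

```python
import re
from typing import Dict, List, Tuple

# Vendor domains that TR/Tcom.2 blocks through the hosts file (taken from the list above).
BLOCKED_DOMAINS = {
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com", "customer.symantec.com",
    "liveupdate.symantec.com", "us.mcafee.com", "updates.symantec.com", "update.symantec.com",
    "www.nai.com", "nai.com", "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "mast.mcafee.com", "ca.com", "www.ca.com",
    "networkassociates.com", "www.networkassociates.com", "avp.com", "www.kaspersky.com",
    "www.avp.com", "kaspersky.com", "www.f-secure.com", "f-secure.com", "viruslist.com",
    "www.viruslist.com", "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com", "securityresponse.symantec.com",
    "www.symantec.com",
}

# One hosts-file entry: an address followed by one or more hostnames.
HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>.+?)\s*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        for name in m.group("names").split():
            entries.append((m.group("ip"), name.lower()))
    return entries


def find_sinkholed_vendor_domains(text: str) -> Dict[str, str]:
    """Map each listed vendor domain that the hosts file redirects to the address it is pinned to."""
    return {name: ip for ip, name in parse_hosts(text) if name in BLOCKED_DOMAINS}


# Constructed sample: legitimate entries plus entries in the style of the modification above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate entry, left untouched
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com update.symantec.com
127.0.0.1       www.kaspersky.com
"""

if __name__ == "__main__":
    for name, ip in sorted(find_sinkholed_vendor_domains(SAMPLE_HOSTS).items()):
        print(f"{name} -> {ip}")
```

On a live system the same function can be run over the contents of %SYSDIR%\drivers\etc\hosts; any hit for a vendor domain is a strong indicator of this kind of tampering.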

Description inserted by Sergiu Oprea on Wednesday, August 3, 2005
Description updated by Oliver Auerbach on Tuesday, October 18, 2005
