In the wild:
Method of propagation:
• No own spreading routine
Aliases:
• McAfee: W32/Dumaru.gen@MM
• Kaspersky: Backdoor.Win32.Dumador.fh
• Bitdefender: Backdoor.Dumaru.G
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Downloads a file
• Drops files
• Drops a malicious file
• Lowers security settings
• Registry modification
• Steals information
• Third party control
It copies itself to the following location:
The following files are created:
– A temporary file that might be deleted afterwards:
This is a non-malicious text file with the following content:
\dvpd.dll Further investigation showed that this file is malware as well. Detected as: BDS/Dumador.EO.2
\prntc.logc Used to store the clipboard text.
:\windows\netdx.dat Contains a unique ID of the infected computer.
It tries to download a file:
The location is the following:
It is saved on the local hard drive under:
The following registry key is added in order to run the process after reboot:
• "load32" = "
The following registry keys are added:
• "AutoSuggest" = "yes"
• "Append Completion" = "yes"
• "SocksPort" =
• "AllowWindowReuse" = dword:00000000
The following registry key is changed:
• "Start" =
%user defined settings%
• "Start" = dword:00000003
The hosts file is modified as follows:
Access to the following domains is effectively blocked:
• www.trendmicro.com; trendmicro.com; rads.mcafee.com;
customer.symantec.com; liveupdate.symantec.com; us.mcafee.com;
updates.symantec.com; update.symantec.com; www.nai.com; nai.com;
secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
www.my-etrust.com; my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
networkassociates.com; www.networkassociates.com; avp.com;
www.kaspersky.com; www.avp.com; kaspersky.com; www.f-secure.com;
f-secure.com; viruslist.com; www.viruslist.com;
liveupdate.symantecliveupdate.com; mcafee.com; www.mcafee.com;
sophos.com; www.sophos.com; symantec.com;
securityresponse.symantec.com; us.mcafee.com/root/; www.symantec.com
The modified hosts file will look like this:
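As an added example (not part of the Avira description), the following Python check parses a hosts file and flags any entry that pins a host under one of the security-vendor domains listed above to an address, which is the mechanism behind the blocking described. It generalizes to every subdomain of those vendors rather than only the hosts named; the sample hosts content is constructed.

```python
from typing import Dict, List

# Registrable domains that cover every host in the blocked list above
# (liveupdate.symantec.com, for instance, is matched through symantec.com).
VENDOR_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com", "my-etrust.com",
    "ca.com", "networkassociates.com", "avp.com", "kaspersky.com",
    "f-secure.com", "viruslist.com", "symantecliveupdate.com", "sophos.com",
)

def parse_hosts(text: str) -> List[Dict[str, object]]:
    """One record per (address, hostname) pair; comments and blanks skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        for host in fields[1:]:                  # one address, many names
            records.append({"line": lineno, "address": fields[0],
                            "host": host.lower().rstrip(".")})
    return records

def is_vendor_host(host: str) -> bool:
    """True if host is a vendor domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_vendor_redirects(text: str) -> List[Dict[str, object]]:
    """Flag entries that pin a vendor host to any address at all: besides the
    loopback redirect described above, a redirect to a foreign address would
    hand update traffic to a third party, so neither belongs in a clean file."""
    return [r for r in parse_hosts(text) if is_vendor_host(r["host"])]

# Constructed sample resembling the modification described on this page;
# the internal entry on the last line is benign and must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       www.kaspersky.com   # comment after the entry
127.0.0.1       rads.mcafee.com
10.0.0.5        intranet.example.com
"""

if __name__ == "__main__":
    for hit in find_vendor_redirects(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']}")
```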
The following ports are opened:
iexplore.exe on TCP port 9125 in order to provide backdoor capabilities.
iexplore.exe on TCP port 11111 in order to provide backdoor capabilities.
iexplore.exe on a random TCP port in order to provide a SOCKS 4 proxy server.
All of the following:
As a result it may send information and provide remote control. This is done via HTTP GET and POST requests to a PHP script.
Sends information about:
Current malware status
Collected information described in stealing section
Remote control capabilities:
Open remote shell
It tries to steal the following information:
Recorded passwords used by the AutoComplete function
Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
Passwords from the following programs:
• The Bat
• Total Commander
• Microsoft Outlook
A logging routine is started after a website of the following kind is visited:
%any website that contains a login form%
– It injects the following file into a process: dvpd.dll
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
Description inserted by Daniel Constantin on Thursday, January 5, 2006
Description updated by Andrei Gherman on Monday, January 30, 2006