Virus: BDS/Dumador.FH
Date discovered: 03/01/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 32.256 Bytes
MD5 checksum: 9dfe1214b9c871893ba6cdf998e686be
VDF version: 6.33.00.93

General Method of propagation:
   • No own spreading routine


Aliases:
   • McAfee: W32/Dumaru.gen@MM
   • Kaspersky: Backdoor.Win32.Dumador.fh
   • Bitdefender: Backdoor.Dumaru.G


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops files
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\winldra.exe



The following files are created:

– A file for temporary use that may be deleted afterwards:
   • %WINDIR%\sendlogs_dat
   This is a non-malicious text file with the following content:
   • %stolen information%

– %WINDIR%\dvpd.dll
   Further investigation showed that this file is malware, too. Detected as: BDS/Dumador.EO.2

– %WINDIR%\prntc.logc
   Used to store the clipboard text.

– %TEMPDIR%\fe43e701.htm

– :\windows\netdx.dat
   Contains a unique ID of the infected computer.



It tries to download a file:

– The location is the following:
   • http://abramovich.biz/stat/socks/bot/**********
It is saved on the local hard drive under: %WINDIR%\cmdid.dat

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "load32" = "%SYSDIR%\winldra.exe"



The following registry keys are added:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
   • "AutoSuggest" = "yes"
   • "Append Completion" = "yes"

– [HKCU\Software\SARS]
   • "SocksPort" = %opened port%
   • "mailsended" = "1"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "AllowWindowReuse" = dword:00000000



The following registry key is changed:

– [HKLM\System\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start" = %user defined settings%
   New value:
   • "Start" = dword:00000003

Hosts:
The hosts file is modified as follows:

– Access to the following domains is effectively blocked:
   • www.trendmicro.com; trendmicro.com; rads.mcafee.com;
      customer.symantec.com; liveupdate.symantec.com; us.mcafee.com;
      updates.symantec.com; update.symantec.com; www.nai.com; nai.com;
      secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
      www.my-etrust.com; my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
      networkassociates.com; www.networkassociates.com; avp.com;
      www.kaspersky.com; www.avp.com; kaspersky.com; www.f-secure.com;
      f-secure.com; viruslist.com; www.viruslist.com;
      liveupdate.symantecliveupdate.com; mcafee.com; www.mcafee.com;
      sophos.com; www.sophos.com; symantec.com;
      securityresponse.symantec.com; us.mcafee.com/root/; www.symantec.com
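A hosts-file check for this behaviour, written here as an added example (it is not Avira's code or part of the original description): it parses a hosts file the way the resolver reads it and reports any entry that remaps one of the vendor domains listed above. The sample hosts content in the block is constructed for the self-test; the loopback and 0.0.0.0 addresses in it are an assumption about how such entries usually look, since the description only states that access is blocked.

```python
# Vendor domains the description lists as blocked via the hosts file.
# "us.mcafee.com/root/" on the page is a URL path; only its host is used.
BLOCKED_DOMAINS = {
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com",
    "customer.symantec.com", "liveupdate.symantec.com", "us.mcafee.com",
    "updates.symantec.com", "update.symantec.com", "www.nai.com", "nai.com",
    "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "mast.mcafee.com", "ca.com", "www.ca.com",
    "networkassociates.com", "www.networkassociates.com", "avp.com",
    "www.kaspersky.com", "www.avp.com", "kaspersky.com", "www.f-secure.com",
    "f-secure.com", "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com",
    "securityresponse.symantec.com", "www.symantec.com",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file.
    Handles full-line and inline comments, tabs and several names per line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address = fields[0]
        for name in fields[1:]:
            yield line_no, address, name.lower().rstrip(".")

def find_hijacked_av_domains(text):
    """Return the entries that remap a vendor domain from the description.
    A clean hosts file normally contains none of these names at all."""
    return [(n, addr, host) for n, addr, host in parse_hosts(text)
            if host in BLOCKED_DOMAINS]

# Constructed sample hosts file for the self-test (not taken from the page).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.symantec.com symantec.com   # appended by malware
127.0.0.1\tliveupdate.symantec.com
0.0.0.0     rads.mcafee.com
192.168.1.10    intranet.example   # legitimate internal entry
"""

if __name__ == "__main__":
    for line_no, addr, host in find_hijacked_av_domains(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On a live system, pass the contents of %SYSDIR%\drivers\etc\hosts to find_hijacked_av_domains; any hit is worth inspecting, since the description says these domains are blocked to keep security software from updating.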




The modified host file will look like this:


Backdoor:
The following ports are opened:

– iexplore.exe on TCP port 9125 in order to provide backdoor capabilities.
– iexplore.exe on TCP port 11111 in order to provide backdoor capabilities.
– iexplore.exe on a random TCP port in order to provide a Socks 4 proxy server.


Contact server:
All of the following:
   • http://abramovich.biz/stat/**********
   • http://abramovich.biz/stat/socks/bot/**********

As a result, it may send information and remote control may be provided. This is done via HTTP GET and POST requests to a PHP script.


Sends information about:
    • Capture screen
    • Created logfiles
    • Current malware status
    • Opened port
    • Platform ID
    • Collected information described in stealing section


Remote control capabilities:
    • Download file
    • Execute file
    • Open remote shell
    • Start keylog
    • Upload file

Stealing:
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • The Bat
   • Far
   • Total Commander
   • Webmoney
   • Microsoft Outlook

– A logging routine is started after a website is visited:
   • %any website that contains a login form%
   It records:
   • Keystrokes
   • Window information
   • Login information

Injection:
It injects the following file into a process: dvpd.dll

   Process name:
   • iexplore.exe


File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Constantin on Thursday, January 5, 2006
Description updated by Andrei Gherman on Monday, January 30, 2006
