Alias: W32.Dumaru.AH@mm, W32/Mimail.u@MM
Type: Worm
Size: 40,960 bytes, 28,020 bytes
Origin: unknown
Date: 02-11-2004
Damage: Sends itself by email, backdoor functions, keylogger functions
VDF Version: 6.23.00.65
Danger: Low
Distribution: Medium
General Description
Worm/Dumaru.AV is a polymorphic mass mailer which also has a backdoor and a key-logging component. It uses its own SMTP engine to send the emails and arrives as a 28,020 byte file.
Symptoms
* When executed, Internet Explorer will be launched with a picture displayed.
Distribution
* Sends emails using its own SMTP engine
Technical Details
If Worm/Dumaru.AV is executed, it will create the file NLOAD.EXE in the root of disk drive C: and execute it. The file NLOAD.EXE has a size of 28,020 bytes and is packed with FSG.
It will create the file C:\%WinDIR%\Temp\photo.jpg which will be displayed in Internet Explorer.
It copies itself as:
* \%WinDIR%\%SystemDIR%\1111a.exe
* \%WinDIR%\%SystemDIR%\1111c.exe
May copy itself to the startup folder as:
* 1111b.exe
The following registry entries will be created by the worm:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\1111a.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\%WinDir%\\%SystemDIR%\\1111c.exe"
Original entry:
"Shell"="explorer.exe"
The SYSTEM.INI is modified with the following entry:
* Original entry:
shell=explorer.exe
* Modified entry:
shell=explorer.exe %SystemDIR%\1111c.exe
Worm/Dumaru.AV will download the file 1.EXE from the internet and execute it. It will create the following files:
* \%WinDIR%\%SystemDIR%\Objmocgo.exe
* \%WinDIR%\%SystemDIR%\Dlkjomjg.dll
and the following entries in the registry:
* [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NotifyDownloadComplete"="yes"
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
Worm/Dumaru.AV collects email addresses from files with the following extensions and stores them in the file 1111MAIL.LOG in the Windows installation folder:
* htm
* wab
* html
* dbx
* tbb
* abd
The worm creates the file %WinDIR%\Temp\Zip.tmp and sends it with its own smtp engine to all email addresses found.
Emails generated by Worm/Dumaru.AC have the following name for the attached file:
* myphoto.jpg<%56 spaces%>.exe.
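The attachment name above is a padded double extension: the mail client shows "myphoto.jpg", the whitespace pushes the real extension out of view, and Windows runs the file as an .exe. The following is an added example (not part of this description) of the check a mail gateway or mailbox scanner can apply to attachment names; the list of executable extensions is an assumption made for the example and should follow local policy.

```python
import os
from typing import Dict, List

# Extensions Windows treats as executable. Assumed list for this example; extend as needed.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def classify_attachment(name: str) -> Dict[str, object]:
    """Split an attachment name into what the user sees and what Windows would execute."""
    base, real_ext = os.path.splitext(name)      # last extension is the one Windows honours
    real_ext = real_ext.strip().lower()
    shown = base.rstrip()                         # visible part, without the padding
    padding = len(base) - len(shown)              # number of whitespace characters hidden inside
    shown_ext = os.path.splitext(shown)[1].lower()
    is_exec = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "shown": shown,
        "shown_extension": shown_ext,
        "real_extension": real_ext,
        "padding": padding,
        "executable": is_exec,
        # the Dumaru trick: harmless-looking extension, whitespace run, then an executable one
        "padded": is_exec and padding > 0,
        # plain double extension without padding, e.g. photo.jpg.exe
        "double_extension": is_exec and padding == 0 and shown_ext != ""
        and shown_ext not in EXECUTABLE_EXTENSIONS,
    }


def should_quarantine(name: str) -> bool:
    """True when the name disguises an executable behind another extension."""
    c = classify_attachment(name)
    return bool(c["padded"] or c["double_extension"])


def scan_attachment_names(names: List[str]) -> List[str]:
    """Return the subset of names that a filter should hold back."""
    return [n for n in names if should_quarantine(n)]


# Constructed sample names: the worm's own pattern plus benign and borderline cases.
SAMPLE_NAMES = [
    "myphoto.jpg" + " " * 56 + ".exe",   # the pattern described above
    "invoice.pdf.scr",                    # no padding, still a double extension
    "holiday.jpg",                        # plain image
    "setup.exe",                          # executable, but not disguised (policy decision)
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        c = classify_attachment(n)
        print(f"{c['shown']!r:28} real={c['real_extension']!r:6} padding={c['padding']:3} "
              f"quarantine={should_quarantine(n)}")
```

The padding count is worth logging on its own: a legitimate file name never contains dozens of consecutive spaces before its extension, so even a single hit is a strong signal rather than a statistical one.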
The backdoor component of the worm listens on TCP ports 10000 and 2283 for instructions. An attacker can connect to the infected computer through these two ports and take complete control of it.
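The persistence entries, dropped files and listening ports listed above are enough to triage a host without a signature. The following added example (not part of this description) checks those indicators against a regedit export, the SYSTEM.INI text and netstat output, all supplied as text so the same logic can run on a live host or on files collected from it. The sample inputs are constructed for the example; the IE FormSuggest values are legitimate settings the worm merely switches on, so they are reported only as a weak indicator.

```python
import re
from typing import Dict, List

# Locations and names taken from the description above. Registry paths are compared
# case-insensitively because the registry itself is.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower()
DROPPED_FILES = {"1111a.exe", "1111b.exe", "1111c.exe", "nload.exe", "objmocgo.exe", "dlkjomjg.dll"}
BACKDOOR_PORTS = {2283, 10000}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
_LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="value" layout of a regedit export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            # regedit doubles backslashes inside string values; undo that
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if name.lower() == "load32" or any(f in value.lower() for f in DROPPED_FILES):
            findings.append(f"Run value {name!r} starts {value}")
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}; expected 'explorer.exe'")
    ie = keys.get(IE_MAIN_KEY, {})
    if any(ie.get(n, "").lower() == "yes" for n in ("FormSuggest Passwords", "FormSuggest PW Ask")):
        findings.append("IE password auto-complete forced on (weak indicator on its own)")
    return findings


def check_system_ini(text: str) -> List[str]:
    """Flag a shell= line that starts anything besides explorer.exe."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell" and value.strip().lower() != "explorer.exe":
            findings.append(f"SYSTEM.INI shell line is {line.strip()!r}")
    return findings


def check_listeners(netstat_text: str) -> List[int]:
    """Return backdoor ports found in LISTENING state in `netstat -an` output."""
    found = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_LINE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)


def triage(reg_export: str, system_ini: str, netstat_text: str) -> Dict[str, list]:
    return {
        "registry": check_registry(parse_reg_export(reg_export)),
        "system_ini": check_system_ini(system_ini),
        "backdoor_ports": check_listeners(netstat_text),
    }


# Constructed sample data mirroring the entries described above.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\System32\\1111a.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\1111c.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
'''
SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\System32\1111c.exe
[386Enh]
device=*vshare
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1059       203.0.113.7:25         ESTABLISHED
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_INI, SAMPLE_NETSTAT).items():
        print(section, hits)
```

On a live Windows 2000/XP host the three inputs come from `reg export` of the keys above, the SYSTEM.INI file in the Windows folder, and `netstat -an`; the Winlogon Shell and SYSTEM.INI checks are generic and also catch other malware that hijacks the shell line.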
Information about passwords and clipboard content is logged in the files 1111B.LOG and 1111C.LOG.
Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* \%WinDIR%\%SystemDIR%\1111a.exe
* \%WinDIR%\%SystemDIR%\1111c.exe
* \%AutostartDIR%\1111b.exe
* \%WinDIR%\%SystemDIR%\Objmocgo.exe
* \%WinDIR%\%SystemDIR%\Dlkjomjg.dll
* \nload.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NotifyDownloadComplete"="yes"
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\1111a.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\1111c.exe"
must be changed to:
"Shell"="explorer.exe"
The following entry in the file SYSTEM.INI in the Windows installation folder must be changed from:
* shell=explorer.exe %SystemDIR%\1111c.exe
to:
* shell=explorer.exe
Restart your computer.
- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* \%WinDIR%\%SystemDIR%\1111a.exe
* \%WinDIR%\%SystemDIR%\1111c.exe
* \%AutostartDIR%\1111b.exe
* \%WinDIR%\%SystemDIR%\Objmocgo.exe
* \%WinDIR%\%SystemDIR%\Dlkjomjg.dll
* \nload.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NotifyDownloadComplete"="yes"
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\1111a.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\1111c.exe"
must be changed to:
"Shell"="explorer.exe"
The following entry in the file SYSTEM.INI in the Windows installation folder must be changed from:
* shell=explorer.exe %SystemDIR%\1111c.exe
to:
* shell=explorer.exe
Restart your computer.
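The two removal procedures above share the same error-prone step: the Winlogon Shell value and the SYSTEM.INI shell line must be restored to exactly "explorer.exe", not deleted and not left with the appended path. The following is an added example (not part of this description) in Python that computes the corrected values, lists the files and registry values to remove for a given Windows layout, and, on Windows only, applies the registry part with winreg. The directory arguments are assumptions passed by the caller (System32 on 2000/XP, System on 9x/Me); the sample SYSTEM.INI is constructed.

```python
import ntpath
from typing import List, Tuple

try:
    import winreg  # present only on Windows; the planning functions work anywhere
except ImportError:
    winreg = None

# Entries named in the removal instructions above.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN_SUBKEY = r"Software\Microsoft\Internet Explorer\Main"
IE_VALUES = ["NotifyDownloadComplete", "FormSuggest Passwords", "FormSuggest PW Ask"]
SYSTEM_FILES = ["1111a.exe", "1111c.exe", "Objmocgo.exe", "Dlkjomjg.dll"]


def clean_shell_value(value: str) -> str:
    """Drop anything appended after explorer.exe; leave a value that is not explorer-based alone."""
    parts = value.strip().split(None, 1)
    if parts and parts[0].lower() == "explorer.exe":
        return "explorer.exe"
    return value


def clean_system_ini(text: str) -> Tuple[str, bool]:
    """Rewrite only the shell= line of the [boot] section; return (new_text, changed)."""
    out, changed, section = [], False, None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot":
            key, sep, val = line.partition("=")
            if sep and key.strip().lower() == "shell":
                fixed = clean_shell_value(val)
                if fixed != val.strip():
                    eol = "\r\n" if line.endswith("\r\n") else ("\n" if line.endswith("\n") else "")
                    line = f"{key}{sep}{fixed}{eol}"
                    changed = True
        out.append(line)
    return "".join(out), changed


def dropped_file_paths(system_dir: str, startup_dir: str, drive_root: str = "C:\\") -> List[str]:
    """Full paths of the files the instructions say to delete (ntpath so it also runs off-Windows)."""
    paths = [ntpath.join(system_dir, f) for f in SYSTEM_FILES]
    paths.append(ntpath.join(startup_dir, "1111b.exe"))
    paths.append(ntpath.join(drive_root, "nload.exe"))
    return paths


def registry_actions() -> List[str]:
    """Human-readable plan of the registry changes, with no side effects."""
    acts = [f"delete HKLM\\{RUN_SUBKEY}\\load32"]
    acts += [f"delete HKCU\\{IE_MAIN_SUBKEY}\\{v}" for v in IE_VALUES]
    acts.append(f"set HKLM\\{WINLOGON_SUBKEY}\\Shell = explorer.exe")
    return acts


def apply_registry_cleanup() -> None:
    """Windows only (run from Safe Mode as administrator): perform registry_actions() with winreg."""
    if winreg is None:
        raise RuntimeError("winreg unavailable; run this on the infected Windows host")
    for hive, subkey, names in ((winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, ["load32"]),
                                (winreg.HKEY_CURRENT_USER, IE_MAIN_SUBKEY, IE_VALUES)):
        with winreg.OpenKey(hive, subkey, 0, winreg.KEY_SET_VALUE) as key:
            for name in names:
                try:
                    winreg.DeleteValue(key, name)
                except FileNotFoundError:
                    pass  # already gone
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        current, _ = winreg.QueryValueEx(key, "Shell")
        winreg.SetValueEx(key, "Shell", 0, winreg.REG_SZ, clean_shell_value(current))


# Constructed sample: infected [boot] section plus an unrelated shell= line that must stay.
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe %SystemDIR%\\1111c.exe\ndrivers=mmsystem.dll\n[386Enh]\nshell=unrelated\n"

if __name__ == "__main__":
    print(clean_system_ini(INFECTED_SYSTEM_INI)[0])
    print(*dropped_file_paths(r"C:\WINDOWS\System32",
                              r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"), sep="\n")
    print(*registry_actions(), sep="\n")
```

Run the planning functions first and compare their output with the lists above; only then, in Safe Mode, delete the files and call apply_registry_cleanup(). Rewriting SYSTEM.INI through clean_system_ini keeps every other line byte-for-byte, which matters on 9x/Me where the file still drives boot.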
Description inserted by Crony Walker on Tuesday, 15 June 2004