Contacto
Sobre Avira
Prensa
Beta test
Language:
Español
English
Deutsch
Français
Español
Italiano
Português
Русский
Particulares
Avira Antivirus Premium
Avira Internet Security
Empresas
Cliente/Servidor
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
PYMES
Servicios gestionados
Puerta de enlace
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integración
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Crear marca y combinar
Servicios de integración
Descuento Educativo
Soporte
Particulares
Información general
Últimas noticias
Tutoriales en vídeo
Base de datos
Empresas
Información general
Últimas noticias
Base de datos
Laboratorio de virus
Descripciones de virus
Estadísticas
Historial de VDF
Glosario de virus
Virus "In the Wild"
Enviar archivo sospechoso
Descarga
Descarga de productos
Documentación técnica
Ciclo de vida de los productos
Actualización VDF
Socios
Busque un socio
Registrarse como socio Avira
Afiliados
Free
Descargar
Búsqueda
Resumen
Descripción completa
Estadísticas
Alias:
Backdoor.Dumador.e, PWS-Narod, IRC Trojan
Type:
Worm
Size:
~ 33 KB
Origin:
Date:
00-00-0000
Damage:
Sent by email.
VDF Version:
Danger:
Low
Distribution:
Low
Distribution
It collects email adresses from files of type: .htm, .wab, .html, .dbx, .tbb and .abd. It uses its own SMTP engine to spread by email. The email has the following structure:
From: "Microsoft" %security@microsoft.com%
Subject: Use this patch immediately !
Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: Patch.exe
Technical Details
When activated, Worm/Dumaru.B3 copies itself as:
%WinDir%\Dllreg.exe
%SystemDIR%\Load32.exe
%SystemDIR%\Vxdmgr32.exe
%Startup%\Rundllw.exe
It creates %WinDIR%\Windrive.exe (12,288 Bytes), which is an IRC Trojan. The worm connects to a predefined IRC server, for receiving on a special port its author's instructions.
The worm creates %WinDIR%\Winload.log, for saving the collected addresses.
It makes the following autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32"="%WinDIR%\load32.exe"
It also changes the following registries:
HKEY_LOCAL_MACHINE\SOFTWARE\SARS "kwmfound" HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\Windows "Run"="C:\%WinDIR%\Dllreg.exe"
Then it enters the following registry keys:
HKEY_Local_Machine\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon "Shell" = "C:\%WinDIR%\Dllreg.exe"
"Shell" = "C:\%SystemDIR%\Load32.exe"
"Shell" = "C:\%SystemDIR%\Vxdmgr32.exe"
"Shell" = "C:\%Startupdir%\Rundllw.exe"
It changes the [windows] section of win.ini file into:
[windows]run=%WinDIR%\dllreg.exe
and the [boot] section, into:
[boot]shell=explorer.exe %System%\vxdmgr32.exe
The worm tries to infect all .exe files on drives C: to Z:.
It listens on TCP port 10000 for further instructions:
mkd: "Create a directory on the infected machine"
rmd: "Remove directory on the infected machine"
port: "Change the port to the port specified"
and on TCP port 1001 for:
!exec: "Execute program on the infected machine"
!cdopen: "Open the CD-ROM on the infected machine"
!sndplay: "Play a sound on the infected machine"
It tries to collect all clipboard information into %WinDIR%\Rundllx.sys. Then, it looks for .kwm files, saves their contents in %Windir%\Rundlln.sys and sends email format files containing the stolen information to a certain FTP server.
The worm terminates the following processes:
Agentsvr.exe
Ants.exe
Aplica32.exe
Apvxdwin.exe
Atcon.exe
Atupdater.exe
Atwatch.exe
Avsynmgr.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Defwatch.exe
Drwatson.exe
Fast.exe
Frw.exe
Guard.exe
Iamapp.exe
Iamserv.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Lockdown.exe
Lockdown2000.exe
Luall.exe
Lucomserver.exe
Mcagent.exe
Mcupdate.exe
Mgui.exe
Minilog.exe
Moolive.exe
Msconfig.exe
Mssmmc32.exe
Ndd32.exe
Netstat.exe
Nisserv.exe
Nisum.exe
Nmain.exe
Nprotect.exe
Nsched32.exe
Nvarch16.exe
Pavproxy.exe
Pcciomon.exe
Pcfwallicon.exe
Persfw.exe
Poproxy.exe
Pview95.exe
Regedit.exe
Rtvscn95.exe
Safeweb.exe
Sphinx.exe
Spyxx.exe
Ss3edit.exe
Sysedit.exe
Taumon.exe
Tc.exe
Tca.exe
Tcm.exe
Tds2-98.exe
Tds2-nt.exe
Tds-3.exe
Update.exe
Vpc42.exe
Vptray.exe
Vsecomr.exe
Vshwin32.exe
Vsmain.exe
Vsmon.exe
Vsstat.exe
Watchdog.exe
Webscanx.exe
Wgfe95.exe
Wradmin.exe
Wrctrl.exe
Wrctrl.exe
Zapro.exe
Zatutor.exe
Zauinst.exe
Zonealarm.exe
Descripción insertada por Crony Walker el martes 15 de junio de 2004
Volver
.
.
.
.
