Contact
A propos d'Avira
Presse
Version bêta
Language:
Français
English
Deutsch
Français
Español
Italiano
Português
Русский
Particuliers
Avira Antivirus Premium
Avira Internet Security
Entreprises
PC/serveurs
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
PME
Services hébergés
Passerelles
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Intégration
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding et regroupement
Services d’intégration
Remise Enseignement
Support
Particuliers
Aperçu
Dernières actualités
Tutoriels vidéo
Base de connaissances
Entreprises
Aperçu
Dernières actualités
Base de connaissances
Laboratoire antivirus
Descriptions de virus
Statistiques
Historique VDF
Virus "In the Wild"
Science des virus
Soumettre le Fichier Suspect
Téléchargements
Téléchargement produits
Documentation technique
Cycle de vie des produits
Mise à jour VDF
Partenaires
Trouver un partenaire
Devenir partenaire Avira
Société affiliée
Version gratuite
Télécharger
Rechercher
Brève description
Description complète
Statistiques
Alias:
I-Worm.Dumaru.c, PWS-Narod, IRC Trojan
Type:
Worm
Size:
34,304 Bytes
Origin:
Date:
00-00-0000
Damage:
Sent by email.
VDF Version:
Danger:
Low
Distribution:
Low
Distribution
It collects email adresses from files of type: .htm, .wab, .html, .dbx, .tbb and .abd. It uses its own SMTP engine to spread by email. The email has the following structure:
From: "Microsoft" %security@microsoft.com%
Subject: Use this patch immediately !
Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: Patch.exe
Technical Details
When activated, Worm/Dumaru.K copies itself as:
%WinDir%\Dllreg.exe
%SystemDIR%\Load32.exe
%SystemDIR%\Vxdmgr32.exe
%Startup%\Rundllw.exe
It creates %WinDIR%\Windrive.exe (8,192 Bytes), which is an IRC Trojan. The worm connects to a predefined IRC server, for receiving on a special port its author's instructions.
The worm creates %WinDIR%\Winload.log, for saving the collected addresses.
It makes the following autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32"="%WinDIR%\load32.exe"
It also changes the following entry:
HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\Windows "Run"="C:\%WinDIR%\dllreg.exe"
It changes the [windows] section of win.ini file into:
[windows]run=%WinDIR%\dllreg.exe
and the [boot] section, into:
[boot]shell=explorer.exe %System%\vxdmgr32.exe
The worm tries to infect all .exe files on drives C: to Z:.
It listens on TCP port 10000 for further instructions:
mkd: "Create a directory on the infected machine"
rmd: "Remove directory on the infected machine"
port: "Change the port to the port specified"
and on TCP port 1001 for:
!exec: "Execute program on the infected machine"
!cdopen: "Open the CD-ROM on the infected machine"
!sndplay: "Play a sound on the infected machine"
It tries to collect all clipboard information into %WinDIR%\Rundllx.sys.
The file %WinDIR%\Guid32.dll is used for entries into %WinDIR%\Vxdload.log.
Then, it looks for .kwm files, saves their contents in %Windir%\Rundlln.sys and sends email format files containing the stolen information to a certain FTP server.
Description insérée par Crony Walker le mardi 15 juin 2004
Retour
.
.
.
.
