Alias: I-Worm.Dumaru.c, PWS-Narod, IRC Trojan
Size: 34,304 Bytes
Damage: Sent by email.
VDF Version:  

Distribution
It collects email addresses from files of type .htm, .wab, .html, .dbx, .tbb and .abd. It uses its own SMTP engine to spread by email. The email has the following structure:

From: "Microsoft" %security@microsoft.com%
Subject: Use this patch immediately !
Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: Patch.exe
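As an added example (not part of the original description), the following Python filter flags mail matching the lure above on the three markers the description gives: a sender spoofing security@microsoft.com, the "Use this patch immediately !" subject, and an executable attachment. The message is constructed here to mirror the described structure; the extension list beyond .exe is an assumption added for coverage, as is the rule that an executable attachment plus either social-engineering marker counts as a hit.

```python
"""Flag messages matching the Worm/Dumaru.K lure described above.

Added example, not code from the original description. SAMPLE_EML is a
constructed message modelled on the described structure; nothing is sent
or fetched, and the attachment body is a short stub, not a real binary.
"""
import email
from email import policy

# Indicators taken from the description.
SPOOFED_SENDER = "security@microsoft.com"
LURE_SUBJECT = "use this patch immediately"
# Assumption: treat the usual Windows executable extensions as equivalent
# to the single .exe the description names.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample message (headers and layout copied from the description).
SAMPLE_EML = """\
From: "Microsoft" <security@microsoft.com>
To: victim@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
--XYZ
Content-Type: application/octet-stream; name="Patch.exe"
Content-Disposition: attachment; filename="Patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""


def lure_indicators(raw: str) -> dict:
    """Return which of the described lure markers a raw RFC 822 message carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    # iter_attachments() only yields parts with Content-Disposition: attachment,
    # so inline text bodies are never mistaken for a payload.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    exe_attachments = [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    return {
        "spoofed_microsoft_sender": SPOOFED_SENDER in sender,
        "lure_subject": LURE_SUBJECT in subject,
        "executable_attachments": exe_attachments,
    }


def is_dumaru_lure(raw: str) -> bool:
    """Executable attachment plus at least one social-engineering marker (assumed rule)."""
    ind = lure_indicators(raw)
    return bool(ind["executable_attachments"]) and (
        ind["spoofed_microsoft_sender"] or ind["lure_subject"]
    )


if __name__ == "__main__":
    print(lure_indicators(SAMPLE_EML))
    print("lure:", is_dumaru_lure(SAMPLE_EML))
```

Microsoft does not distribute patches as email attachments, so on a mail gateway the sender check alone is a strong signal; the subject match is kept as a second, independent marker so a re-spun lure with a different From line is still caught when it carries the same text.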

Technical Details
When activated, Worm/Dumaru.K copies itself as:

It creates %WinDIR%\Windrive.exe (8,192 Bytes), an IRC Trojan that connects to a predefined IRC server on a fixed port and waits there for its author's commands.

The worm creates %WinDIR%\Winload.log for saving the collected addresses.
It makes the following autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32"="%WinDIR%\load32.exe"

It also changes the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Run"="C:\%WinDIR%\dllreg.exe"

It changes the [windows] section of win.ini into:
and the [boot] section into:
[boot]
shell=explorer.exe %System%\vxdmgr32.exe

The worm tries to infect all .exe files on drives C: to Z:.
It listens on TCP port 10000 for the following commands:
mkd: "Create a directory on the infected machine"
rmd: "Remove directory on the infected machine"
port: "Change the port to the port specified"
and on TCP port 1001 for:
!exec: "Execute program on the infected machine"
!cdopen: "Open the CD-ROM on the infected machine"
!sndplay: "Play a sound on the infected machine"

It tries to collect all clipboard contents into %WinDIR%\Rundllx.sys.
The file %WinDIR%\Guid32.dll is used for entries into %WinDIR%\Vxdload.log.
Then it looks for .kwm files (WebMoney key files), saves their contents in %WinDIR%\Rundlln.sys, and uploads email-formatted files containing the stolen information to a certain FTP server.
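As an added example (not part of the original description), the following Python script checks the host-side indicators listed above: the Run values under the two autostart registry keys, the chain-loaded shell= line in the [boot] section of win.ini, and TCP listeners on ports 10000 and 1001. The win.ini text, .reg export and netstat listing are constructed samples written to match the description; on a real host you would feed it %WinDIR%\win.ini, the output of `reg export`, and the output of `netstat -an` instead. The file names checked are the ones the description names; nothing else is assumed about the worm.

```python
"""Check host artifacts for the Worm/Dumaru.K indicators listed above.

Added example; not code from the original description. SAMPLE_WIN_INI,
SAMPLE_REG and SAMPLE_NETSTAT are constructed to mirror the description.
"""
import re

# Indicators taken from the description. Matching is case-insensitive.
AUTOSTART_FILES = ("load32.exe", "dllreg.exe", "vxdmgr32.exe")
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows nt\currentversion\windows",
)
BACKDOOR_PORTS = {10000, 1001}

# Constructed samples (not captured from a real host).
SAMPLE_WIN_INI = """\
[windows]
load=
run=
[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM32\\vxdmgr32.exe
"""

SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"
"load32"="C:\\\\WINDOWS\\\\load32.exe"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"Run"="C:\\\\WINDOWS\\\\dllreg.exe"
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       198.51.100.7:6667      ESTABLISHED
"""


def check_win_ini(text):
    """Flag a [boot] shell= line that chain-loads anything after explorer.exe."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or section != "boot" or key.strip().lower() != "shell":
            continue
        extra = value.split()[1:]  # everything after the legitimate explorer.exe
        if extra:
            findings.append("win.ini [boot] shell chain-loads: " + " ".join(extra))
    return findings


def check_reg_export(text):
    """Flag values under the two autostart keys that point at the worm's file names."""
    findings, key_path = [], ""
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key_path = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or not any(key_path.endswith(k) for k in RUN_KEYS):
            continue
        # .reg exports escape backslashes as \\ ; undo that before comparing.
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if any(value.lower().endswith(f) for f in AUTOSTART_FILES):
            findings.append(f"registry {key_path} {name}={value}")
    return findings


def check_netstat(text):
    """Flag TCP listeners on the backdoor ports named in the description."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])  # also handles [::]:port
        if port in BACKDOOR_PORTS:
            findings.append(f"TCP listener on backdoor port {port}")
    return findings


def scan(win_ini, reg_export, netstat):
    """Run all three checks and return the combined list of findings."""
    return check_win_ini(win_ini) + check_reg_export(reg_export) + check_netstat(netstat)


if __name__ == "__main__":
    for finding in scan(SAMPLE_WIN_INI, SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```

The win.ini check deliberately flags any value after explorer.exe rather than only vxdmgr32.exe: the shell= chain-load is a generic persistence trick, and a variant renaming its dropper would otherwise slip past a name-only match.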
Description added by Crony Walker on Tuesday, June 15, 2004
