Details
I-Worm.Dumaru.j
This worm is part of the Dumaru family, which spreads via the Internet as files attached to infected messages. The worm includes a backdoor function and a Trojan program which enables it to steal information. The worm is a Windows PE EXE file, compressed using FSG. The compressed file is approximately 17KB in size, and the decompressed file approximately 43 KB in size.
Installation
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register as a key to enable autorun:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32 = %windir%\%system%\l32x.exe
On computers running under Windows 95,98 and ME, the worm changes a section in the system.ini file
[boot]
shell=explorer.exe %System%\vxd32v.exe
Mailing of messages
The worm searches all directories on accessible local disks for files with the extensions: .htm, .wab, .html, .dbx, .tbb, .abd, highlights lines which are email addresses and then sends infected messages to these address. To do this, the worm creates a Zip archive (zip.tmp) in the Windows temporary directory, which will then be added to messages as an attachment.
The worm also creates a file called winload.log in the Windows directory, and writes all email addresses found, to which infected messages have been sent, to this file. Infected messages have the following characteristics:

Sender’s address:
Elene F*****SUICIDE@HOTMAIL.COM
Message header:
Important information for you. Read it immediately !
Message body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
In order to send messages, the worm uses its own SMTP engine, giving the return address as address@dyandex.ru. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
Other
The worm opens port 10000 to receive commands for administration of the infected computer. The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Kaspersky Labs anti-virus databases have already been updated with protection against I-Worm.Dumaru.j.

Related Posts

This entry was posted on Thursday, November 20th, 2008 at 4:15 pm and is filed under Virus Threats.

Details
I-Worm.Dumaru.a

This family of email worms includes I-Worm.Dumaru.b, I-Worm.Dumaru.c. It spreads via the Internet in the form of a file attached to infected messages. It installs a variety of Trojan components on the infected computer.
The worm is only activated if the user launches the infected file by double-clicking on the attachment. Upon launch of the infected file the worm installs itself in the system and launches the replication procedure.
The worm is a Windows PE EXE file compressed using UPX. The size of the compressed file is approximately 9KB and the size of the decompressed file approximately 32KB.
Installation
The worm copies itself under the name load32.exe and vxdmgr32.exe to the Windows system directory and registers one file in the Auto-run key of the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32 = %windir%\%system%\load32.exe
The worm creates a copy of itself in the Windows directory with the name dllreg.exe and installs to this location the file winrdv.exe (approximately 8KB), a backdoor controlled via IRC. Kaspersky Anti-Virus detects this component as Backdoor.Dumador.c (Backdoor.Small.d). This will be used to connect to the author of the worm via IRC in order to receive commands.

Sending messages
The worm searches for *.TBB, *.ABD, *DBX, *.HTML, *.HTM, *.WAB files in all directories on all accessible local disks. It detects lines which are email addresses in these files, and sends infected messages to these addresses.
The worm also creates the file winload.log in the Windows directory and writes the email addresses which infected messages are being sent to to this file.

Infected messages have the Send address as: security@microsoft.com

Message subject:

Use this patch immediately !
Message body:
Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment:
patch.exe
In order to send messages, the worm uses a direct connection to the SMTP server, giving a return address of admin@duma.gov.ru. This means that mail scanner notification that the worm has been detected in messages will be sent to this address.

Infection of files
The worm infects executable files in the root directories of all accessible local disks from C: to Z:. To do this it uses NTFS alternate data streams, a method which was first employed by the Stream virus in 2000.

Related Posts

This entry was posted on Thursday, November 20th, 2008 at 12:15 pm and is filed under Virus Threats.