W32/Dumaru.B@mm
Analysis
- Virus is 32bit with a compressed file size of 34,304 bytes and may infect files under NTFS
- If virus is run, it will copy itself to the local system in four places -
%Windows%\dllreg.exe
%Windows%\System\load32.exe
%Windows%\System\vxdmgr32.exe
%User%\Start Menu\Programs\Startup\rundllw.exe
-
The virus will act as an IRC bot, and will attempt to connect to an IRC server at the IP address 82.146.56.77 on TCP port 6667 and join the channel "#shogunn ball2003" - there it will await instructions from a hacker or group of hackers
-
Some of the commands supported are the following -
!exec - run a binary
!quit - disconnect
!cdopen - open CD tray
!cdclose - close CD tray
!sndplay - play audio file
!msgbox - display "THIS MACHINE IS CRACKED"
!screen - capture screen
-
The virus will scavenge the hard drive seeking email addresses from files with these extensions -
.htm
.wab
.html
.dbx
.tbb
.abd
-
The virus will create an email message in the following MIME format and send it to each address found -
From: "Microsoft" (security@microsoft.com)
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
--xxxx
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
--xxxx
Content-Type: application/download
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=patch.exe
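A mail-gateway check for this lure, written as an added example (it is not Fortinet's code or the virus's). It assumes the message is available as raw RFC 822 text; SAMPLE_LURE is a constructed reproduction of the MIME skeleton shown above with a stub base64 payload, and SAMPLE_BENIGN is a constructed control. The checks generalise slightly beyond this one sample: any executable extension or MZ header in an attachment is flagged, as is any attachment typed with the unregistered application/download media type, and a vendor-branded sender that ships an executable is called out separately (the VENDOR_DOMAINS set is an assumption for the demo).

```python
"""Flag the Dumaru.B mail lure. Added example; not Fortinet code."""
import email
import email.utils
import os
from email import policy

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Content-Type used by the lure; it is not a registered media type.
NONSTANDARD_TYPES = {"application/download"}
# Vendors that do not distribute patches as mail attachments (demo assumption).
VENDOR_DOMAINS = {"microsoft.com"}

# Constructed reproduction of the advisory's MIME layout; the base64 body is a
# stub that decodes to bytes starting with the "MZ" executable header.
SAMPLE_LURE = """\
From: "Microsoft" <security@microsoft.com>
To: user@example.invalid
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xxxx"

--xxxx
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
--xxxx
Content-Type: application/download
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=patch.exe

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--xxxx--
"""

# Constructed control message with a harmless text attachment.
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.invalid>
To: user@example.invalid
Subject: Minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="yyyy"

--yyyy
Content-Type: text/plain

See attached.
--yyyy
Content-Type: text/plain
Content-Disposition: attachment; filename=minutes.txt

Nothing to report.
--yyyy--
"""


def analyse(raw: str) -> list[str]:
    """Return the indicator codes that fire on a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    codes = []
    sender_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    vendor_sender = sender_addr.rsplit("@", 1)[-1] in VENDOR_DOMAINS
    if "patch" in str(msg.get("Subject", "")).lower():
        codes.append("patch-lure-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        if part.get_content_type() in NONSTANDARD_TYPES:
            codes.append("nonstandard-content-type")
        payload = part.get_payload(decode=True) or b""
        # Judge by the claimed name and by the real file header (MZ = DOS/PE stub).
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTS or payload.startswith(b"MZ"):
            codes.append("executable-attachment")
            if vendor_sender:
                codes.append("vendor-branded-executable")
    return codes


if __name__ == "__main__":
    print("lure:  ", analyse(SAMPLE_LURE))
    print("benign:", analyse(SAMPLE_BENIGN))
```

Decoding the payload before testing for the MZ header matters because the lure's Content-Transfer-Encoding is base64; a name-only rule is defeated by renaming the attachment, a header-only rule by a wrapper, so both are checked.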
-
The virus will modify the registry to load at next Windows startup as in these examples -
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"run" = C:\WINNT\dllreg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"load32" = C:\WINNT\System32\load32.exe
-
On Windows 2000/NT, the virus may modify the registry so that it is loaded alongside the Explorer shell at logon -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = explorer.exe C:\WINNT\System32\vxdmgr32.exe
-
On Windows 98 systems, the WIN.INI may be modified to load "vxdmgr32.exe"
-
The virus may write additional files to the infected system -
c:\WINNT\guid32.dll (4,096 bytes) - a keylogger
c:\WINNT\windrive.exe (8,192 bytes) - an IRC bot, known as "W32/Silentlog-tr"
-
The virus contains instructions to send password information to an email address at the domain "duma.gov.ru" - this domain is the origin of the virus name
-
The email will contain sensitive data and might be detailed in this format -
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="x1234"

--x1234
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

IP address:
*** Far Manager passwords ***
(password detail)
*** Far Manager passwords ends ***
*** WebMoney ID list ***
(webmoney detail)
*** WebMoney ID list ends ***
===KEYLOGGER DATA START===
(keylogger detail)
===KEYLOGGER DATA END===
===CLIPBOARD LOG===
(clipboard detail)
===CLIPBOARD LOG END===
*** Protected Storage Data ***
*** Protected Storage Data ends ***
-
The virus contains code which attempts to infect Windows 2000 files on NTFS volumes - the virus copies itself over the original file name and stores the original file in an alternate data stream named ":STR" - this technique was first used with the virus W2K/Streams
-
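Detection and repair of the ":STR" replacement, written as an added example (not Fortinet's code or a published disinfection routine). On NTFS, opening path + ":STR" addresses the alternate data stream where the original file is parked, so a file that still has a readable ":STR" stream can be restored by writing that stream's content back over the host. simulate() builds a throw-away fixture with constructed placeholder bytes; on Linux the ":STR" suffix is simply part of a file name, so the same code path runs without NTFS.

```python
"""Find and undo the ":STR" stream replacement. Added example; not Fortinet code."""
import os
import tempfile

STREAM_SUFFIX = ":STR"  # stream name the advisory reports


def has_str_stream(path: str) -> bool:
    """True if the file carries a readable ":STR" stream (NTFS) or, on other
    file systems, a sibling literally named path + ":STR" (simulation only)."""
    try:
        with open(path + STREAM_SUFFIX, "rb"):
            return True
    except OSError:
        return False


def find_replaced_files(root: str, exts=(".exe",)) -> list[str]:
    """Walk root and list files whose original content sits in a :STR stream."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                if has_str_stream(full):
                    hits.append(full)
    return hits


def restore_original(path: str) -> bool:
    """Write the :STR stream back over the infected host file; False if no stream."""
    if not has_str_stream(path):
        return False
    with open(path + STREAM_SUFFIX, "rb") as stream:
        original = stream.read()
    tmp = path + ".restored"
    with open(tmp, "wb") as out:
        out.write(original)
    os.replace(tmp, path)  # new file record: the old file and its streams are gone
    try:
        os.remove(path + STREAM_SUFFIX)  # removes the simulated stream on non-NTFS
    except OSError:
        pass  # on NTFS the stream vanished with the replaced file
    return True


def simulate() -> dict:
    """Build a fixture that mimics an infected host file, then detect and repair."""
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "host.exe")
        with open(host, "wb") as f:
            f.write(b"VIRUS-BODY")  # constructed stand-in for the virus copy
        with open(host + STREAM_SUFFIX, "wb") as f:
            f.write(b"MZ-ORIGINAL-PROGRAM")  # constructed stand-in for the original
        hits = find_replaced_files(root)
        restored = restore_original(host)
        with open(host, "rb") as f:
            content = f.read()
        return {"hits": len(hits), "restored": restored,
                "content": content, "stream_left": has_str_stream(host)}


if __name__ == "__main__":
    print(simulate())
```

Restoring via a temporary file and os.replace rather than truncating the host in place is deliberate: the replacement is atomic from the reader's point of view, and the infected file record, streams included, is discarded instead of being edited.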
The virus may seek to terminate the following applications if they are running in memory or as a service -
AGENTSVR.EXE
ANTS.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AVSYNMGR.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
DEFWATCH.EXE
DRWATSON.EXE
FAST.EXE
FRW.EXE
GUARD.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LUALL.EXE
LUCOMSERVER.EXE
MCAGENT.EXE
MCUPDATE.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MSCONFIG.EXE
MSSMMC32.EXE
NDD32.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NPROTECT.EXE
NSCHED32.EXE
NVARCH16.EXE
PAVPROXY.EXE
PCCIOMON.EXE
PCFWALLICON.EXE
PERSFW.EXE
POPROXY.EXE
PVIEW95.EXE
REGEDIT.EXE
RTVSCN95.EXE
SAFEWEB.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
SYSEDIT.EXE
TAUMON.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
UPDATE.EXE
VPC42.EXE
VPTRAY.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
WATCHDOG.EXE
WEBSCANX.EXE
WGFE95.EXE
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZATUTOR.EXE
ZAUINST.EXE
ZONEALARM.EXE
Recommended Action
-
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |