W32/Dumaru.B@mm

Analysis

  • The virus is a 32-bit Windows executable with a compressed file size of 34,304 bytes; on NTFS volumes it may also infect existing files (see below)
  • When run, the virus copies itself to four locations on the local system -

    %Windows%\dllreg.exe
    %Windows%\System\load32.exe
    %Windows%\System\vxdmgr32.exe
    %UserProfile%\Start Menu\Programs\Startup\rundllw.exe

  • The virus acts as an IRC bot: it attempts to connect over TCP port 6667 to the IRC server at 82.146.56.77 and join the channel "#shogunn ball2003" (in IRC JOIN syntax the second token is the channel key), where it awaits instructions from the attacker or group controlling the channel

  • Some of the commands supported are the following -

    !exec - run a binary
    !quit - disconnect
    !cdopen - open CD tray
    !cdclose - close CD tray
    !sndplay - play audio file
    !msgbox - display "THIS MACHINE IS CRACKED"
    !screen - capture screen

  • The virus harvests email addresses from files on the hard drive with these extensions -

    .htm
    .wab
    .html
    .dbx
    .tbb
    .abd

  • The virus will create an email message in the following MIME format and send it to each address found -

    From: "Microsoft" (security@microsoft.com)
    Subject: Use this patch immediately !
    MIME-Version: 1.0
    Content-Type: multipart/mixed;boundary="xxxx"
    --xxxx
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit

    Dear friend , use this Internet Explorer patch now!
    There are dangerous virus in the Internet now!
    More than 500.000 already infected!

    --xxxx
    Content-Type: application/download
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=patch.exe
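The lure above can be recognised from its MIME structure alone. The following Python is an added example, not code from the original analysis: it builds a message from the template above (the attachment is a two-byte "MZ" stub padded with zeros rather than the real sample, and the recipient address is made up) and classifies it. The rule is deliberately more general than the single template: an attachment is reported if it declares an executable extension, if its decoded bytes carry the PE "MZ" magic regardless of the declared type (the page's non-standard application/download), or if the sender claims a microsoft.com address, which Microsoft does not use to distribute patches by mail.

```python
"""Flag Dumaru.B-style lure messages by their MIME structure (added example)."""
import base64
from email import policy
from email.parser import BytesParser

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed stand-in for the payload: PE magic plus zero padding, not the real sample.
FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 62).decode()

# Constructed lure following the template in the analysis.
LURE = f"""\
From: "Microsoft" <security@microsoft.com>
To: victim@example.invalid
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xxxx"

--xxxx
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

--xxxx
Content-Type: application/download
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=patch.exe

{FAKE_PE}
--xxxx--
""".encode()

# Constructed benign message used as a control.
BENIGN = b"""\
From: Alice <alice@example.invalid>
To: victim@example.invalid
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain

see you at noon
"""


def classify(raw):
    """Return the list of reasons a raw RFC 822 message looks like the Dumaru lure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    sender = msg["From"]
    if sender is not None and sender.addresses:
        if sender.addresses[0].domain.lower() == "microsoft.com":
            reasons.append("sender claims microsoft.com")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() != "attachment" and not name:
            continue  # body text, not an attachment
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"executable attachment name {name!r}")
        payload = part.get_payload(decode=True) or b""  # undo the base64 transfer encoding
        if payload[:2] == b"MZ":
            reasons.append(f"attachment {name!r} is a PE file (declared {part.get_content_type()})")
        if part.get_content_type() == "application/download":
            reasons.append("non-standard application/download content type")
    return reasons


if __name__ == "__main__":
    print(classify(LURE))
    print(classify(BENIGN))
```

Checking the decoded bytes rather than the declared type is what matters: the declared `application/download` is not a registered MIME type and a variant could just as easily say `application/octet-stream` or rename the file.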

  • The virus will modify the registry to load at next Windows startup as in these examples -

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    "run" = C:\WINNT\dllreg.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "load32" = C:\WINNT\System32\load32.exe

  • On Windows NT/2000, the virus may also modify the Winlogon "Shell" value so that it is started together with Explorer -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "Shell" = explorer.exe C:\WINNT\System32\vxdmgr32.exe

  • On Windows 98 systems, the WIN.INI may be modified to load "vxdmgr32.exe"
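The three persistence mechanisms above (the HKCU Windows\run value, the Run key, the Winlogon Shell value, plus WIN.INI on Windows 98) can be checked from an exported snapshot. The following Python is an added example, not code from the original analysis; the snapshot and WIN.INI fragment are constructed to resemble an infected machine using the key paths, value names and file names listed above. The Winlogon Shell check is deliberately general: any token after "explorer.exe" is reported, not only vxdmgr32.exe, because the trick works with any file name.

```python
"""Check a registry/WIN.INI snapshot for Dumaru.B autostart entries (added example)."""
import ntpath
import re

DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "rundllw.exe"}

# Constructed snapshot as (key, value name, data), the way reg.exe would export it.
SNAPSHOT = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "run", r"C:\WINNT\dllreg.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "load32", r"C:\WINNT\System32\load32.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\WINNT\System32\ctfmon.exe"),  # benign entry, must not be flagged
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"explorer.exe C:\WINNT\System32\vxdmgr32.exe"),
]

# Constructed WIN.INI fragment for the Windows 98 case.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe
"""


def _basenames(data):
    """Lower-cased file names of every token in a command-line style value."""
    return [ntpath.basename(tok).lower() for tok in data.split()]


def check_registry(snapshot):
    """Return (reason, detail) pairs for values matching the Dumaru persistence pattern."""
    findings = []
    for key, name, data in snapshot:
        k, n = key.lower(), name.lower()
        if k.endswith(r"\windows nt\currentversion\windows") and n == "run" and data.strip():
            # Legacy 16-bit style autostart; rarely populated on a clean system.
            findings.append(("HKCU ...\\Windows\\run autostart", data))
        elif k.endswith(r"\currentversion\run") and DUMARU_FILES & set(_basenames(data)):
            findings.append(("Run key references Dumaru file name", f"{name} = {data}"))
        elif k.endswith(r"\winlogon") and n == "shell":
            # Anything beyond explorer.exe in the shell line is started at logon.
            extra = [t for t in _basenames(data) if t != "explorer.exe"]
            if extra:
                findings.append(("Winlogon Shell starts extra binaries", ", ".join(extra)))
    return findings


def check_win_ini(text):
    """Return (reason, detail) pairs for non-empty run=/load= lines in [windows]."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "windows":
            m = re.match(r"(run|load)\s*=\s*(\S.*)$", line, re.I)
            if m:
                findings.append((f"WIN.INI {m.group(1).lower()}=", m.group(2).strip()))
    return findings


if __name__ == "__main__":
    for reason, detail in check_registry(SNAPSHOT) + check_win_ini(WIN_INI):
        print(f"{reason}: {detail}")
```

On a live system the same tuples can be produced with `reg export` or PowerShell's `Get-ItemProperty`; the value names are case-insensitive in the registry, which is why the checks lower-case both key and name.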

  • The virus may write additional files to the infected system -

    c:\WINNT\guid32.dll (4,096 bytes) - a keylogger
    c:\WINNT\windrive.exe (8,192 bytes) - an IRC bot, known as "W32/Silentlog-tr"

  • The virus contains instructions to send the stolen password information to an email address at the domain "duma.gov.ru"; the virus name is derived from this domain

  • The email carrying the stolen data is formatted as follows -

    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="x1234"

    --x1234
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    IP address:

    *** Far Manager passwords ***
    (password detail)
    *** Far Manager passwords ends***

    *** WebMoney ID list ***
    (webmoney detail)
    *** WebMoney ID list ends ***

    ===KEYLOGGER DATA START===
    (keylogger detail)
    ===KEYLOGGER DATA END===

    ===CLIPBOARD LOG===
    (clipboard detail)
    ===CLIPBOARD LOG END===

    *** Protected Storage Data ***

    *** Protected Storage Data ends ***
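When such a report is recovered from a mail spool or a proxy capture, the sections can be split apart mechanically. The following Python is an added example, not code from the original analysis; the report text is constructed from the template above, and the IP address, password, WebMoney ID and keystrokes in it are made up. The section markers are not uniform ("*** X ***" is closed by "*** X ends ***", "===X START===" by "===X END===", and "===CLIPBOARD LOG===" by "===CLIPBOARD LOG END==="), so the parser treats any marker whose text ends in "end"/"ends" as the close of the section with the same name rather than hard-coding each pair.

```python
"""Split a Dumaru.B exfiltration report into its sections (added example)."""
import re

# Constructed report following the template in the analysis; all values are made up.
REPORT = """\
IP address: 203.0.113.7

*** Far Manager passwords ***
ftp://user:hunter2@ftp.example.invalid
*** Far Manager passwords ends***

*** WebMoney ID list ***
123456789012
*** WebMoney ID list ends ***

===KEYLOGGER DATA START===
[Notepad] hello world
===KEYLOGGER DATA END===

===CLIPBOARD LOG===
copied text
===CLIPBOARD LOG END===

*** Protected Storage Data ***

*** Protected Storage Data ends ***
"""

MARKER_RE = re.compile(r"^(?:\*\*\*\s*(?P<star>.+?)\s*\*\*\*|===\s*(?P<eq>.+?)\s*===)$")
IP_RE = re.compile(r"^IP address:\s*(.*)$")


def _marker(line):
    """Return (section name, is_closing) if the line is a marker, else None."""
    m = MARKER_RE.match(line.strip())
    if not m:
        return None
    text = m.group("star") if m.group("star") is not None else m.group("eq")
    closing = re.search(r"\bends?$", text, re.I) is not None
    # Strip the START/END/ends suffix so opening and closing markers share a name.
    name = re.sub(r"\s*\b(start|ends?)$", "", text, flags=re.I).strip()
    return name, closing


def parse_report(text):
    """Return {'ip': ..., '<section name>': '<section body>', ...}."""
    sections = {"ip": None}
    current, buf = None, []
    for line in text.splitlines():
        mk = _marker(line)
        if mk is None:
            if current is not None:
                buf.append(line)
            else:
                m = IP_RE.match(line.strip())
                if m:
                    sections["ip"] = m.group(1).strip() or None
            continue
        name, closing = mk
        if closing and name == current:
            sections[name] = "\n".join(buf).strip()
            current, buf = None, []
        elif not closing:
            current, buf = name, []
    if current is not None:  # unterminated section, e.g. a truncated capture
        sections[current] = "\n".join(buf).strip()
    return sections


if __name__ == "__main__":
    for k, v in parse_report(REPORT).items():
        print(f"{k}: {v!r}")
```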

  • The virus contains code that attempts to infect Windows 2000 files on NTFS volumes: it overwrites the target with a copy of itself under the original file name and stores the original file in an alternate data stream of that file named ":STR". This technique was first used by the virus W2K/Streams
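Alternate data streams are invisible to a normal directory listing, but on Windows `dir /r` prints each stream beneath its host file, so a listing captured from a suspect machine can be parsed offline. The following Python is an added example, not code from the original analysis; the listing is constructed to imitate an infected System32 directory, and the ":STR" stream name and 34,304-byte sample size come from the analysis above. The parser reports every stream except Zone.Identifier and marks ":STR" as the Dumaru/Streams pattern.

```python
"""Find W2K/Streams-style ':STR' alternate data streams in `dir /r` output (added example)."""
import re

DUMARU_SIZE = 34304  # compressed size of the sample, from the analysis
STREAM_NAME = "STR"

# Constructed `dir /r` listing; after infection the host file IS the virus body and the
# original program lives in the :STR stream.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1C2D-3E4F

 Directory of C:\WINNT\system32

09/22/2003  10:15 AM    <DIR>          .
09/22/2003  10:15 AM    <DIR>          ..
09/22/2003  10:15 AM            34,304 notepad.exe
                                50,960 notepad.exe:STR:$DATA
06/19/2003  12:00 PM           114,688 calc.exe
09/22/2003  10:15 AM            34,304 load32.exe
09/22/2003  10:15 AM            34,304 vxdmgr32.exe
08/01/2003  09:00 AM            12,288 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def _size(s):
    return int(s.replace(",", ""))


def parse_dir_r(text):
    """Yield (directory, host, host_size, stream_name, stream_size) for each ADS listed."""
    directory = host = host_size = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            host = m.group(2)
            host_size = None if m.group(1) == "<DIR>" else _size(m.group(1))
            continue
        m = STREAM_RE.match(line)
        if m and m.group(2) == host:  # stream lines always follow their host line
            yield directory, host, host_size, m.group(3), _size(m.group(1))


def find_suspicious_streams(text):
    """Return one dict per non-Zone.Identifier stream, flagging the ':STR' pattern."""
    findings = []
    for directory, host, host_size, stream, size in parse_dir_r(text):
        if stream.lower() == "zone.identifier":
            continue  # browser download marker, not an infection artefact
        findings.append({
            "path": f"{directory}\\{host}:{stream}",
            "host_size": host_size,
            "stream_size": size,
            "dumaru_pattern": stream.upper() == STREAM_NAME,
            "host_size_matches_sample": host_size == DUMARU_SIZE,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_streams(SAMPLE_DIR_R):
        print(f)
```

Because the infected host file is the virus body, its main-stream size equal to the sample size is a second, independent indicator; the original program can be recovered from the `:STR` stream with `more < notepad.exe:STR > notepad.orig` before the file is cleaned.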

  • The virus may seek to terminate the following applications if they are running in memory or as a service -
    AGENTSVR.EXE
    ANTS.EXE
    APLICA32.EXE
    APVXDWIN.EXE
    ATCON.EXE
    ATUPDATER.EXE
    ATWATCH.EXE
    AVSYNMGR.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    DEFWATCH.EXE
    DRWATSON.EXE
    FAST.EXE
    FRW.EXE
    GUARD.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    LOCKDOWN.EXE
    LOCKDOWN2000.EXE
    LUALL.EXE
    LUCOMSERVER.EXE
    MCAGENT.EXE
    MCUPDATE.EXE
    MGUI.EXE
    MINILOG.EXE
    MOOLIVE.EXE
    MSCONFIG.EXE
    MSSMMC32.EXE
    NDD32.EXE
    NETSTAT.EXE
    NISSERV.EXE
    NISUM.EXE
    NMAIN.EXE
    NPROTECT.EXE
    NSCHED32.EXE
    NVARCH16.EXE
    PAVPROXY.EXE
    PCCIOMON.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    POPROXY.EXE
    PVIEW95.EXE
    REGEDIT.EXE
    RTVSCN95.EXE
    SAFEWEB.EXE
    SPHINX.EXE
    SPYXX.EXE
    SS3EDIT.EXE
    SYSEDIT.EXE
    TAUMON.EXE
    TC.EXE
    TCA.EXE
    TCM.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    TDS-3.EXE
    UPDATE.EXE
    VPC42.EXE
    VPTRAY.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSMAIN.EXE
    VSMON.EXE
    VSSTAT.EXE
    WATCHDOG.EXE
    WEBSCANX.EXE
    WGFE95.EXE
    WRADMIN.EXE
    WRCTRL.EXE
    ZAPRO.EXE
    ZATUTOR.EXE
    ZAUINST.EXE
    ZONEALARM.EXE

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

Product                    Database
FortiClient                Extreme
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date        Version    Detail
2020-09-22  80.56100   Sig Updated
2020-07-26  79.17600   Sig Added