Win32.Dumaru.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Dumaru.A@mm is also known as W32.Dumaru@mm (Symantec).
Explanation:
The virus arrives as a fake e-mail that appears to come from Microsoft:
From: "Microsoft" <security@microsoft.com>
Subject: Use this patch immediately !
Body:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe
When executed, the virus will do the following:
Copy itself as:
%SYSTEM%\load32.exe
%WINDOWS%\dllreg.exe
%SYSTEM%\vxdmgr32.exe
Drops and executes a backdoor component
%WINDOWS%\windrv.exe (8192 bytes)
which connects to an IRC server, joins a password-protected channel, sends a login notice and waits for the author to issue commands.
Creates the value
"load32"="%SYSTEM%\load32.exe"
in the registry key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
On Windows 9x/Me systems, it does the following:
uses RegisterServiceProcess to hide its presence;
modifies system.ini by adding the following entry to the [Boot] section:
shell=explorer.exe %System%\vxdmgr32.exe
modifies win.ini by adding the following entry to the [Windows] section:
run=C:\WINDOWS\dllreg.exe
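The persistence entries listed above (the Run value, the system.ini shell= line and the win.ini run= line) can be checked for in a triage script. The following is an added defender-side example, not BitDefender's code: it parses constructed system.ini / win.ini text and a dictionary standing in for the HKLM Run key's values, and reports any entry that launches one of the dropped file names. The parse_ini and find_dumaru_persistence helpers and the sample inputs are hypothetical.

```python
import re

# Indicators taken from the description above.
DROPPED_FILES = {"load32.exe", "dllreg.exe", "vxdmgr32.exe", "windrv.exe"}
RUN_VALUE_NAME = "load32"


def parse_ini(text):
    """Minimal INI parser: returns {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def find_dumaru_persistence(system_ini, win_ini, run_key_values):
    """Return a list of findings describing Dumaru.A persistence; empty means none matched."""
    findings = []
    for key, value in parse_ini(system_ini).get("boot", []):
        # A clean 9x/Me system has exactly 'shell=explorer.exe'; extra tokens are suspicious.
        if key == "shell" and any(_basename(t) in DROPPED_FILES for t in value.split()):
            findings.append(f"system.ini [boot] shell= launches dropped file: {value}")
    for key, value in parse_ini(win_ini).get("windows", []):
        if key == "run" and _basename(value) in DROPPED_FILES:
            findings.append(f"win.ini [windows] run= launches dropped file: {value}")
    for name, data in run_key_values.items():
        if name.lower() == RUN_VALUE_NAME or _basename(data) in DROPPED_FILES:
            findings.append(f"HKLM Run value {name!r} -> {data}")
    return findings


# Constructed sample input reproducing the modifications described on this page.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe %System%\\vxdmgr32.exe\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN_KEY = {"load32": "%SYSTEM%\\load32.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}

if __name__ == "__main__":
    for finding in find_dumaru_persistence(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_RUN_KEY):
        print("[!]", finding)
```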
Harvests e-mail addresses from files matching
*.htm
*.wab
*.html
*.dbx
*.tbb
*.abd
and stores them in the file %WINDOWS%\winload.log.
It uses its own SMTP engine and sends itself to the addresses harvested into winload.log (see above for the format of the infected e-mail).
It searches for *.exe files belonging to several antivirus/security products and attempts to overwrite them with copies of the virus.
Last update 21 November 2011