What
is the Dumaru.AD worm?
Dumaru.AD is a multi-threaded,
mass-mailing worm that downloads and runs a file,
runs a keylogger, steals personal information,
and starts an FTP server on port 10000. This
Worm is similar to Dumaru.Z.
The worm uses its own SMTP engine to spread to
the email addresses it finds on an infected
system.
The email has the following characteristics:
From: "Elene" <F**KENSUICIDE@HOTMAIL.COM>
(censored)
Subject: Important information for
you. Read it immediately !
Attachment: Myphoto.zip
The attachment is a zip file that contains the
worm executable as myphoto.jpg <spaces>
.exe". (There are numerous spaces between
".jpg" and ".exe".)
Message:
Hi !
Here is my photo, that you asked for
yesterday.
Also known as: W32.Dumaru.AD@mm, I-Worm.Dumaru.gen,
W32/Dumaru.gen@MM
How
Does Dumaru.AD Infect My System?
When Dumaru.AD is executed, it performs
the following actions:
- Deletes the C:\2.exe file, which is a copy
of the worm, which is Web page drops (See the
Short Description).
- Copies itself as the following files:
- %System%\L32x.exe
- %System%\Vxd32v.exe
- %Startup%\Dllxw.exe
- Creates a zipped copy of itself as %Windir%\Temp\Zip.tmp.
- Creates the following files:
- %Windir%\Winload.log: This file is used
to store the email addresses that the worm
finds. It sends itself to these addresses.
- %Windir%\Vxdload.log: This file is used
to store passwords and other information,
which the user types.
- %Windir%\Rundllx.sys: This file stores
data pasted to the clipboard.
- Adds the value:
"load32"="%System%\l32x.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start
Windows.
- Modifies the [boot] section of the
System.ini file (Windows 95/98/Me only) as
follows:
[boot]
shell=explorer.exe %System%\vxd32v.exe
- Modifies the value:
Shell
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
from:
"explorer.exe"
to:
"explorer.exe %Windir%\system32\vxd32v.exe"
so that the worm runs when you start Windows
NT/2000/XP.
- Monitors the clipboard and stores the data
pasted to the clipboard in the file, %Windir%\Rundllx.sys.
- Captures keystrokes entered into windows,
with the title "https:/ /www.e-gold.com/srk.asp
- Microsoft Internet Explorer," and then
stores them in the file, %Windir%\Vxdload.log.
- Periodically emails the contents of
Winload.log, Vxdload.log, and Rundllx.sys to
an email address that is hard-coded in the
worm.
- Searches the C drive for the files with the
following extensions:
- .htm
- .wab
- .html
- .dbx
- .tbb
- .abd
and saves any email addresses it finds in
such files to the file, %Windir%\Winload.log.
- Sends an email to each address in the file,
%Windir%\Winload.log, with itself as an
attachment.
The email has the following characteristics:
From: "Elene"
<F**KENSUICIDE@HOTMAIL.COM>
(censored)
Subject: Important information for
you. Read it immediately !
Attachment: myphoto.zip
Message:
Hi !
Here is my photo, that you asked for
yesterday.
The email message contains an IFRAME exploit,
so that Microsoft Outlook will be redirected
to a hard-coded URL, download a downloader of
the worm, save it as C:\x.exe, and then
execute it. The downloader will download
Dumaru.AD, save it as %Windir%\instl.exe,
and then execute it.
- Starts an FTP server on port 10000. This
gives full access to a remote attacker.
How to Remove the Dumaru.AD worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Dumaru.AD during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling
System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended. 3. Restarting the computer in Safe mode or
ending the malicious process
4. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
Dumaru.AD, click Delete.
5. Editing the System.ini file
If you are running Windows 95/98/Me, follow these
steps:
- The function you perform depends on your
operating system:
- Windows 95/98: Go to step B.
- Windows Me: If you are running
Windows Me, the Windows Me file-protection
process may have made a backup copy of the
System.ini file that you need to edit. If
this backup copy exists, it will be in the
C:\Windows\Recent folder. Symantec
recommends that you delete this file
before continuing with the steps in this
section. To do this:
- Start Windows Explorer.
- Browse to and select the
C:\Windows\Recent folder.
- In the right pane, select the
System.ini file and delete it. The
System.ini file will be regenerated
when you save your changes to it in
step F.
- Click Start, and then click Run.
- Type the following, and then click OK.
edit c:\windows\system.ini
(The MS-DOS Editor opens.)
NOTE: If Windows is installed in a
different location, make the appropriate path
substitution.
- In the [boot] section of the file,
look for a line similar to:
shell = Explorer.exe C:\WINDOWS\SYSTEM\vxd32v.exe
- If this line exists, delete everything to
the right of Explorer.exe.
When you are done, it should look like:
shell = Explorer.exe
- Click File, and then click Save.
- Click File, and then click Exit.
6. Reversing the changes made to the
registry
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
"load32"="%System%\l32x.exe""
- Do one of the following:
- If you are using Windows 95/98/Me,
proceed to step i.
- If you are using Windows NT/2000/XP,
proceed to step f.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
- In the right pane, double-click: Shell
- Change:
"explorer.exe %Windir%\system32\vxd32v.exe"
to:
"explorer.exe"
- Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE
- Exit the Registry Editor.
- Restart the computer into Normal mode.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Worms - 'D':
|
