W32/Dumaru-AE

Discussion in 'malware problems & news' started by Marianna, Mar 5, 2004.

Thread Status:
Not open for further replies.
Marianna (Spyware Fighter) - Joined: Apr 23, 2002 - Posts: 1,215 - Location: B.C. Canada
    Aliases: I-Worm.Dumaru.p

    Type: Win32 worm

    W32/Dumaru-AE is a stealthing polymorphic worm that spreads via email and the KaZaA peer-to-peer network. The worm also has backdoor functionality and will steal password and system information from the victim's computer.
    W32/Dumaru-AE arrives as an email with a file attachment named document.zip. Document.zip contains a file named myphoto.jpg<56 spaces>.exe. When this file is executed a file named nload.exe is dropped to the root folder and is executed.

    When the worm is first executed it displays garbage text using Notepad.

    W32/Dumaru-AE copies itself to files named 1111a.exe and 1111c.exe in the Windows system folder and 1111b.exe in the startup folder. The following registry entry is created to ensure that the worm is run when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = 1111a.exe

    The worm may also set the following line in the system.ini file:
    Shell = explorer.exe <System>\1111c.exe

    W32/Dumaru-AE also copies itself into the KaZaA folder with one of the following filenames and one of the following extensions EXE, SCR, PIF or BAT:
    winamp5
    icq2004-final
    activation_crack
    strip-girl-2.0bdcom_patches
    rootkitXP
    office_crack
    nuke2004

    W32/Dumaru-AE runs as a service process, monitors user activity and will periodically email this information to an attacker. The information collected includes keystroke logs, the contents of the clipboard and system details. The information collected from the victim's machine is stored in the log files 1111c.log and 1111k.log.

    W32/Dumaru-AE harvests email addresses from HTM, WAB, HTML, ASP, TXT, DBX, TBB and ABD files and stores found addresses in the file 1111mail.log.

    http://www.sophos.com/virusinfo/analyses/w32dumaruae.html
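The persistence points listed in the analysis above (the load32 Run value, the extra executable appended to the system.ini Shell line, and the dropped 1111*.exe / *.log files) are easy to check for on a suspect machine. The script below is an added example written for this thread, not code from Sophos or from the original post. It assumes you have already collected the text of system.ini, the name/value pairs under the Run key (for instance from a registry export), and a list of file names from the Windows and system folders; the sample inputs embedded in it are constructed, not captured from an infected system.

```python
"""Check collected artefacts for W32/Dumaru-AE persistence indicators.

Indicators come from the Sophos description quoted in the thread; the
input data below is constructed for illustration.
"""
import ntpath
from typing import Dict, List

# Registry persistence described in the analysis:
# HKLM\...\CurrentVersion\Run\load32 = 1111a.exe
RUN_KEY_NAME = "load32"
RUN_KEY_VALUE = "1111a.exe"

# Files the worm drops or writes, per the analysis.
DROPPED_FILES = {"nload.exe", "1111a.exe", "1111b.exe", "1111c.exe"}
LOG_FILES = {"1111c.log", "1111k.log", "1111mail.log"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal case-insensitive INI parser (section -> {key: value}).

    Written by hand rather than with configparser so that odd lines in a
    real system.ini (duplicate keys, lines without '=') do not abort the scan.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_shell_line(system_ini_text: str) -> List[str]:
    """Return anything appended after the shell executable on [boot] Shell=.

    A clean line is just 'shell=Explorer.exe'; the analysis says the worm
    appends <System>\\1111c.exe, so every extra token is reported.
    """
    boot = parse_ini(system_ini_text).get("boot", {})
    tokens = boot.get("shell", "").split()
    return tokens[1:] if tokens else []


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run value names whose command matches the worm's indicators."""
    hits = []
    for name, value in run_values.items():
        exe = ntpath.basename(value.strip().strip('"')).lower()
        if (name.lower() == RUN_KEY_NAME and exe == RUN_KEY_VALUE) or exe in DROPPED_FILES:
            hits.append(name)
    return hits


def check_file_names(paths: List[str]) -> List[str]:
    """Return paths whose base name is one of the dropped or log files."""
    suspects = DROPPED_FILES | LOG_FILES
    return sorted(p for p in paths if ntpath.basename(p).lower() in suspects)


# --- constructed sample inputs (not real captures) ---------------------------
SAMPLE_SYSTEM_INI = """; constructed sample system.ini
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\1111c.exe
drivers=mmsystem.dll
[386Enh]
device=*vshare
"""

SAMPLE_RUN_VALUES = {
    "load32": "1111a.exe",
    "SystemTray": "SysTray.Exe",
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
}

SAMPLE_FILE_LISTING = [
    "C:\\WINDOWS\\SYSTEM\\1111a.exe",
    "C:\\WINDOWS\\SYSTEM\\kernel32.dll",
    "C:\\1111k.log",
]

if __name__ == "__main__":
    print("Shell line extras :", check_shell_line(SAMPLE_SYSTEM_INI))
    print("Suspicious Run    :", check_run_values(SAMPLE_RUN_VALUES))
    print("Suspicious files  :", check_file_names(SAMPLE_FILE_LISTING))
```

The Shell check deliberately reports every token after the shell executable rather than looking only for 1111c.exe, since the same system.ini trick is used by other malware; the Run check matches on the base name of the command so that a full path or quoted value is still caught.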
     