| Description:
|
Details
I-Worm.Dumaru.j
This worm is part of the Dumaru family, which spreads via the Internet as files attached to infected messages. The worm includes a backdoor function and a Trojan program which enables it to steal information. The worm is a Windows PE EXE file, compressed using FSG. The compressed file is approximately 17KB in size, and the decompressed file approximately 43 KB in size.
Installation
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register as a key to enable autorun:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
load32 = %windir%%system%l32x.exe
On computers running under Windows 95,98 and ME, the worm changes a section in the system.ini file
[boot]
shell=explorer.exe %System%vxd32v.exe
Mailing of messages
The worm searches all directories on accessible local disks for files with the extensions: .htm, .wab, .html, .dbx, .tbb, .abd, highlights lines which are email addresses and then sends infected messages to these address. To do this, the worm creates a Zip archive (zip.tmp) in the Windows temporary directory, which will then be added to messages as an attachment.
The worm also creates a file called winload.log in the Windows directory, and writes all email addresses found, to which infected messages have been sent, to this file. Infected messages have the following characteristics:
Sender's address:
Elene F*****SUICIDE@HOTMAIL.COM
Message header:
Important information for you. Read it immediately !
Message body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
In order to send messages, the worm uses its own SMTP engine, giving the return address as address@dyandex.ru. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
Other
The worm opens port 10000 to receive commands for administration of the infected computer. The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Kaspersky Labs anti-virus databases have already been updated with protection against I-Worm.Dumaru.j. |
