Email-Worm.Win32.Dumaru

Detect Date 09/25/2003
Class Email-Worm
Platform Win32
Description

This family of email worms includes I-Worm.Dumaru.b, I-Worm.Dumaru.c. It spreads via the Internet in the form of a file attached to infected messages. It installs a variety of Trojan components on the infected computer.

The worm is only activated if the user launches the infected file by double-clicking on the attachment. Upon launch of the infected file the worm installs itself in the system and launches the replication procedure.

The worm is a Windows PE EXE file compressed using UPX. The size of the compressed file is approximately 9KB and the size of the decompressed file approximately 32KB.

Installation

The worm copies itself under the name load32.exe and vxdmgr32.exe to the Windows system directory and registers one file in the Auto-run key of the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  load32 = %windir%\%system%\load32.exe

The worm creates a copy of itself in the Windows directory with the name dllreg.exe and installs to this location the file winrdv.exe (approximately 8KB), a backdoor controlled via IRC. Kaspersky Anti-Virus detects this component as Backdoor.Dumador.c (Backdoor.Small.d). This will be used to connect to the author of the worm via IRC in order to receive commands.

Sending messages

The worm searches for *.TBB, *.ABD, *.DBX, *.HTML, *.HTM, *.WAB files in all directories on all accessible local disks. It extracts the lines in these files that look like email addresses and sends infected messages to those addresses.

The worm also creates the file winload.log in the Windows directory and records in it the email addresses to which infected messages are sent.

Infected messages have the sender address: security@microsoft.com

Message subject:

Use this patch immediately !

Message body:

Dear friend , use this Internet Explorer patch now!

There are dangerous virus in the Internet now!

More than 500.000 already infected!

Attachment:

patch.exe

In order to send messages, the worm uses a direct connection to the SMTP server, giving a return address of admin@duma.gov.ru. This means that mail scanner notification that the worm has been detected in messages will be sent to this address.
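The message characteristics listed above (spoofed sender, fixed subject, patch.exe attachment, and the admin@duma.gov.ru return address that ends up in the Return-Path header on delivery) are what a mail gateway would match on. The following is an added example, not part of the Kaspersky description, using Python's standard email parser on a constructed sample message; the function and sample names are assumptions.

```python
# Added example: mail-gateway style check for the Dumaru message indicators.
import email
from email import policy

# Indicators taken from the description of the worm's messages.
SPOOFED_FROM = "security@microsoft.com"
SUBJECT = "Use this patch immediately !"
ATTACHMENT = "patch.exe"
RETURN_ADDRESS = "admin@duma.gov.ru"   # SMTP envelope sender, seen as Return-Path

# Constructed sample message (not a real capture); the base64 body is a stub.
SAMPLE = b"""Return-Path: <admin@duma.gov.ru>
From: security@microsoft.com
To: victim@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMA
--b1--
"""


def dumaru_indicators(raw: bytes) -> list:
    """Return the names of the Dumaru mail indicators present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SPOOFED_FROM in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() == SUBJECT:
        hits.append("subject")
    if RETURN_ADDRESS in str(msg.get("Return-Path", "")).lower():
        hits.append("return-path")
    # iter_attachments() yields nothing for non-multipart messages.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def is_dumaru_candidate(raw: bytes) -> bool:
    """Flag a message only when the attachment and at least one header match."""
    hits = dumaru_indicators(raw)
    return "attachment" in hits and len(hits) >= 2
```

Requiring the attachment plus one header indicator keeps a lone spoofed sender or a forwarded warning with the same subject from being quarantined on its own.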

Infection of files

The worm infects executable files in the root directories of all accessible local disks from C: to Z:. To do this it uses NTFS alternate data streams, a method which was first employed by the Stream virus in 2000.