Posted on 08/18/2003 6:16:48 PM PDT by dfrussell
WORM: W32.Dumaru@mm

CONTENTS
I. Description
II. Technical Details
III. Mitigation

===========================================================================
I. Description
W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan onto the infected machine. The worm gathers email addresses from certain file types and uses its own SMTP engine to email itself.
The email has the following characteristics:
From: "Microsoft"
Subject: Use this patch immediately !
Message: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: patch.exe
This threat is written in the Microsoft C++ programming language and is compressed with UPX.
===========================================================================
II. Technical Details
When W32.Dumaru@mm is executed, it does the following:
1. Copies itself as the following:
%Windir%\dllreg.exe
%System%\load32.exe
%System%\vxdmgr32.exe
NOTES:
%Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Creates %Windir%\windrv.exe (8,192 bytes), which is an IRC Trojan. When run, it connects to a predefined IRC server and joins a specific channel to listen for commands from the worm's creator.
3. Creates %Windir%\winload.log, which is a log file. The worm uses this file to store the stolen email addresses.
NOTE: This file is not viral by itself, and therefore, Symantec antivirus products do not detect this file. Manually delete it if your system is infected with this worm.
4. Adds the value:
"load32" = "%Windir%\load32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
5. Modifies the [windows] section of the win.ini file (Windows 95/98/Me only):
[windows]
run=%Windir%\dllreg.exe
6. Modifies the [boot] section of the system.ini file (Windows 95/98/Me only):
[boot]
shell=explorer.exe %System%\vxdmgr32.exe
7. Retrieves email addresses from files with the following extensions:
.htm
.wab
.html
.dbx
.tbb
.abd
8. Uses its own SMTP engine to email itself.
The email has the following characteristics:
From: "Microsoft"
Subject: Use this patch immediately !
Message: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: patch.exe
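The persistence points in steps 4 through 6 (Run key value, win.ini run=, system.ini shell=) and the dropped files in steps 1 through 3 can be checked offline from a host snapshot. The following is an added example written for this page, not a Symantec tool; the INI text, file list and Run-key values are constructed sample data that keep the write-up's %Windir%/%System% placeholders instead of real expanded paths.

```python
# Indicators copied from the write-up above (placeholders left unexpanded on purpose).
DROPPED_FILES = {
    r"%Windir%\dllreg.exe", r"%System%\load32.exe", r"%System%\vxdmgr32.exe",
    r"%Windir%\windrv.exe", r"%Windir%\winload.log",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def ini_value(text, section, key):
    """Return the value of key= inside [section] of INI text, or None.
    Hand-rolled and case-insensitive; Windows 9x win.ini/system.ini often
    contain lines that configparser rejects (bare keys, duplicate sections)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def dumaru_findings(win_ini, system_ini, present_files, run_values):
    """Compare a host snapshot against the indicators; an empty list means no match."""
    findings = []
    run = ini_value(win_ini, "windows", "run") or ""
    if "dllreg.exe" in run.lower():
        findings.append(f"win.ini [windows] run= starts dllreg.exe: {run}")
    shell = ini_value(system_ini, "boot", "shell") or ""
    # A clean 9x shell= line is just explorer.exe; anything appended is launched at boot.
    extra = shell.lower().replace("explorer.exe", "", 1).strip()
    if "vxdmgr32.exe" in extra:
        findings.append(f"system.ini [boot] shell= has an extra program: {shell}")
    for name, value in run_values.items():
        if name.lower() == "load32" and value.lower().endswith("load32.exe"):
            findings.append(f"{RUN_KEY}\\{name} = {value}")
    for path in present_files:
        if path in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    return findings

# Constructed snapshot of an infected Windows 98 host (sample data, not from a real system).
SAMPLE_WIN_INI = "[windows]\nrun=%Windir%\\dllreg.exe\nload=\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe %System%\\vxdmgr32.exe\n[386Enh]\n"
SAMPLE_FILES = [r"%Windir%\windrv.exe", r"%Windir%\winload.log", r"%Windir%\notepad.exe"]
SAMPLE_RUN = {"load32": r"%Windir%\load32.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for finding in dumaru_findings(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_FILES, SAMPLE_RUN):
        print("FINDING:", finding)
```

On a live host the same functions would take the real file contents and the exported Run key instead of the constructed samples; the shell= check deliberately flags any program appended after explorer.exe, which is the pattern step 6 describes.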
===========================================================================
III. Mitigation
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.Dumaru@mm or IRC Trojan.
4. Delete the value that was added to the registry.
5. Remove the lines that the worm added to the Win.ini or System.ini files (Windows 95/98/Me).
For specific details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation.
I'm not sure if I understand your question...
Normally, the people spreading it are infected. They just don't know it until their ISP disconnects them from the network :)
Human based virii do not require active participation of the carrier to spread. Same here.
As for the builder, he wouldn't really care as he would know how to remove it and would probably infect himself etc. a number of times just to test it.
Sure... and there are lots of people who think someone is an idiot because they don't know what an array of pointers to functions is or why they're used.... or what the difference in 20 words or less is between a meson and a bison.
Never forget that someone, somewhere thinks *you're* an idiot, too :)
Yehp, same applies to me :) :)
I never said they were idiots. I said they deserve to be infected by viruses. And if they stand in the middle of a highway, they deserve to be hit by a car. Same principle.
stalactite=ceiling
stalagmite=ground