
Windows Virus

Dumaru-A with Patch.exe

 

New Windows Virus - Dumaru-A

 

Dumaru-A is a "mass-mailer" worm that was first reported on 19 August 2003.

The Dumaru worm arrives in an email pretending to be a security patch (patch.exe)
from Microsoft. In reality, it is a mass-mailing email worm that installs a backdoor
component onto infected systems.

Narod-B is the "backdoor component." It is a Trojan that tries to connect to
port 6667 (the standard IRC port) on a predefined server.

If the connection succeeds, Narod-B joins a channel and listens for commands issued by
the attacker there, for example instructions to collect data from your PC and send it back.
 

Dumaru-A Details

When first run, the worm installs itself by dropping several copies of its file onto the
system and registering each one so that it is started automatically.

One copy goes to the System directory as 'load32.exe', and a registry value pointing
at it is added under the Run key so it starts at every logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

Another copy of the worm is placed in the Windows directory under the
file name 'dllreg.exe' and added to 'win.ini' as follows:

 [windows]
 Run=dllreg.exe

 

The third copy goes to the System directory as 'vxdmgr32.exe' and is
registered in 'system.ini' by appending it to the shell line:

 [Boot]
 Shell=explorer vxdmgr32.exe
 

The backdoor Trojan is dropped to the Windows directory as 'windrv.exe' and started.
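The three persistence locations above (the Run key, the win.ini Run= line and the system.ini Shell= line) are worth checking on any machine you suspect, because the same three hooks are reused by many other Windows worms of this era. The following triage helper is an added example and not part of the original article: it takes the Run-key values (assumed to have been read out of the registry already and passed in as a dict) and the raw text of win.ini and system.ini, and reports anything that is either one of the file names Dumaru-A is known to drop or a generic sign of tampering (a non-empty win.ini Run=, or a second program chained after the shell). The sample INI contents and Run-key values at the bottom are constructed to mirror the article, not captured from a real infection.

```python
"""Triage the three persistence hooks described for Dumaru-A (added example).

Assumptions (not from the article): the Run-key values have already been read
out of HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run into a dict, and
win.ini / system.ini are supplied as text.
"""

# File names the article lists as dropped by Dumaru-A and its Narod-B backdoor.
DUMARU_FILES = {"load32.exe", "dllreg.exe", "vxdmgr32.exe", "windrv.exe"}


def parse_ini(text):
    """Minimal INI parser: {section (lower-case): {key (lower-case): value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def first_program(cmdline):
    """Return the program token of a Windows command line ("" if empty).

    A quoted path may contain spaces, so honour the quotes before splitting.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def basename(path):
    """Lower-case file name of a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_persistence(run_values, win_ini, system_ini):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    # 1. Registry Run key: flag values whose program is a known Dumaru-A file.
    for name, cmd in run_values.items():
        if basename(first_program(cmd)) in DUMARU_FILES:
            findings.append(f"Run\\{name} -> {cmd} (known Dumaru-A file)")

    # 2. win.ini [windows] Run=: empty on a clean machine. Entries are
    #    comma-separated; each one is started at logon.
    run_line = parse_ini(win_ini).get("windows", {}).get("run", "")
    for entry in (e.strip() for e in run_line.split(",")):
        if not entry:
            continue
        tag = ("known Dumaru-A file" if basename(first_program(entry)) in DUMARU_FILES
               else "unexpected entry")
        findings.append(f"win.ini [windows] Run={entry} ({tag})")

    # 3. system.ini [boot] Shell=: should name only explorer. The line is a
    #    command line, so a second program appended after the shell is handed
    #    to Explorer and launched at boot - the hook Dumaru-A uses for vxdmgr32.exe.
    shell_line = parse_ini(system_ini).get("boot", {}).get("shell", "")
    tokens = shell_line.split()
    if tokens and basename(tokens[0]) not in ("explorer", "explorer.exe"):
        findings.append(f"system.ini [boot] Shell={shell_line} (shell is not explorer)")
    for extra in tokens[1:]:
        tag = ("known Dumaru-A file" if basename(extra) in DUMARU_FILES
               else "unexpected program chained after the shell")
        findings.append(f"system.ini [boot] Shell={shell_line} -> {extra} ({tag})")

    return findings


# Constructed sample data modelled on the article (not captured from a real system).
INFECTED_RUN = {
    "load32": r"C:\WINDOWS\System32\load32.exe",
    "SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" /quiet',
}
INFECTED_WIN_INI = "[windows]\nload=\nRun=dllreg.exe\nNullPort=None\n[fonts]\n"
INFECTED_SYSTEM_INI = "[Boot]\nShell=explorer vxdmgr32.exe\n[drivers]\nwave=mmdrv.dll\n"

CLEAN_RUN = {"SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" /quiet'}
CLEAN_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    for f in check_persistence(INFECTED_RUN, INFECTED_WIN_INI, INFECTED_SYSTEM_INI):
        print("SUSPECT:", f)
    print("clean host findings:", check_persistence(CLEAN_RUN, CLEAN_WIN_INI, CLEAN_SYSTEM_INI))
```

On the constructed infected sample the function reports exactly the three hooks the article lists (load32 in the Run key, dllreg.exe in win.ini, vxdmgr32.exe after the shell) and nothing for the legitimate SoundMAX entry; on the clean sample it returns an empty list. The generic checks in steps 2 and 3 fire for any name, so the helper also catches variants that use the same hooks with different file names.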

 

How Does Dumaru-A Spread?

Dumaru-A uses its own SMTP engine to send emails with infected attachments. To build its target list, the worm searches all drives for email addresses in files with the following extensions:

 .htm
 .wab
 .html
 .dbx
 .tbb
 .abd
 

Using its SMTP engine Dumaru-A sends infected emails to the addresses it collected. The infected emails have the following appearance:

 From: "Microsoft" <security@microsoft.com>
 Subject: Use this patch immediately !
 

 Dear friend , use this Internet Explorer patch now!
 There are dangerous virus in the Internet now!
 More than 500.000 already infected!
 

and carry the attachment patch.exe.

[Screenshot: a Dumaru-A email as received in Outlook XP. The patch.exe attachment is not shown because Outlook XP blocked it.]
 

The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.

 

Dumaru-A Infection

If your system is infected with Dumaru-A, be aware that the worm also contains a viral component that infects PE EXE files in the root of the local drive. Deleting the dropped files and registry entries by hand would leave those infected executables in place, so manual removal of the worm is not recommended. Instead, use your antivirus software with definitions updated after 19 August 2003 to detect and disinfect Dumaru.

I hope this article was useful. Sign Up For My Windows XP Newsletter for more tips and advice!

Regards

Marc Liron
marc@updatexp.com





 

The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL information is provided "As Is"

This page was last updated 20th August 2003
