Dumaru Removal Tool

Dumaru Removal Tool is a lightweight application that can completely erase the Win32.Dumaru worm in all its variants.

Win32.Dumaru.A@mm arrives as a fake email from Microsoft:

From: "Microsoft" [email protected]

Subject: Use this patch immediately !

Body:

Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!

Attachment: patch.exe

When executed, the virus will do the following:

Copy itself as: %SYSTEM%\load32.exe %WINDOWS%\dllreg.exe %SYSTEM%\vxdmgr32.exe

Drops and executes a backdoor component

%WINDOWS%\windrv.exe (8192 bytes)

which connects to a IRC server and joins a password protected channel, sends a login notice and waits for the author to issue commands.

Creates the value

"load32"="%SYSTEM%\load32.exe"

in the registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

On Windows 9x/Me systems, it does the following:

uses RegisterServiceProcess to hide its presence;

modifies system.ini by adding the entry in the [Boot] section:

shell=explorer.exe %System%\vxdmgr32.exe

modifies win.ini by adding the following entry in the [Windows] section:

run=C:\WINDOWS\dllreg.exe

Harvests e-mail addresses from files matching

*.htm *.wab *.html *.dbx *.tbb *.abd

and stores them in %WINDOWS%\winload.log file.

It uses it's own SMTP engine and sends itself to the e-mails harvested in winload.log file (see above for the infected e-mail format).

It searches for *.exe files belonging to several antivirus/security products and attempts to overwrite them with copies of the virus.

Win32.Dumaru.B/C@mm is a mass mailer that has backdoor abilities (listens on TCP ports 1001, 2283, 10000) and also comes with a keylogger. Attempts to terminate processes belonging to several security and antivirus programs. On NTFS partitions, it may overwrite .exe files with copies of the virus.

It spreads using this format:

From: [email protected]

Subject: Use this patch immediately !

Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!

Attachment: patch.exe

Once run, the virus does the following:

1. Creates the aforementioned files and registry keys/entries.

2. Attempts to terminate processes:

ZAUINST.EXE ZAPRO.EXE ZONEALARM.EXE ZATUTOR.EXE MINILOG.EXE VSMON.EXE LOCKDOWN.EXE ANTS.EXE FAST.EXE GUARD.EXE TC.EXE SPYXX.EXE PVIEW95.EXE REGEDIT.EXE DRWATSON.EXE SYSEDIT.EXE NSCHED32.EXE MOOLIVE.EXE TCA.EXE TCM.EXE TDS-3.EXE SS3EDIT.EXE UPDATE.EXE ATCON.EXE ATUPDATER.EXE ATWATCH.EXE W GFE95.EXE POPROXY.EXE NPROTECT.EXE VSSTAT.EXE VSHWIN32.EXE NDD32.EXE MCAGENT.EXE MCUPDATE.EXE WATCHDOG.EXE TAUMON.EXE IAMAPP.EXE IAMSERV.EXE LOCKDOWN2000.EXE SPHINX.EXE WEBSCANX.EXE VSECOMR.EXE PCCIOMON.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE FRW.EXE BLACKICE.EXE BLACKD.EXE WRCTRL.EXE WRADMIN.EXE WRCTRL.EXE PCFWALLICON.EXE APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE TDS2-98.EXE TDS2-NT.EXE SAFEWEB.EXE NVARCH16.EXE MSSMMC32.EXE PERSFW.EXE VSMAIN.EXE LUALL.EXE LUCOMSERVER.EXE AVSYNMGR.EXE DEFWATCH.EXE RTVSCN95.EXE VPC42.EXE VPTRAY.EXE PAVPROXY.EXE APVXDWIN.EXE AGENTSVR.EXE NETSTAT.EXE MGUI.EXE MSCONFIG.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE

3. On Windows 9x/Me systems, alters win.ini and system.ini in order to run at startup.

[windows] run=%WINDOWS%\dllreg.exe

[boot] shell=explorer.exe %SYSTEM%\vxdmgr32.exe

4. Harvests e-mail addresses by searching inside:

.htm .wab .html .dbx .tbb .abd

and attempts to send itself using the e-mail format described above, using it's own SMTP engine and the default SMTP address.

5. Attempts to infect .exe files on NTFS partitions, but due to a bug in the search, it will only infect .exe file on the root of drives.

6. Connects to an IRC server, and joins a channel, listens on ports 1001, 10000 (TCP) for commands from an attacker. Also, port 2283 (TCP) is used as a send through (like a proxy).

7. Captures and logs the clippboard to %WINDOWS%\rundllx.sys

8. Captures and logs keystrokes (but also program name) to %WINDOWS%\vxdload.log

9. Attempts to connect to a ftp server and upload a .eml file that contains passwords and other informations.

Win32.Dumaru.Y@mm is a worm that comes by mail in the following message:

From: "Elene" Subject: Important information for you. Read it immediately ! Body: Hi !

Here is my photo, that you asked for yesterday.

Attachment: MYPHOTO.JPG .EXE

The worm copies itself to Windows System folder with names L32X.EXE and VXD32V.EXE and in the StartUp folder with the name DLLXW.EXE, adds the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE

Also it adds to the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):

Shell = %SYSTEMDIR%\vxd32.exe

A keylogger and clipboard monitor is also installed, and the worm listens for commands on port 2283 and opens a FTP server on port 10000.

The mass-mailing component collects e-mail addresses from files with extensions .htm, .wab, .html, .dbx, .tbb, .abd and sends e-mails using its own sending engine.