PropertyValue
rdf:type
rdfs:label
  • Dumaru
rdfs:comment
  • Dumaru is a mass-mailer worm that installs a remote-control and keylogging trojan. The worm attacks the mail servers of the Duma, the Russian Parliament. It is believed by some to have caused billions in damage.
  • The worm arrives in an email encouraging users to open an attachment. The sender line reads "Microsoft" with the address secutrity@microsoft.com. The subject line is "Use this patch immediately !". The message body reads "Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!" (quoted as the worm sends it). The attachment is named patch.exe and is 9,216 bytes long.
dcterms:subject
dbkwik:malware/property/wikiPageUsesTemplate
Date
  • 2003-08-16
Origin
  • Russia
Platform
  • Microsoft Windows
Name
  • Dumaru
Type
  • Mass-mailer worm
PL
  • C++
filetype
  • .exe
Cost
  • 3.8E9
abstract
  • Dumaru is a mass-mailer worm that installs a remote-control and keylogging trojan. The worm attacks the mail servers of the Duma, the Russian Parliament. It is believed by some to have caused billions in damage.
  • The worm arrives in an email encouraging users to open an attachment. The sender line reads "Microsoft" with the address secutrity@microsoft.com. The subject line is "Use this patch immediately !". The message body reads "Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!" (quoted as the worm sends it). The attachment is named patch.exe and is 9,216 bytes long.
When executed, the worm copies itself as dllreg.exe into the Windows folder and as load32.exe and vxdmgr32.exe into the Windows system folder. It also drops windrv.exe into the Windows folder; this is the trojan component, Narod.A, which is both a keylogger and a remote-control backdoor. When run, the trojan connects to an IRC server and joins a channel to listen for commands from the worm's creator. The worm then creates the file winload.log, in which it stores harvested email addresses.
For persistence, Dumaru adds the value "load32 = (Windows Directory)\load32.exe" to the local machine Run registry key, which causes the worm to run whenever the system starts. On Windows NT/2000/XP only, it also adds the value "Run = C:\WINNT\dllreg.exe" to the current user registry key and replaces the logon shell in the local machine logon (Winlogon) registry key with one of "Shell = C:\(Windows Directory)\dllreg.exe", "Shell = C:\(System directory)\load32.exe" or "Shell = C:\(System directory)\Vxdmgr32.exe". On Windows 95/98/ME only, it modifies the [windows] section of win.ini (adds "run=(Windows directory)\dllreg.exe") and the [boot] section of system.ini (adds "shell=explorer.exe (System directory)\vxdmgr32.exe"), so that the worm is launched alongside the normal shell.
Dumaru then harvests email addresses from files on the system with the extensions .htm, .html, .wab, .dbx, .tbb and .abd, and uses its own SMTP engine to mail itself to them. The worm also carries a file-infecting component that infects Portable Executable files in the root directory of drive C: (the top level, not inside any folder). It is intended to infect all executables, but a bug in its code restricts it to the root directory.
Dumaru exploits the hair-trigger alert notifications of many antivirus and mail-filtering products. Rather than recognizing the infected email as a mass-mailing worm and simply discarding it, many popular security products send a notification to the sender, the recipient and/or the system administrator. Dumaru forges the header information in the email so that the Return-Path points to admin@duma.gov.ru; the resulting flood of bounces and alerts amounts to a denial-of-service attack on the mail servers of the Russian legislature.
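The persistence entries described above (the local machine Run value, the per-user Run value, the replaced Winlogon shell, and the win.ini/system.ini lines) can be checked offline from a collected snapshot. The following is an added example written for this page, not the worm's code and not from any antivirus vendor: it parses constructed win.ini and system.ini text with configparser and walks a constructed dict of registry values in the shape a collector (reg query or the winreg module) might export. The full registry key paths, the snapshot dict layout and the helper names are assumptions of the example; the page itself only names the hives and values.

```python
"""Offline check for Dumaru-style autostart entries (added example, not the worm's code)."""
import configparser
import ntpath

# File names the page attributes to the worm and its dropped trojan.
WORM_BINARIES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}
LEGIT_SHELL = "explorer.exe"

# Assumed full key paths (the page names the hive and the value, not the path).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USER_WINDOWS_KEY = r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed snapshot of an infected Windows 98 host (the 9x persistence path).
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n"
SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n"

# Constructed snapshot of an infected Windows 2000 host (the NT persistence
# path), as {key: {value_name: data}}.
REGISTRY = {
    RUN_KEY: {"load32": r"C:\WINNT\load32.exe"},
    WINLOGON_KEY: {"Shell": r"C:\WINNT\system32\load32.exe"},
    USER_WINDOWS_KEY: {"Run": r"C:\WINNT\dllreg.exe"},
}


def _executables(cmd):
    """Lower-cased file names of every token in a command line.

    Sufficient for the shell= and run= lines the worm writes; paths that
    contain spaces would need real Windows command-line splitting."""
    return [ntpath.basename(tok.strip('"')).lower() for tok in cmd.split()]


def _parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp


def check_ini(win_ini, system_ini):
    """Findings for the Windows 9x/ME autostart lines as (source, entry, data, reason)."""
    findings = []
    win = _parse_ini(win_ini)
    for opt in ("run", "load"):
        data = win.get("windows", opt, fallback="") or ""
        if data.strip():
            findings.append(("win.ini", f"[windows] {opt}", data, "autostart entry present"))
    # The normal [boot] shell= line is exactly "explorer.exe"; the worm appends itself.
    shell = _parse_ini(system_ini).get("boot", "shell", fallback=LEGIT_SHELL) or ""
    if _executables(shell) != [LEGIT_SHELL]:
        findings.append(("system.ini", "[boot] shell", shell, "shell line is not plain explorer.exe"))
    return findings


def check_registry(snapshot):
    """Findings for the Windows NT/2000/XP autostart values."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        hits = WORM_BINARIES & set(_executables(data))
        if hits:
            findings.append(("registry", RUN_KEY + "\\" + name, data,
                             "references " + ", ".join(sorted(hits))))
    # Winlogon\Shell normally holds just explorer.exe; anything else is a hijack.
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", LEGIT_SHELL)
    if _executables(shell) != [LEGIT_SHELL]:
        findings.append(("registry", WINLOGON_KEY + "\\Shell", shell, "logon shell replaced"))
    # The per-user ...\Windows\Run value is a legacy autostart that is normally unset.
    user_run = snapshot.get(USER_WINDOWS_KEY, {}).get("Run", "")
    if user_run.strip():
        findings.append(("registry", USER_WINDOWS_KEY + "\\Run", user_run,
                         "legacy per-user Run value set"))
    return findings


def scan(win_ini=WIN_INI, system_ini=SYSTEM_INI, registry=REGISTRY):
    """Run both checks over a snapshot; defaults are the constructed infected hosts."""
    return check_ini(win_ini, system_ini) + check_registry(registry)


if __name__ == "__main__":
    for source, entry, data, reason in scan():
        print(f"{source:10} {entry}: {data!r} ({reason})")
```

The shell checks deliberately do not look for the worm's file names: a logon shell that is anything other than explorer.exe is worth a finding regardless of what it was replaced with, which is why the Winlogon and system.ini tests compare against the expected value rather than against the indicator list.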
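The lure indicators above (sender, subject, attachment name and size) and the forged Return-Path that drives the backscatter attack can both be handled at the mail gateway. The following is an added example written for this page, not code from the worm or from any filtering product: it builds a constructed message in Dumaru's shape with Python's email package, extracts the indicators, and shows the disposition the last paragraph argues for, discarding quietly instead of notifying the address in Return-Path. The function names, the sample recipient address and the "MZ plus padding" stand-in attachment are assumptions of the example.

```python
"""Mail-gateway triage for the Dumaru lure and its forged Return-Path (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted on this page for the original lure.
LURE_SENDER_DOMAIN = "microsoft.com"
LURE_SUBJECT = "use this patch immediately !"   # compared case-insensitively
LURE_ATTACHMENT = "patch.exe"
LURE_ATTACHMENT_SIZE = 9216                      # bytes


def build_sample_message(sender=("Microsoft", "secutrity@microsoft.com"),
                         return_path="admin@duma.gov.ru",
                         subject="Use this patch immediately !",
                         filename="patch.exe", size=9216):
    """Constructed test message (not a real capture) in Dumaru's shape.

    The defaults reproduce the lure and the forged Return-Path; override
    them to get a benign message for comparison."""
    msg = EmailMessage()
    msg["Return-Path"] = f"<{return_path}>"
    msg["From"] = f'"{sender[0]}" <{sender[1]}>'
    msg["To"] = "victim@example.org"             # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Dear friend , use this Internet Explorer patch now!")
    # Stand-in payload: an MZ header padded out to the requested size.
    msg.add_attachment(b"MZ" + b"\x00" * (size - 2),
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def extract_indicators(raw):
    """Header and attachment facts a gateway rule needs, from raw RFC 5322 bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                # text attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        attachments.append((part.get_filename() or "", len(data)))
    return {"from_name": from_name, "from_addr": from_addr,
            "return_path": return_path, "subject": str(msg.get("Subject", "")),
            "attachments": attachments}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def is_dumaru_lure(ind):
    """True when the 9,216-byte patch.exe is paired with a social-engineering marker.

    Requiring the payload plus the subject or the spoofed sender domain keeps
    a stray file that merely happens to be called patch.exe from matching."""
    has_payload = any(name.lower() == LURE_ATTACHMENT and size == LURE_ATTACHMENT_SIZE
                      for name, size in ind["attachments"])
    subject = " ".join(ind["subject"].split()).lower()
    return has_payload and (subject == LURE_SUBJECT
                            or _domain(ind["from_addr"]) == LURE_SENDER_DOMAIN)


def envelope_mismatch(ind):
    """Return-Path domain differs from the From domain: the forged-header pattern."""
    return bool(ind["return_path"]) and _domain(ind["return_path"]) != _domain(ind["from_addr"])


def triage(raw):
    """Gateway decision. A detected worm is dropped with no notification at all:
    a bounce or "virus found" notice would go to the forged Return-Path, which
    is exactly the backscatter the worm counts on."""
    ind = extract_indicators(raw)
    if is_dumaru_lure(ind):
        return {"action": "discard", "notify": [],
                "suppressed_bounce_to": ind["return_path"]}
    return {"action": "deliver", "notify": [], "suppressed_bounce_to": None}


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The suppressed_bounce_to field is there to make the point visible in logs: it records where a naive "notify the sender" policy would have sent the alert, which for this worm is the Duma's mail server rather than anyone who sent the message.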