Description
Cleaning Utility Available: ClnDumaru.zip, a utility that cleans a local machine affected by Win32.Dumaru, is available for download.
This tool scans all active processes and all drives on the local machine. It then proceeds to restore registry settings modified by the worm. Certain files may be renamed by the cleaning utility. In addition, files may be "locked" by Windows and a reboot may be required to completely clean the system.
Please view the Removal Instructions for your CA Antivirus Solution (below) to ascertain whether you require the cleaning utility.
Warning: Before running ClnDumaru.com, please ensure that you carefully review the ReadMe.txt instruction file that accompanies this utility.
--------------------
Win32.Dumaru is an Internet worm that spreads via e-mail. It also infects EXE files storing the host file in an alternate NTFS stream, and drops an IRC bot trojan onto the affected system.
Method of Installation
When executed, Dumaru creates a global atom called Program12345, which it uses as an infection marker, and quits if the atom already exists. It then copies itself to:
%System%\load32.exe
%System%\vxdmgr32.exe
%Windows%\dllreg.exe
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
Dumaru sets the following registry values to ensure that the worm is run at each Windows restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32="%system%\load32.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "%Windows%\dllreg.exe"
The run entry in the [windows] section of WIN.INI is modified to start %windows%\dllreg.exe at startup:
[windows]
run=%windows%\dllreg.exe
The worm also modifies the shell entry in the [boot] section of SYSTEM.INI so that %system%\vxdmgr32.exe is started alongside Explorer:
[boot]
shell=explorer.exe %system%\vxdmgr32.exe
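The persistence points above (two registry autorun values, the WIN.INI run entry, the SYSTEM.INI shell entry, the dropped files and the Program12345 atom) are all cheap to check from a script. The following is an added example of such a host check; it is not CA's ClnDumaru utility. The indicator strings come from this description; the function names, the choice of %SystemRoot%\System32 as the default System folder, and the sample INI text used in the test are this example's own assumptions.

```python
"""Hunt for the Win32.Dumaru persistence artifacts listed in the description.

Added example; it is not CA's ClnDumaru utility. The indicator strings are the
description's; the helper names are this example's own.
"""
import os
import sys

# Autorun registry values the worm sets: (hive, subkey, value name, file it points at).
REGISTRY_INDICATORS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "load32", "load32.exe"),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "dllreg.exe"),
]
# Files the worm drops, by folder ("system" = %System%, "windows" = %Windows%).
DROPPED_FILES = [
    ("system", "load32.exe"), ("system", "vxdmgr32.exe"),
    ("windows", "dllreg.exe"), ("windows", "windrv.exe"), ("windows", "winload.log"),
]
ATOM_MARKER = "Program12345"   # global atom the worm uses as its infection marker


def parse_ini(text):
    """Tiny INI parser: {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def ini_indicators(win_ini_text, system_ini_text):
    """Findings for the [windows] run= and [boot] shell= changes the worm makes."""
    findings = []
    run = parse_ini(win_ini_text).get("windows", {}).get("run", "")
    if "dllreg.exe" in run.lower():
        findings.append("WIN.INI [windows] run=%s" % run)
    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    # A clean entry is just 'explorer.exe'; the worm appends its vxdmgr32.exe copy.
    if "vxdmgr32.exe" in shell.lower():
        findings.append("SYSTEM.INI [boot] shell=%s" % shell)
    return findings


def registry_indicators():
    """Read the two autorun values on a live Windows host (returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    findings = []
    for hive, subkey, name, marker in REGISTRY_INDICATORS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _ = winreg.QueryValueEx(key, name)
        except OSError:
            continue   # key or value absent: nothing to report
        if marker in str(data).lower():
            findings.append("%s\\%s\\%s=%s" % (hive, subkey, name, data))
    return findings


def dropped_file_indicators(windows_dir=None, system_dir=None):
    """Paths of the dropped files that exist. Folders default to the live %SystemRoot%
    and its System32 subfolder (assumption: an NT-family install)."""
    windows_dir = windows_dir or os.environ.get("SystemRoot", r"C:\Windows")
    system_dir = system_dir or os.path.join(windows_dir, "System32")
    folders = {"windows": windows_dir, "system": system_dir}
    return [os.path.join(folders[f], n) for f, n in DROPPED_FILES
            if os.path.isfile(os.path.join(folders[f], n))]


def atom_marker_present():
    """True if the worm's global atom exists in this session (Windows only)."""
    if sys.platform != "win32":
        return False
    import ctypes
    return ctypes.windll.kernel32.GlobalFindAtomW(ATOM_MARKER) != 0


if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    texts = []
    for name in ("win.ini", "system.ini"):
        path = os.path.join(windir, name)
        texts.append(open(path, errors="replace").read() if os.path.isfile(path) else "")
    report = ini_indicators(*texts) + registry_indicators() + dropped_file_indicators()
    if atom_marker_present():
        report.append("global atom %s present" % ATOM_MARKER)
    print("\n".join(report) or "no Dumaru indicators found")
```

The INI checks work on a copy of WIN.INI and SYSTEM.INI taken from any machine, so they can run on an analysis box; the registry and atom checks need to run on the suspect host itself. The atom only exists while the worm process is alive, so its absence proves nothing about the files and registry.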
Method of Distribution
Via Email
The worm harvests e-mail addresses to send itself to from files on the affected machine with the following extensions:
.htm
.wab
.html
.dbx
.tbb
.abd
These addresses are stored for the worm's use in:
%windows%\winload.log
The e-mail used by the worm has the following characteristics:
From:
"Microsoft" <security@microsoft.com>
Subject:
Use this patch immediately !
Body:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment:
patch.exe
Payload
Backdoor Functionality
The worm drops an IRC bot trojan as %windows%\windrv.exe. This trojan is detected as Win32.Bambo and is an IRC-controlled backdoor that can be used to gain unauthorized access to the victim's machine.
File Infection
On systems using the NTFS file system, Win32.Dumaru infects files using NTFS alternate data streams. It infects *.EXE files as a companion virus: it replaces the file with a copy of itself and saves the original as an alternate stream called ":STR". For example, when infecting a file called "CALC.EXE", the original host file is stored in "CALC.EXE:STR".
Warning: Due to bugs in the infection code, Dumaru sometimes replaces files without saving the original host. These files cannot be restored.
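Because the original host survives intact in the ":STR" stream, an infected EXE can be identified and its host recovered without running any code from the file. The script below is an added example of that recovery, not CA's ClnDumaru utility: it enumerates each EXE's streams with the Win32 FindFirstStreamW/FindNextStreamW API via ctypes, copies the ":STR" contents to a separate recovery folder, and leaves the infected file in place for quarantine. It only finds streams on Windows/NTFS; the function names are this example's own. An EXE whose host was never saved (the bug described above) has no ":STR" stream and is reported as not recoverable.

```python
"""Find *.exe files carrying a ':STR' alternate data stream and copy the saved host out.

Added example, not CA's ClnDumaru utility. Stream enumeration uses the Win32
FindFirstStreamW/FindNextStreamW API through ctypes, so it only returns results on
Windows/NTFS; the classification helper is plain Python.
"""
import ctypes
import os
import sys

STR_STREAM = ":STR:$DATA"   # how the enumeration API reports the worm's ':STR' stream


def is_companion_infected(stream_names):
    """True when an EXE's stream list shows the layout the description gives:
    the worm body in the main stream and the original host parked in ':STR'."""
    return any(name.upper() == STR_STREAM for name in stream_names)


def list_streams(path):
    """Names of all NTFS data streams of `path`, e.g. ['::$DATA', ':STR:$DATA'].
    Returns [] on non-Windows platforms or when the file cannot be opened."""
    if sys.platform != "win32":
        return []
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * 296)]   # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, ctypes.c_void_p(-1).value):               # NULL / INVALID_HANDLE_VALUE
        return []
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def recover_host(exe_path, out_dir):
    """Copy the original program out of '<exe>:STR' into out_dir and return the new path.
    The infected file is left untouched so it can be quarantined. Returns None when there
    is no ':STR' stream, the case the description says cannot be restored."""
    if not is_companion_infected(list_streams(exe_path)):
        return None
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, os.path.basename(exe_path))
    n = 1
    while os.path.exists(out_path):   # keep same-named hosts from different folders apart
        out_path = os.path.join(out_dir, "%d_%s" % (n, os.path.basename(exe_path)))
        n += 1
    # On Windows the C runtime passes 'file.exe:STR' to CreateFile, which opens the stream.
    with open(exe_path + ":STR", "rb") as src, open(out_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    return out_path


def scan_tree(root, out_dir):
    """Walk `root`; return {infected_exe: recovered_path} for every companion-infected EXE."""
    recovered = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                out = recover_host(path, out_dir)
                if out:
                    recovered[path] = out
    return recovered


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for infected, saved in scan_tree(root, "recovered_hosts").items():
        print("%s -> original host saved to %s" % (infected, saved))
```

Run it as `python dumaru_str.py C:\` on the suspect host. The recovered copies should be verified (for instance against a known-good installation or the vendor's file hashes) before they are put back in place of the infected files, and the infected files themselves should be removed with the vendor's cleaning utility rather than by this script.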
Analysis by Hamish O'Dea