Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 18 March 2005 20:54:58 (GMT) |
| Detected by | All Sophos products: Endpoint Security and Control 9.0; Small business solutions 4.0 |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Replace the Hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows NT/2000/XP/2003) from a backup, or edit it in Notepad to remove the changes that the Trojan has made.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = winldra.exe
and delete the load32 value if it exists.
Close the registry editor.
More Information
Troj/Dumaru-AT is a Trojan for the Windows platform that provides backdoor access to and control over the computer and sends confidential information to a remote location.
Once executed, Troj/Dumaru-AT copies itself to the Windows system folder with the filename winldra.exe and, in order to be run automatically when Windows starts up, sets the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = winldra.exe
Troj/Dumaru-AT also creates the following files in the Windows folder:
dvpd.dll
netdx.dat
prntsvra.dll
winsms.dll
and in the Windows Temp folder:
fe43e701.htm
where dvpd.dll, prntsvra.dll and winsms.dll are DLL components of the Trojan.
The file prntsvra.dll is a DLL component of Troj/Dumaru-AT which is injected into the Explorer process by the Troj/Dumaru-AT executable.
Troj/Dumaru-AT gathers clipboard data, window text, cached passwords and confidential information from the system registry, including data stored by WebMoney, Far Manager, the Total Commander FTP client and The Bat! email client.
The file dvpd.dll is used by Troj/Dumaru-AT to monitor the contents of web pages and to capture text within selected internet banking web pages. Troj/Dumaru-AT captures text within browser windows that are associated with any of the following strings:
'e-gold.com', 'intgold.com', 'emocorp.com', 'ameritrade.com', 'etrade.co',
'alliance-leicesterbusinessbanking.co', 'lloydstsb.co', '365online.co',
'natwest.co', 'bankofscotland.co', 'barclays.co', 'netmastergold.co', 'rbs.co',
'firstdirect.co', 'smile.co', 'hsbc.co', 'virginone.co', 'zurichbank.co',
'abbey.co', 'halifax.co', 'aeacu.com', 'uboc.com', 'enternetbank.com',
'plainscapital.com', 'jacksonstatebank.com' and 'citibank.com'.
Captured text is stored in a log file named dvp.log.
Troj/Dumaru-AT sends captured information to a remote location via email and, once this data has been sent, creates the registry entry:
HKCU\Software\SARS\mailsended = 1
Troj/Dumaru-AT modifies the Windows Hosts file in an attempt to prevent access to the anti-virus sites listed below, by mapping them to the loopback address 127.0.0.1:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
us.mcafee.com/root/
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
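The removal steps in the Action section and the Hosts-file redirects listed above can be checked and undone from PowerShell. The script below is an added example and is not part of the Sophos advisory. It assumes a Windows host with PowerShell running in an elevated (Administrator) session; the Run value, file names and hostnames are taken from this page, while the function and parameter names (Get-DumaruRunValue, Get-DumaruHostsLines, Get-DumaruFiles, -Remediate) are this example's own.

```powershell
# Added example, not part of the Sophos advisory: audit a Windows host for the
# Troj/Dumaru-AT indicators this page lists and, with -Remediate, undo them.
# The Run value, file names and hosts entries come from the advisory; the
# function and parameter names are this example's own.
[CmdletBinding()]
param([switch]$Remediate)

$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'load32'
$Hosts    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Files the Trojan drops (locations from the advisory)
$Dropped = @(
    (Join-Path $env:SystemRoot 'System32\winldra.exe'),
    (Join-Path $env:SystemRoot 'dvpd.dll'),
    (Join-Path $env:SystemRoot 'netdx.dat'),
    (Join-Path $env:SystemRoot 'prntsvra.dll'),
    (Join-Path $env:SystemRoot 'winsms.dll'),
    (Join-Path $env:SystemRoot 'Temp\fe43e701.htm')
)

# Anti-virus hostnames the Trojan maps to 127.0.0.1 (from the advisory;
# 'us.mcafee.com/root/' is left out because it is a URL path, not a hostname)
$Blocked = @(
    'avp.com','ca.com','customer.symantec.com','dispatch.mcafee.com',
    'download.mcafee.com','f-secure.com','kaspersky.com','liveupdate.symantec.com',
    'liveupdate.symantecliveupdate.com','mast.mcafee.com','mcafee.com','my-etrust.com',
    'nai.com','networkassociates.com','rads.mcafee.com','secure.nai.com',
    'securityresponse.symantec.com','sophos.com','symantec.com','trendmicro.com',
    'update.symantec.com','updates.symantec.com','us.mcafee.com','viruslist.com'
)
$Blocked += $Blocked | ForEach-Object { "www.$_" }   # the advisory also lists www. forms

function Get-DumaruRunValue {
    # Returns the load32 data if it launches winldra.exe, otherwise $null
    $p = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($p -and $p.$RunValue -match 'winldra\.exe') { return $p.$RunValue }
    return $null
}

function Get-DumaruHostsLines {
    # Returns the hosts lines that point a listed AV hostname at loopback
    if (-not (Test-Path -LiteralPath $Hosts)) { return @() }
    Get-Content -LiteralPath $Hosts | Where-Object {
        $entry = ($_ -split '#')[0].Trim()            # strip trailing comments
        if (-not $entry) { return $false }
        $fields = $entry -split '\s+'
        $names  = $fields | Select-Object -Skip 1
        $fields[0] -eq '127.0.0.1' -and
            @($names | Where-Object { $Blocked -contains $_.ToLower() }).Count -gt 0
    }
}

function Get-DumaruFiles {
    # Returns the dropped files that are present on disk
    $Dropped | Where-Object { Test-Path -LiteralPath $_ }
}

$run   = Get-DumaruRunValue
$lines = @(Get-DumaruHostsLines)
$files = @(Get-DumaruFiles)

if ($run) { Write-Warning "Run value $RunValue = $run" }
$lines | ForEach-Object { Write-Warning "hosts redirect: $_" }
$files | ForEach-Object { Write-Warning "dropped file present: $_" }
if (-not ($run -or $lines -or $files)) { Write-Output 'No Troj/Dumaru-AT indicators found.' }

if ($Remediate) {
    if ($run) {
        # Back up the Run key before deleting, as the advisory recommends
        reg export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' "$env:TEMP\Run-backup.reg" /y | Out-Null
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
    if ($lines) {
        # Keep a copy of the tampered hosts file, then drop only the offending lines
        Copy-Item -LiteralPath $Hosts -Destination "$Hosts.dumaru.bak" -Force
        (Get-Content -LiteralPath $Hosts) | Where-Object { $lines -notcontains $_ } |
            Set-Content -LiteralPath $Hosts -Encoding Ascii
    }
    foreach ($f in $files) {
        # prntsvra.dll is injected into Explorer, so deletion may fail until Explorer
        # is stopped or the machine is restarted; rerun after a reboot if so
        Remove-Item -LiteralPath $f -Force -ErrorAction Continue
    }
}
```

Run it without -Remediate first to see what would change; the -Remediate pass exports the Run key and copies the Hosts file before editing either. The page does not say the file list is exhaustive, so the advisory's generic Trojan-removal instructions still apply, as does changing any credentials that may have been captured.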
