Sophos

Troj/Dumaru-D

Aliases
  • TrojanSpy.Win32.Dumarin.E

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 26 October 2004 09:12:51 (GMT)
Detected by All Sophos products

More Information

Troj/Dumaru-D is a backdoor Trojan with keylogging functionality.

In order to run automatically when Windows starts up, the Trojan copies itself to the files netda.exe and netdc.exe in the Windows start folder and to netdb.exe in the current user's Start Menu folder. The Trojan also drops a DLL file, prntsvr.dll, in the Windows folder.

Troj/Dumaru-D chooses a random TCP port between 10000 and 60000 on which to run a SOCKS4 proxy server. The Trojan reports this port number to the author via an HTTP form submission on a preconfigured web server.

The Trojan also runs an FTP server on port 10000 and a TCP backdoor on port 1001. The FTP server provides read/write access to all local drives. The TCP backdoor allows a remote attacker to execute arbitrary commands and capture images from the screen or any available webcam.

Troj/Dumaru-D checks for windows containing phrases associated with electronic banking. On finding such a window, the Trojan records any keypresses entered into the window, keeping them in a text file. The contents of this file are then encrypted and submitted to the author by email.

In addition to keyboard logging, the Trojan also attempts to find usernames and passwords for email and FTP accounts by scanning configuration files and registry entries.

Troj/Dumaru-D adds entries to the Windows HOSTS file mapping the following domains to 127.0.0.1 in order to prevent access to them:

www.trendmicro.com
trendmicro.com
rads.mcafee.com
customer.symantec.com
liveupdate.symantec.com
us.mcafee.com
updates.symantec.com
update.symantec.com
www.nai.com
nai.com
secure.nai.com
dispatch.mcafee.com
download.mcafee.com
www.my-etrust.com
my-etrust.com
mast.mcafee.com
ca.com
www.ca.com
networkassociates.com
www.networkassociates.com
avp.com
www.kaspersky.com
www.avp.com
kaspersky.com
www.f-secure.com
f-secure.com
viruslist.com
www.viruslist.com
liveupdate.symantecliveupdate.com
mcafee.com
www.mcafee.com
sophos.com
www.sophos.com
symantec.com
securityresponse.symantec.com
www.symantec.com

The Trojan creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
load32 = "C:\Windows\System32\netda.exe"

HKCU\Software\SARS\
SocksPort = <port number>

HKCU\Software\SARS\
mailsended

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Zones\3\
1601 = 0

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "explorer.exe C:\Windows\System32\netdc.exe"
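The HOSTS-file tampering and the Winlogon Shell change described above are both easy to check for on a suspect machine. The following Python script is an added example written for this page (not Sophos code): it parses a HOSTS file, flags any of the anti-virus vendor domains listed above that have been pinned to a loopback address, and flags a Winlogon Shell value that launches anything besides explorer.exe. The sample HOSTS content is constructed, not captured from an infection.

```python
# Detection helpers for the Troj/Dumaru-D artifacts described on this page.

# Anti-virus vendor root domains taken from the HOSTS entries listed above;
# subdomains (www., liveupdate., rads., ...) are matched by suffix.
VENDOR_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com",
    "kaspersky.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS file (not from a real infection).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       intranet.example.test   # legitimate local override
10.0.0.5        fileserver.example.test
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:          # one IP may carry several names
            yield fields[0], host.lower()

def is_vendor_domain(host):
    """True if host is one of the listed vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def blocked_vendor_hosts(text):
    """Return (hostname, ip) pairs where a vendor domain is pinned to loopback."""
    return [(host, ip) for ip, host in parse_hosts(text)
            if ip in LOOPBACK and is_vendor_domain(host)]

def winlogon_shell_tampered(shell_value):
    """True when the Winlogon Shell value runs anything beyond explorer.exe.
    Handles both the space-separated form shown above and comma-separated lists."""
    parts = shell_value.replace(",", " ").split()
    return [p.lower() for p in parts] != ["explorer.exe"]

if __name__ == "__main__":
    for host, ip in blocked_vendor_hosts(SAMPLE_HOSTS):
        print(f"HOSTS pins {host} to {ip}")
    print(winlogon_shell_tampered(r"explorer.exe C:\Windows\System32\netdc.exe"))
```

On a live system, feed the script the contents of %SystemRoot%\System32\drivers\etc\hosts and the Shell value read from the Winlogon key shown above.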
