Sophos

W32/Dumaru-AK

Aliases
  • TrojanDropper.Win32.Mudrop.h
  • Worm.Win32.Plexus.a
  • W32.Explet.A@mm
  • I-Worm.Plexus.a

Summary

Affected operating systems Windows
Protection available since 3 June 2004 06:50:50 (GMT)
Last updated 26 August 2005 21:48:25 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Dumaru-AK consists of a dropper and a number of dropped files.

The dropper copies itself to the filename UPU.EXE in the Windows system folder. The dropper also drops the files SETUPEX.EXE to the same folder and SVCHOST.EXE to the Windows folder, running them both.

The dropper may display one of the following fake error messages:

CRC checksum failed.
Pace method not implemented.
Could not initialize installation. File size expected=26523, size returned=26344
File is corrupted.

SETUPEX.EXE runs as a service process, copying itself to SWCHOST.EXE and SVOHOST.EXE in the Windows system folder. It sets the following registry entry so as to run the SWCHOST.EXE copy on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

SETUPEX.EXE sets an entry in the BOOT section of SYSTEM.INI with the key name SHELL in order to run the SWCHOST.EXE copy on system startup.

SETUPEX.EXE copies itself as SVCHOST.EXE to the folder found in the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

and writes loopback entries to the HOSTS file, pinning the hostnames of various anti-virus websites to 127.0.0.1 so that update and download requests never leave the machine.
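Checking a HOSTS file for this kind of tampering is a routine triage step. The following is an added example, not code from the original Sophos page: it parses HOSTS text, flags every hostname pinned to a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) other than the usual localhost names, and reports the address it was pinned to. The sample file content is constructed for illustration; the hostnames use the reserved .example TLD and are not the domains the worm actually blocks (the page does not list them).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS file (not from the original page). The first two
# entries are the normal localhost lines; the rest mimic the loopback
# sinkholing described for SETUPEX.EXE. Hostnames are placeholders under the
# reserved .example TLD, not the real anti-virus domains the worm targets.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 updates.antivirus.example
127.0.0.1 liveupdate.antivirus.example   # appended by dropper
0.0.0.0   downloads.antivirus.example
192.0.2.10 intranet.corp.example
"""

# Names that legitimately resolve to loopback and must not be reported.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines.
    A line may list several hostnames after one address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def is_sinkhole_address(addr: str) -> bool:
    """True for addresses that make a name unreachable from this host:
    loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed address, not our concern here
        return False
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_names(text: str) -> Dict[str, str]:
    """Map each suspicious hostname to the address it has been pinned to."""
    return {
        name: addr
        for addr, name in parse_hosts(text)
        if is_sinkhole_address(addr) and name not in BENIGN_LOOPBACK_NAMES
    }


if __name__ == "__main__":
    # On a live Windows host read %SystemRoot%\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for name, addr in sorted(find_sinkholed_names(SAMPLE_HOSTS).items()):
        print(f"{name} -> {addr}")
```

Any hit here is worth a second look even outside this worm: a HOSTS file on an end-user machine should almost never map a vendor's update hostname to loopback, and the same check catches the 0.0.0.0 variant that some samples use instead of 127.0.0.1.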

SETUPEX.EXE sets the following registry entries:

HKCU\Software\SARS\SocksPort
HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 3
HKCU\Software\Microsoft\Internet Explorer\Main\AllowWindowReuse = 0

SETUPEX.EXE logs keystrokes and window titles to a file in the Windows folder called PRNTK.LOG and logs information about certain files to RUNDLLN.SYS in the Windows folder.

SETUPEX.EXE drops PRNTSVR.DLL in the Windows folder. PRNTSVR.DLL is a backdoor program detected by Sophos Anti-Virus as Troj/Dumaru-B.

The SVCHOST.EXE file dropped by the dropper is an email and network share worm which also spreads by exploiting the RPC DCOM vulnerability (MS03-026) and the LSASS vulnerability (MS04-011). Both were patched before this worm appeared; hosts still exploitable are missing those updates.

The email sent by the worm to email addresses harvested from files with the extensions PHP, TXT, TBB, HTML and HTM has characteristics chosen from the following lists.

Subject line :

RE: order
For you
Hi, Mike
Good offer.
RE:

Message text :

Hi.
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)

Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza

My friend gave me this account generator for http://www.pantyola.com I wanna
share it with you :)
And please do not distribute it. It's private.

Greets! I offer you full base of accounts with passwords of mail server
yahoo.com. Here is archive with small part of it . You can see that all
information is real. If you want to b uy full base, please reply me...

Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve

Attached file :

release.exe
demo.exe
AGen1.03.exe
AtlantI.exe
SecUNCE.exe

The worm copies itself into the KaZaA transfer folder and available shared folders with the following filenames:

AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe

The worm adds the following registry entry so that it is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvClipRsv

The worm also modifies the HOSTS file in an attempt to prevent anti-virus updates.

The worm listens on port 1250 for incoming connections which may contain updated copies of the worm or other files to install on the infected computer.
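The persistence points and the listener described above (the load32 and NvClipRsv Run values, the SYSTEM.INI [boot] shell= line, the SVCHOST.EXE copy in the Startup folder, and TCP port 1250) can be swept in one pass. The following is an added example, not code from the original Sophos page or a Sophos tool: it takes snapshots of those four sources and returns a list of findings. The indicator names and the port come from the description above; the snapshot inputs (a Run-key dictionary, SYSTEM.INI text, a Startup folder listing and `netstat -an` style output) are constructed for illustration, and on a live host you would fill them from the registry, the file system and netstat respectively.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the description above: autorun value names, dropped
# file names and the listener port. All sample inputs further down are
# constructed for illustration, not captures from an infected machine.
RUN_VALUE_NAMES = {"load32", "nvcliprsv"}
DROPPED_NAMES = {"upu.exe", "setupex.exe", "swchost.exe", "svohost.exe",
                 "prntsvr.dll", "prntk.log", "rundlln.sys"}
BACKDOOR_PORT = 1250


@dataclass(frozen=True)
class Finding:
    source: str   # which persistence point or artefact produced the hit
    detail: str


def check_run_keys(run_values: Dict[str, str]) -> List[Finding]:
    """run_values maps value name -> command, as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, cmd in run_values.items():
        if name.lower() in RUN_VALUE_NAMES:
            hits.append(Finding("Run key", f"{name} = {cmd}"))
        elif any(d in cmd.lower() for d in DROPPED_NAMES):
            hits.append(Finding("Run key", f"{name} launches a dropped file: {cmd}"))
    return hits


def check_system_ini(text: str) -> List[Finding]:
    """Flag a shell= entry in the [boot] section that is not plain Explorer.exe.
    Windows 9x/Me honour this line; NT-based Windows ignores it, but the page
    records the dropper writing it, so it still serves as an indicator."""
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an INI comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            if value.strip().lower() != "explorer.exe":
                return [Finding("SYSTEM.INI [boot] shell", value.strip())]
    return []


def check_startup_folder(entries: List[str]) -> List[Finding]:
    """entries: file names in the folder named by the Shell Folders\\Startup
    registry value. A copy of svchost.exe there is the indicator: the genuine
    binary lives only in the System32 folder and is started as a service."""
    return [Finding("Startup folder", e) for e in entries
            if e.lower() == "svchost.exe" or e.lower() in DROPPED_NAMES]


_NETSTAT = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_listeners(netstat_output: str) -> List[Finding]:
    """Parse `netstat -an` style lines and flag a TCP listener on port 1250.
    The port alone is a weak indicator; confirm with the file and registry hits."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            hits.append(Finding("Listener", f"{m.group(1)}:{m.group(2)}"))
    return hits


def triage(run_values, system_ini, startup_entries, netstat_output) -> List[Finding]:
    return (check_run_keys(run_values) + check_system_ini(system_ini)
            + check_startup_folder(startup_entries) + check_listeners(netstat_output))


# Constructed sample snapshots (not real captures).
SAMPLE_RUN = {
    "SecurityHealth": r"C:\Program Files\Vendor\health.exe",
    "load32": r"C:\WINDOWS\system32\SWCHOST.EXE",
    "NvClipRsv": r"C:\WINDOWS\svchost.exe",
}
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\system32\\SWCHOST.EXE
[386Enh]
woafont=dosapp.fon
"""
SAMPLE_STARTUP = ["desktop.ini", "svchost.exe"]
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
  TCP    192.0.2.7:1250         198.51.100.4:80        ESTABLISHED
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN, SAMPLE_SYSTEM_INI, SAMPLE_STARTUP, SAMPLE_NETSTAT):
        print(f"[{f.source}] {f.detail}")
```

The value names and file names are specific to this family, but the shape of the check is general: the Run key, the [boot] shell line and the Startup folder are the three autostart locations this dropper uses, and each is compared against what a clean machine would hold rather than against a signature of the binary itself.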
