Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 26 April 2005 04:00:10 (GMT) |
| Last updated | 3 June 2005 20:00:44 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
More Information
Troj/Dumaru-BE is a password stealing Trojan for the Windows platform.
When run, the Trojan drops the files dvpd.dll, prntsvra.dll and winsms.dll to the Windows folder and moves itself to the Windows system folder as winldra.exe. Sophos's anti-virus products detect prntsvra.dll as Troj/Dumaru-BD while all remaining files are detected as Troj/Dumaru-BE.
The Trojan remains memory resident by hooking into the explorer process. Troj/Dumaru-BE monitors the text of active windows for the following strings (a list of bank and webmail-related keywords and domain fragments):
The Trojan logs keypresses and sends the captured information to a remote user as an HTTP POST web form.
Troj/Dumaru-BE appends the following data to the HOSTS file (typically located in <Windows system folder>\Drivers\ETC\HOSTS) in an attempt to block access to certain websites:
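As an added example (not part of the Sophos analysis), the following Python script shows how a defender can check a Windows HOSTS file for the kind of tampering described above: entries that sinkhole security-vendor domains to the loopback address. The sample HOSTS content and the `ads.example.net` entry are constructed; the vendor-domain list is a subset of the domains the Trojan writes and is an assumption you should extend for your own environment.

```python
import os
import sys
from typing import Dict, List, Tuple

# Addresses that effectively block a name when used as a HOSTS target.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback and must not be flagged.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Security-vendor domains whose blocking is a classic sign of AV evasion
# (assumption: a subset of what Troj/Dumaru-BE writes; extend as needed).
VENDOR_SUFFIXES = ("sophos.com", "symantec.com", "symantecliveupdate.com",
                   "mcafee.com", "nai.com", "networkassociates.com",
                   "kaspersky.com", "avp.com", "viruslist.com", "f-secure.com",
                   "trendmicro.com", "ca.com", "my-etrust.com")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every entry, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((line_no, addr, name.lower()))
    return entries


def is_vendor_domain(name: str) -> bool:
    """Match on the host part only; the Trojan writes malformed names like 'host/root/'."""
    host = name.split("/", 1)[0]
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_sinkholed(text: str) -> List[Dict]:
    """Flag every non-localhost name that the HOSTS file points at a sinkhole address."""
    return [{"line": n, "name": name, "vendor": is_vendor_domain(name)}
            for n, addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and name not in EXPECTED_LOOPBACK]


# Constructed sample: a clean localhost line, three Trojan-style entries, one benign ad block.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com/root/
0.0.0.0 ads.example.net   # constructed: user ad-block entry, not a vendor
"""

if __name__ == "__main__":
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for hit in find_sinkholed(fh.read()):
            tag = "VENDOR-BLOCK" if hit["vendor"] else "sinkholed"
            print(f"line {hit['line']}: {hit['name']} [{tag}]")
```

Run it with no arguments on the affected machine to scan the live HOSTS file, or pass a path to a copy taken during incident response.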
