Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | May 2006 (4.05) |
| Protection available since | 8 March 2006 03:47:19 (GMT) |
| Last updated | 17 March 2006 11:10:36 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Dumaru-BZ is a Trojan with password-stealing capabilities.
When first run, Troj/Dumaru-BZ copies itself to the Windows System folder as winldra.exe and creates the following registry entry so that it is run at user logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe
The following files may also be created:
<Windows>\dvpd.dll
<Windows>\sendlogs_dat
<Windows>\dvp.log
<Windows>\prntk.log
<Windows>\prntc.log
<Windows>\netdx.dat
<Temp>\fe43e701.htm
The files sendlogs_dat, dvp.log, prntk.log, prntc.log, netdx.dat and fe43e701.htm are non-malicious and may be safely deleted.
dvpd.dll is also detected by Sophos as Troj/Dumaru-BZ.
Troj/Dumaru-BZ captures clipboard data, window text, cached passwords and confidential information from the protected storage area of Windows.
The Trojan has the ability to log keystrokes.
The Trojan also attempts to steal confidential information related to E-Gold, WebMoney, Total Commander and Far Manager account details as well as TCP/IP Interface settings, Internet Account Manager POP3 user names/passwords and Windows user names.
The Trojan creates the following registry entry:
HKCU\Software\SARS
SocksPort
<random hexadecimal port number>
The Trojan then listens on this port as a backdoor, awaiting commands from a remote user.
The Trojan also changes the settings of Internet Explorer and Windows Explorer by creating the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main
AllowWindowReuse
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Append Completion
yes
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
AutoSuggest
yes
Troj/Dumaru-BZ also appends the following mappings to the HOSTS file so that anti-virus and security related websites resolve to the loopback address and cannot be reached:
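As an added triage check (not Sophos' code and not part of the original advisory), the following Python parses a HOSTS file and flags hostnames mapped to loopback, separating security-vendor names from other sinkholed names and from malformed entries that carry a URL path, which a resolver can never match. The sample HOSTS content and the VENDOR_HINTS list are constructed assumptions.

```python
"""Added triage helper: flag HOSTS entries that sinkhole hostnames to loopback,
the technique Troj/Dumaru-BZ uses to block anti-virus update sites."""
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}  # normal on Windows
# Substrings identifying security-vendor domains (assumed list; extend as needed).
VENDOR_HINTS = ("sophos", "symantec", "mcafee", "kaspersky", "f-secure",
                "trendmicro", "nai.com", "ca.com", "etrust", "viruslist")

# Constructed sample: stock header, one internal host, then loopback mappings
# in the style the advisory describes (including one with a URL path).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # internal server
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 intranet.corp.example
127.0.0.1 us.mcafee.com/root/
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def triage_hosts(text: str) -> Dict[str, List[str]]:
    """Bucket loopback mappings into vendor sites, other names and malformed entries."""
    result: Dict[str, List[str]] = {"vendor": [], "other": [], "malformed": []}
    for addr, name in parse_hosts(text):
        if addr not in LOOPBACK or name in LEGIT_LOOPBACK:
            continue
        if "/" in name:
            # A path never matches a hostname lookup, so the entry is inert,
            # but it is still evidence that the file was tampered with.
            result["malformed"].append(name)
        elif any(hint in name for hint in VENDOR_HINTS):
            result["vendor"].append(name)
        else:
            result["other"].append(name)
    return result
```

Run triage_hosts over the contents of %SystemRoot%\System32\drivers\etc\hosts on a suspect machine; a non-empty "vendor" bucket on a workstation that should never sinkhole update sites is a strong tampering indicator.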
The Trojan then injects the dropped DLL helper component dvpd.dll into the Windows Explorer process and starts logging keystrokes when Internet Explorer is started.
The logged keystrokes are stored in the file prntk.log in the Windows folder. This file is then submitted as a web form to a website pre-configured by the attacker.
Once this data has been sent, the Trojan sets the following registry entry:
HKCU\Software\SARS
mailsended
<number>
