{"id":570846,"date":"2022-07-13T17:21:39","date_gmt":"2022-07-13T17:21:39","guid":{"rendered":"http:\/\/yorunoteiou.com\/?p=570846"},"modified":"2022-07-13T17:21:39","modified_gmt":"2022-07-13T17:21:39","slug":"dumaru-removal-tool-2022","status":"publish","type":"post","link":"http:\/\/yorunoteiou.com\/?p=570846","title":{"rendered":"Dumaru Removal Tool 2022"},"content":{"rendered":"

Dumaru Removal Tool is a lightweight application that can completely erase the Win32.Dumaru worm in all its variants.
\nWin32.Dumaru.A@mm arrives as a fake email from Microsoft:
\nFrom: “Microsoft” security@microsoft.com
\nSubject: Use this patch immediately !
\nBody:
\nDear friend , use this Internet Explorer patch now!
\nThere are dangerous virus in the Internet now!
\nMore than 500.000 already infected!
\nAttachment: patch.exe
\nWhen executed, the virus will do the following:
\nCopy itself as:
\n%SYSTEM%\load32.exe
\n%WINDOWS%\dllreg.exe
\n%SYSTEM%\vxdmgr32.exe
\nDrops and executes a backdoor component
\n%WINDOWS%\windrv.exe (8192 bytes)
\nwhich connects to a IRC server and joins a password protected channel, sends a login notice and waits for the author to issue commands.
\nCreates the value
\n“load32″=”%SYSTEM%\load32.exe”
\nin the registry key
\n[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
\nOn Windows 9x\/Me systems, it does the following:
\nuses RegisterServiceProcess to hide its presence;
\nmodifies system.ini by adding the entry in the [Boot] section:
\nshell=explorer.exe %System%\vxdmgr32.exe
\nmodifies win.ini by adding the following entry in the [Windows] section:
\nrun=C:\WINDOWS\dllreg.exe
\nHarvests e-mail addresses from files matching
\n*.htm
\n*.wab
\n*.html
\n*.dbx
\n*.tbb
\n*.abd
\nand stores them in %WINDOWS%\winload.log file.
\nIt uses it’s own SMTP engine and sends itself to the e-mails harvested in winload.log file (see above for the infected e-mail format).
\nIt searches for *.exe files belonging to several antivirus\/security products and attempts to overwrite them with copies of the virus.
\nWin32.Dumaru.B\/C@mm is a mass mailer that has backdoor abilities (listens on TCP ports 1001, 2283, 10000) and also comes with a keylogger.
\nAttempts to terminate processes belonging to several security and antivirus programs.
\nOn NTFS partitions, it may overwrite .exe files with copies of the virus.
\nIt spreads using this format:
\nFrom:
\nsecurity@microsoft.com
\nSubject:
\nUse this patch immediately !
\nBody:
\nDear friend , use this Internet Explorer patch now!
\nThere are dangerous virus in the Internet now!
\nMore than 500.000 already infected!
\nAttachment:
\npatch.exe
\nOnce run, the virus does the following:
\n1. Creates the aforementioned files and registry keys\/entries.
\n2. Attempts to terminate processes:
\nZAUINST.EXE
\nZAPRO.EXE
\nZONEALARM.EXE
\nZATUTOR.EXE
\nMINILOG.EXE
\nVSMON.EXE
\nLOCKDOWN.EXE
\nANTS.EXE
\nFAST.EXE
\nGUARD.EXE
\nTC.EXE
\nSPYXX.EXE
\nPVIEW95.EXE
\nREGEDIT.EXE
\nDRWATSON.EXE
\nSYSEDIT.EXE
\nNSCHED32.EXE
\nMOOLIVE.EXE
\nTCA.EXE
\nTCM.EXE
\nTDS-3.EXE
\nSS3EDIT.EXE
\nUPDATE.EXE
\nATCON.EXE
\nATUPDATER.EXE
\nATWATCH.EXE W
\nGFE95.EXE
\nPOPROXY.EXE
\nNPROTECT.EXE
\nVSSTAT.EXE
\nVSHWIN32.EXE
\nNDD32.EXE
\nMCAGENT.EXE
\nMCUPDATE.EXE
\nWATCHDOG.EXE
\nTAUMON.EXE
\nIAMAPP.EXE
\nIAMSERV.EXE
\nLOCKDOWN2000.EXE
\nSPHINX.EXE
\nWEBSCANX.EXE
\nVSECOMR.EXE
\nPCCIOMON.EXE
\nICLOAD95.EXE
\nICMON.EXE
\nICSUPP95.EXE
\nICLOADNT.EXE
\nICSUPPNT.EXE
\nFRW.EXE
\nBLACKICE.EXE
\nBLACKD.EXE
\nWRCTRL.EXE
\nWRADMIN.EXE
\nWRCTRL.EXE
\nPCFWALLICON.EXE
\nAPLICA32.EXE
\nCFIADMIN.EXE
\nCFIAUDIT.EXE
\nCFINET32.EXE
\nCFINET.EXE
\nTDS2-98.EXE
\nTDS2-NT.EXE
\nSAFEWEB.EXE
\nNVARCH16.EXE
\nMSSMMC32.EXE
\nPERSFW.EXE
\nVSMAIN.EXE
\nLUALL.EXE
\nLUCOMSERVER.EXE
\nAVSYNMGR.EXE
\nDEFWATCH.EXE
\nRTVSCN95.EXE
\nVPC42.EXE
\nVPTRAY.EXE
\nPAVPROXY.EXE
\nAPVXDWIN.EXE
\nAGENTSVR.EXE
\nNETSTAT.EXE
\nMGUI.EXE
\nMSCONFIG.EXE
\nNMAIN.EXE
\nNISUM.EXE
\nNISSERV.EXE
\n3. On Windows 9x\/Me systems, alters win.ini and system.ini in order to run at startup.
\n[windows]
\nrun=%WINDOWS%\dllreg.exe
\n[boot]
\nshell=explorer.exe %SYSTEM%\vxdmgr32.exe
\n4. Harvests e-mail addresses by searching inside:
\n.htm
\n.wab
\n.html
\n.dbx
\n.tbb
\n.abd
\nand attempts to send itself using the e-mail format described above, using it’s own SMTP engine and the default SMTP address.
\n5. Attempts to infect .exe files on NTFS partitions, but due to a bug in the search, it will only infect .exe file on the root of drives.
\n6. Connects to an IRC server, and joins a channel, listens on ports 1001, 10000 (TCP) for commands from an attacker. Also, port 2283 (TCP) is used as a send through (like a proxy).
\n7. Captures and logs the clippboard to %WINDOWS%\rundllx.sys
\n8. Captures and logs keystrokes (but also program name) to %WINDOWS%\vxdload.log
\n9. Attempts to connect to a ftp server and upload a .eml file that contains passwords and other informations.
\nWin32.Dumaru.Y@mm is a worm that comes by mail in the following message:
\nFrom: “Elene”
\nSubject: Important information for you. Read it immediately !
\nBody:
\nHi !
\nHere is my photo, that you asked for yesterday.
\nAttachment: MYPHOTO.JPG .EXE
\nThe worm copies itself to Windows System folder with names L32X.EXE and VXD32V.EXE and in the StartUp folder with the name DLLXW.EXE, adds the registry key:
\nHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE
\nAlso it adds to the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):
\nShell = %SYSTEMDIR%\vxd32.exe
\nA keylogger and clipboard monitor is also installed, and the worm listens for commands on port 2283 and opens a FTP server on port 10000.
\nThe mass-mailing component collects e-mail addresses from files with extensions .htm, .wab, .html, .dbx, .tbb, .abd and sends e-mails using its own sending engine.<\/p>\n

<\/p>\n

 <\/p>\n