Dumaru
Type: Mass-mailer worm
Creator: not listed
Date discovered: 2003.08.16
Place of origin: Russia
Source language: C++
Platform: MS Windows
File type(s): exe
Reported costs: $3.8 billion

Dumaru is a mass-mailing worm that installs a remote-control and keylogging trojan. By forging the sender address on the mail it sends, it turns virus notifications and bounces into a flood against the mail servers of the Duma, the Russian parliament. It is believed by some to have caused billions of dollars in damage.

Behavior

The worm arrives in an email that urges the recipient to open an attachment. The From line shows the name "Microsoft" with the address secutrity@microsoft.com. The subject line is "Use this patch immediately !". The message body reads "Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!" The attachment is named patch.exe and is 9,216 bytes long.

When executed, the worm copies itself as dllreg.exe into the Windows folder and as load32.exe and vxdmgr32.exe into the Windows system folder. It also drops windrv.exe into the Windows folder; this file is the trojan Narod.A, which is both a keylogger and a remote-control backdoor. When run, the trojan connects to an IRC server and joins a channel to wait for commands from its operator. The worm then creates the file winload.log, in which it stores the email addresses it harvests.

Dumaru adds the value "load32 = (Windows directory)\load32.exe" to the local-machine Run key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run), which causes the worm to run whenever the system starts. On Windows NT/2000/XP only, it adds the value "run = C:\WINNT\dllreg.exe" to the current-user Windows key (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, the registry counterpart of the win.ini run= line) and sets one of "Shell = (Windows directory)\dllreg.exe", "Shell = (System directory)\load32.exe" or "Shell = (System directory)\Vxdmgr32.exe" in the local-machine Winlogon key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon), which controls what is launched at log-on. On Windows 95/98/ME only, it modifies the [windows] section of win.ini (adds "run=(Windows directory)\dllreg.exe") and the [boot] section of system.ini (adds "shell=explorer.exe (System directory)\vxdmgr32.exe"). In every case the tell-tale is the same: a shell value that is anything other than explorer.exe alone, or a run= line that is not empty.
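The persistence points above are easy to audit because the clean values are known: on Windows 9x/ME the [boot] shell= line of system.ini is exactly explorer.exe and the [windows] run= and load= lines of win.ini are empty; on NT-based systems the same shell value lives in the Winlogon "Shell" registry value. The following Python is an added example, not code from this page or from any antivirus vendor. It parses constructed copies of a tampered system.ini and win.ini (the file contents are made up to match the description above) and reports every program appended to the shell line or placed in run=/load=; the same shell_extras() check can be applied to the Winlogon Shell string read from the registry.

```python
# Added example: audit the Windows 9x/ME ini persistence points that Dumaru
# modifies. The ini contents are constructed samples, not real files.
import configparser

# Constructed sample of a tampered system.ini: the worm's loader is appended
# to the shell line, so the real shell (explorer.exe) still starts.
SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe
"""

# Constructed sample of a tampered win.ini: run= should normally be empty.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\dllreg.exe
"""

EXPECTED_SHELL = "explorer.exe"


def parse_ini(text):
    """Parse ini text, keeping key case and tolerating duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def shell_extras(shell_value):
    """Return every program in a shell= value beyond the expected explorer.exe.

    Works for system.ini [boot] shell= on 9x/ME and for the Winlogon "Shell"
    registry value on NT-based systems, which Dumaru sets the same way.
    Paths containing spaces would need quoting; that case is not handled here.
    """
    tokens = shell_value.strip().split()
    if not tokens:
        return []
    if tokens[0].lower() == EXPECTED_SHELL:
        return tokens[1:]
    return tokens  # the shell itself was replaced, report all of it


def check_ini_persistence(system_ini_text, win_ini_text):
    """Return (location, program) findings for the persistence points Dumaru uses."""
    findings = []
    sysini = parse_ini(system_ini_text)
    for extra in shell_extras(sysini.get("boot", "shell", fallback="")):
        findings.append(("system.ini [boot] shell", extra))
    winini = parse_ini(win_ini_text)
    for key in ("run", "load"):  # both lines auto-start programs; both should be empty
        value = winini.get("windows", key, fallback="").strip()
        if value:
            findings.append((f"win.ini [windows] {key}", value))
    return findings


if __name__ == "__main__":
    for location, program in check_ini_persistence(SYSTEM_INI, WIN_INI):
        print(f"{location}: {program}")
```

On a live 9x/ME system the two files are read from the Windows directory; on NT the Winlogon Shell value is passed to shell_extras() directly. Any finding is a program the worm (or anything else) has wired into the log-on path.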

Dumaru then harvests email addresses from files on the system with the extensions .htm, .wab, .html, .dbx, .tbb and .abd (web pages, the Windows Address Book, Outlook Express mail stores, and The Bat! mail and address-book files), and uses its own SMTP engine to mail itself to them.

The worm also contains a file-infecting component that infects Portable Executable files in the root directory of drive C: (the top of the drive, not inside any folder). It was written to infect all executables, but a bug in its code restricts it to the root directory.

Dumaru takes advantage of hair-trigger notifications in many antivirus and filtering products. Rather than recognizing the infected email as a mass-mailing worm and discarding it silently, many popular security products of the time sent a notification to the sender, the recipient and/or the system administrator. Dumaru forges the envelope sender so that the Return-Path reads admin@duma.gov.ru; every "your message contained a virus" notice and every bounce of an undeliverable copy is therefore directed at the mail servers of the Russian legislature, a backscatter denial of service assembled from the defenders' own alerts. The practical rule that follows: the sender address on a message identified as a mass-mailer is never trustworthy, so such messages must be dropped without notifying anyone named in them.
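The decision a mail gateway has to make at this point is the one the paragraph above describes: once a message is recognized as a mass-mailer, no address taken from it is a safe place to send a notice. The Python below is an added example, not code from this page or from any product. It parses a constructed Dumaru-style message (headers and attachment are made up to match the description on this page, with a Return-Path header as a receiving MTA would record it from the forged SMTP envelope), extracts the lure indicators, lists the addresses a hair-trigger filter would have mailed, and returns the bounce-safe decision instead, noting that the envelope domain does not even match the From domain.

```python
# Added example: bounce-safe handling of a Dumaru-style message. The raw
# message is a constructed sample, not a real capture.
import email
from email import policy
from email.utils import parseaddr

# Constructed sample. Return-Path is what the receiving MTA records from the
# forged SMTP envelope sender; From, Subject and the attachment follow the
# page's description of the worm's email.
RAW_MESSAGE = (
    "Return-Path: <admin@duma.gov.ru>\r\n"
    "Received: from mail.example.invalid (constructed sample)\r\n"
    'From: "Microsoft" <secutrity@microsoft.com>\r\n'
    "To: victim@example.com\r\n"
    "Subject: Use this patch immediately !\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="sample-boundary"\r\n'
    "\r\n"
    "--sample-boundary\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Dear friend , use this Internet Explorer patch now!\r\n"
    "--sample-boundary\r\n"
    'Content-Type: application/octet-stream; name="patch.exe"\r\n'
    'Content-Disposition: attachment; filename="patch.exe"\r\n'
    "\r\n"
    "MZ(placeholder bytes, not a real executable)\r\n"
    "--sample-boundary--\r\n"
)

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def lure_indicators(msg):
    """Indicators matching the Dumaru lure as described on the page."""
    hits = []
    subject = (msg["Subject"] or "").lower()
    if "use this patch immediately" in subject:
        hits.append("subject: patch lure")
    if address_domain(msg["From"]) == "microsoft.com":
        # Microsoft does not distribute patches as email attachments.
        hits.append("from: claims to be Microsoft")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(f"attachment: executable {name}")
    return hits


def naive_notification_targets(raw):
    """Addresses a hair-trigger filter would alert: this is the backscatter."""
    msg = parse_message(raw)
    targets = []
    for header in ("Return-Path", "From", "To"):
        _, addr = parseaddr(msg[header] or "")
        if addr:
            targets.append(addr)
    return targets


def gateway_decision(raw):
    """Bounce-safe decision: discard recognized mass-mailers and notify nobody
    named in the message, because the envelope sender is attacker-chosen."""
    msg = parse_message(raw)
    hits = lure_indicators(msg)
    rp_domain = address_domain(msg["Return-Path"])
    from_domain = address_domain(msg["From"])
    return {
        "verdict": "discard" if hits else "deliver",
        "indicators": hits,
        "return_path_domain": rp_domain,
        "from_domain": from_domain,
        "envelope_matches_from": rp_domain == from_domain,
        # Only a local log entry is produced; no mail goes to any address
        # taken from the message.
        "notify": [],
    }


if __name__ == "__main__":
    print("naive filter would mail:", naive_notification_targets(RAW_MESSAGE))
    print("bounce-safe decision:", gateway_decision(RAW_MESSAGE))
```

The envelope/From mismatch is reported for the log, not used as the reason to stay silent: even a message whose Return-Path matched its From line would still be mailing a forged address, since the worm chooses both.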

Variants

Dumaru.J entices users to open the attachment with the promise of a photo of the sender. The file is an executable, but its name ends in ".exe" only after a long run of spaces following a ".jpg", so the part of the name a user sees looks like a picture.
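The padding trick is mechanical, so it can be caught mechanically: whatever the user reads before the run of spaces is not the extension the operating system will act on. The Python below is an added example, not from this page; analyze_filename() takes an attachment name, separates the real extension from the visible one, measures the padding and returns a verdict. It goes slightly beyond the variant described above in that it also catches the unpadded double-extension form (photo.jpg.exe) and treats any Unicode whitespace, not just ASCII spaces, as padding. The file names in the demo are constructed.

```python
# Added example: detect attachment names whose visible extension is not the
# extension Windows will act on. Sample names are constructed.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def analyze_filename(name):
    """Classify an attachment name as allow / review / block.

    Windows decides by the text after the last dot, so that is the real
    extension. The decoy is whatever extension precedes the run of padding
    (str.rstrip removes any Unicode whitespace, not just ASCII spaces).
    """
    head, dot, ext = name.rpartition(".")
    real_ext = ext.lower() if dot else ""
    visible = head.rstrip()
    padding = len(head) - len(visible)
    shown_ext = visible.rpartition(".")[2].lower() if "." in visible else ""
    is_executable = real_ext in EXECUTABLE_EXTS
    if is_executable and shown_ext in DECOY_EXTS:
        verdict = "block"    # looks like a picture/document, runs as a program
    elif is_executable:
        verdict = "review"   # honest executable; local policy decides
    else:
        verdict = "allow"
    return {
        "name": name,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "padding": padding,
        "verdict": verdict,
    }


def scan_attachment_names(names):
    """Return the analyses of only those names that should be blocked."""
    return [r for r in (analyze_filename(n) for n in names) if r["verdict"] == "block"]


if __name__ == "__main__":
    samples = [
        "holiday.jpg" + " " * 64 + ".exe",   # Dumaru.J style: padded decoy
        "holiday.jpg.exe",                   # plain double extension
        "patch.exe",                         # Dumaru.A attachment name
        "notes.txt",
    ]
    for result in (analyze_filename(n) for n in samples):
        print(result["verdict"], result["real_ext"], result["shown_ext"], result["padding"])
```

The padding count is kept in the result because a large value is itself a strong signal even when the decoy extension is not in the short DECOY_EXTS list.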

Some variants carried a keylogger, Srv.SSA-KeyLogger, that ran inside Internet Explorer. It watches for window titles containing words such as "bank", "casino", "eBay", "login" and "PayPal", then records the usernames and passwords typed into them. The keylogger also blocks access to certain antivirus and security websites.

Name

Dumaru most likely takes its name from the target of its flood, the Russian Duma's mail server at admin@duma.gov.ru. Although duma.gov.ru is the Duma's domain name, the "gov" was left out, probably because "Duma" and "ru" are more distinctive than "gov", which appears in government domains around the world.

Other Facts

Coincidentally, Dumaru shares its name with an ill-fated ship. Shortly before the end of World War I, lightning struck the munitions cargo ship Dumaru off the coast of Guam and its cargo exploded. Most of the crew reached the Philippines safely in lifeboats, but one boat was overcrowded and its supplies ran out quickly. Some of its crew died of dehydration, others went mad and killed themselves, and in desperation some ate the bodies of dead crewmates.

Sources

Green Apple News, 2003.09.16.

Kara Hull. "U. Attempting to Block Dumaru Virus", Bowling Green State University News, 2003.08.28.

Graeme Wearden. "Dumaru Worm Comes Sniffing Again", ZDNet News, 2004.01.26.

Mary Landesman. "Dumaru Pretends to Patch", About.com Antivirus, 2003.08.25.

Yana Liu. "W32.Dumaru@mm", Symantec.com.

Ronald C. Bautista. "PE_DUMARU.A Technical Details", Trend Micro.

Symantec Security Response. "W32.Dumaru@mm".

Thomas Claburn. "Identity-Theft Keylogger Identified", InformationWeek, 2005.08.11. http://www.informationweek.com/showArticle.jhtml;jsessionid=AD500HIONYZXSQSNDLPCKH0CJUNN2JVN?articleID=168600805&queryText=dumaru

Dumaru (ship)
