Beware of emails with the following information

[Guest guest]

Sender: " Microsoft " <security@...>

Recipient: <s.rainbolt@...>

Subject: Use this patch immediately !

I just got this and my Norton’s found it infected with:

W32.Dumaru@mm

Discovered on: August 16, 2003

Last Updated on: December 15,

2003 02:26:29 PM

W32.Dumaru@mm

is a mass-mailing worm that drops an IRC Trojan onto an infected machine.

The worm gathers email addresses from certain file types and uses its own

SMTP engine to email itself.

The

email has the following characteristics:

From: " Microsoft "

<security@...>

Subject: Use this patch

immediately !

Message:

Dear friend , use this Internet Explorer patch now!

There are dangerous virus in the Internet now!

More than 500.000 already infected!

Attachment: patch.exe

The worm will also infect the exe files on NTFS partitions.

This threat is compressed with UPX.

Symantec Security Response has created a tool

to remove W32.Dumarumm (DOT)

Also

Known As:

PE_DUMARU.A [Trend], Win32.Dumaru [Computer

Associates], W32/Dumaru@MM [McAfee], W32/Dumaru-A [sophos], I-Worm.Dumaru

[Kaspersky]

Type:

Worm

Infection

Length:

9,216 bytes

Systems

Affected:

Windows 2000, Windows 95, Windows 98, Windows Me,

Windows NT, Windows XP

Systems

Not Affected:

Linux, Macintosh, OS/2, UNIX

· Virus

Definitions (Intelligent Updater) *

August 18, 2003

· Virus

Definitions (LiveUpdate™) **

August 18, 2003

*

Intelligent Updater definitions are released

daily, but require manual download and installation.

Click here

to download manually.

**

LiveUpdate virus definitions are usually

released every Wednesday.

Click here

for instructions on using LiveUpdate.

Wild:

Number

of infections: More than 1000

Number

of sites: More than 10

Geographical

distribution: Low

Threat

containment: Easy

Removal:

Moderate

Threat

Metrics

Wild:

Medium

Damage:

Medium

Distribution:

High

Damage

Payload:

Drops an IRC Trojan into the infected machine.

Large

scale e-mailing: Sends itself to all the email addresses it finds

in the .htm, .wab, .html, .dbx, .tbb, .abd files.

Modifies

files: win.ini, system.ini

Distribution

Subject

of email: Use this patch immediately !

Name

of attachment: patch.exe

Size

of attachment: 9,216 bytes

Target

of infection: The exe files in the root directory of all the

drives.

When W32.Dumaru@mm is executed, it does the following:

Copies itself as the

following:

%Windir%\dllreg.exe

%System%\load32.exe

%System%\vxdmgr32.exe

NOTES:

%Windir% is a variable.

The worm locates the Windows installation folder (by default, this is

C:\Windows or C:\Winnt) and copies itself to that location.

%System% is a variable.

The worm locates the System folder and copies itself to that

location. By default, this is C:\Windows\System (Windows 95/98/Me),

C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows

XP).

Creates %Windir%\windrv.exe

(8,192 bytes), which is an IRC Trojan. When run, it connects to a

predefined IRC server and joins a specific channel to listen for

commands from the worm's creator.

Creates

%Windir%\winload.log, which is a log file. The worm uses this file to

store the stolen email addresses.

NOTE: This file is not

viral by itself, and therefore, Symantec antivirus products do not

detect this file. Manually delete it if your system is infected with

this worm.

Adds the value:

" load32 " =

" %Windir%\load32.exe "

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Adds the value (Windows

NT/2000/XP only):

" Run " =

" C:\%Windir%\dllreg.exe "

to the registry key:

HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\

Windows

Adds one of the values

(Windows NT/2000/XP only):

" Shell " =

" C:\%Windir%\dllreg.exe "

" Shell " =

" C:\%System%\load32.exe "

" Shell " =

" C:\%System%\Vxdmgr32.exe "

to the registry key:

HKEY_Local_Machine\Software\Microsoft\WindowsNT\CurrentVersion\

Winlogon

Modifies the windows

section of the win.ini file (Windows 95/98/Me only):

[windows]

run=%Windir%\dllreg.exe

Modifies the boot section

of system.ini file (Windows 95/98/Me only):

[boot]

shell=explorer.exe %System%\vxdmgr32.exe

Retrieves email addresses

from the files with the following extensions:

..htm

..wab

..html

..dbx

..tbb

..abd

Uses its own SMTP engine to

email itself.

The email has the following characteristics:

From:

" Microsoft " <security@...>

Subject: Use this patch

immediately !

Message:

Dear friend , use this Internet Explorer patch now!

There are dangerous virus in the Internet now!

More than 500.000 already infected!

Attachment: patch.exe

Infects the exe files on

NTFS partitions in the following way:

Copies the original file to the stream, <original filename>:STR.

Overwrites the original filename with the worm.

NOTE: Explorer will be

unable to display the original file, as it is contained within a

stream.

The worm attempts to infect

all the exe files on drives C-Z; however, due to bugs in the code, it

will only infect files in the root directory of all drives C-Z.

Symantec Gateway Security

On August 18, 2003, Symantec released an update for Symantec Gateway

Security 1.0.

Symantec Host IDS

On August 19, 2003, Symantec released an update for Symantec Host IDS 4.1.

Intruder Alert

On August 19, 2003, Symantec released Intruder

Alert 3.6 W32_Dumaru_Worm Policy.

Symantec ManHunt

Security

Update 7 has been released to provide signatures that are specific to

W32.Dumarumm (DOT)

Symantec Client Security

On August 20, 2003, Symantec released IDS signatures via LiveUpdate to

detect W32.Dumaru@mm activity.

Norton Internet Security / Norton

Internet Security Professional

On August 20, 2003, Symantec released IDS signatures via LiveUpdate to

detect W32.Dumaru@mm activity.

Symantec

Security Response encourages all users and administrators to adhere to the

following basic security " best practices " :

Turn off and remove

unneeded services. By default, many operating systems install

auxiliary services that are not critical, such as an FTP server,

telnet, and a Web server. These services are avenues of attack. If

they are removed, blended threats have less avenues of attack and you

have fewer services to maintain through patch updates.

If a blended

threat exploits one or more network services, disable, or block

access to, those services until a patch is applied.

Always keep your patch

levels up-to-date, especially on computers that host public services

and are accessible through the firewall, such as HTTP, FTP, mail, and

DNS services.

Enforce a password policy.

Complex passwords make it difficult to crack password files on

compromised computers. This helps to prevent or limit damage when a

computer is compromised.

Configure your email server

to block or remove email that contains file attachments that are

commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and

..scr files.

Isolate infected computers

quickly to prevent further compromising your organization. Perform a

forensic analysis and restore the computers using trusted media.

Train employees not to open

attachments unless they are expecting them. Also, do not execute

software that is downloaded from the Internet unless it has been

scanned for viruses. Simply visiting a compromised Web site can cause

infection if certain browser vulnerabilities are not patched.

Removal using the W32.Dumaru@mm Removal

Tool

Symantec Security Response has developed a removal

tool to clean the infections of W32.Dumarumm (DOT) This is the easiest way

to remove this threat and should be tried first. To obtain the

W32.Dumaru@mm removal tool, read the document, " W32.Dumaru

Removal Tool. "

Manual Removal

As an alternative to using the removal tool, you can manually remove this

threat. The following instructions pertain to all current and recent

Symantec antivirus products, including the Symantec AntiVirus and Norton

AntiVirus product lines.

Disable System Restore

(Windows Me/XP).

Update the virus

definitions.

Run a full system scan and

delete all the files detected as W32.Dumaru@mm or IRC Trojan. Restore

all the exe files in the root directory of all drives C-Z from Backup

copies.

Delete the value that was

added to the registry.

Remove the lines that the

worm added to the Win.ini or System.ini files (Windows 95/98/Me).

For specific details on each of these steps, read the

following instructions.

1. Disabling System Restore (Windows

Me/XP)

If you are running Windows Me or Windows XP, we recommend that you

temporarily turn off System Restore. Windows Me/XP uses this feature, which

is enabled by default, to restore the files on your computer in case they

become damaged. If a virus, worm, or Trojan infects a computer, System

Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from

modifying System Restore. Therefore, antivirus programs or tools cannot

remove threats in the System Restore folder. As a result, System Restore

has the potential of restoring an infected file on your computer, even

after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even

though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows

documentation, or one of the following articles:

" How

to disable or enable Windows Me System Restore "

" How

to turn off or turn on Windows XP System Restore "

For additional information, and an alternative to disabling Windows Me

System Restore, see the Microsoft Knowledge Base article, " Antivirus

Tools Cannot Clean Infected Files in the _Restore Folder, " Article ID: Q263455.

2. Updating the virus definitions

Symantec Security Response fully tests all the virus definitions for

quality assurance before they are posted to our servers. There are two ways

to obtain the most recent virus definitions:

Running LiveUpdate, which

is the easiest way to obtain virus definitions: These virus

definitions are posted to the LiveUpdate servers once each week

(usually on Wednesdays), unless there is a major virus outbreak. To determine

whether definitions for this threat are available by LiveUpdate, refer

to the Virus

Definitions (LiveUpdate).

Downloading the definitions

using the Intelligent Updater: The Intelligent Updater virus

definitions are posted on U.S. business days (Monday

through Friday). You should download the definitions from the Symantec

Security Response Web site and manually install them. To determine

whether definitions for this threat are available by the Intelligent

Updater, refer to the Virus

Definitions (Intelligent Updater).

The Intelligent

Updater virus definitions are available:

Read " How

to update virus definition files using the Intelligent Updater "

for detailed instructions.

3. Scanning for and deleting the infected

files

Start your Symantec

antivirus program and make sure that it is configured to scan all the

files.

For Norton AntiVirus consumer products:

Read the document, " How

to configure Norton AntiVirus to scan all files. "

For Symantec AntiVirus Enterprise products:

Read the document, " How

to verify that a Symantec Corporate antivirus product is set to scan

all files. "

Run a full system scan.

If any files are detected

as infected with W32.Dumaru@mm or IRC Trojan, click Delete.

For all exe files in the

root directory of all drives that are deleted, restore these files

from backup copies.

4. Deleting the value from the registry

CAUTION: Symantec strongly

recommends that you back up the registry before making any changes to it.

Incorrect changes to the registry can result in permanent data loss or

corrupted files. Modify the specified keys only. Read the document, " How

to make a backup of the Windows registry, " for instructions.

Click Start, and then click

Run. (The Run dialog box appears.)

Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete

the value:

" load32 " = " %Windir%\load32.exe "

Exit the Registry Editor.

5. Removing the lines added to the

Win.ini or System.ini files (Windows 95/98/Me only)

If you are running Windows 95/98/Me, follow these steps:

The function you perform depends on your operating system:

Windows

95/98:

Click Start, and then

click Run.

Type the following, and

then click OK.

edit c:\windows\win.ini

(The MS-DOS Editor opens.)

NOTE: If Windows is

installed in a different location, make the appropriate path

substitution.

In the [windows]

section of the file, look for a line similar to:

run=%Windir%\dllreg.exe

If this line exists,

delete everything to the right of run=

When you are done, it should look like: run=

Click File, and then

click Save.

Click File, and then

click Exit.

Click Start, and then

click Run.

Type the following, and

then click OK.

edit c:\windows\system.ini

(The MS-DOS Editor opens.)

NOTE: If Windows is

installed in a different location, make the appropriate path

substitution.

In the [boot]

section of the file, look for a line similar to:

shell = explorer.exe

%Windir%\vxdmgr32.exe

If this line exists,

delete everything to the right of explorer.exe.

When you are done, it should look like:

shell = explorer.exe

Click File, and then

click Save.

Click File, and then

click Exit.

Windows

Me: If you are running Windows Me, the

Windows Me file-protection process may have made a backup copy of the

Win.ini or system.ini files that you need to edit. If the backup

copies exist, they will be in the C:\Windows\Recent folder. Symantec

recommends that you delete the backup files before continuing with

the steps in this section. To do this:

Start Windows Explorer.

Browse to and select the

C:\Windows\Recent folder.

In the right pane, select

the Win.ini file and delete it. The Win.ini file will be regenerated

when you restart your computer.

In the right pane, select

the System.ini file and delete it. The System.ini file will be

regenerated when you restart your computer.

Revision History:

December 15, 2003:

Downgraded to a Category 2 based on a decreased rate of submissions.

August 20, 2003:

Added information about

SCS IDS signature availability.

Added information about

NIS/NIS Pro IDS signature availability.

Added alias information.

Added reference to file

infection routine.

August 19, 2003: Added

information about Symantec ManHunt and Symantec Intruder Alert

updates.

Write-up

by: Yana Liu

Rainbolt