The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!


Alerts October 2003


Top 10 malware reported to Sophos in October 2003

Position  Last month  Malware          Percentage of reports
1         1           W32/Gibe-F       22.7%
2         2           W32/Dumaru-A     13.6%
3         3           W32/Mimail-A     12.4%
4         4           W32/Sobig-F       9.0%
5         8           W32/Klez-H        4.4%
6         5           W32/Nachi-A       4.3%
7         8           W32/Blaster-A     2.4%
8         New         Troj/CoreFloo-C   2.1%
9         7           W32/Bugbear-B     1.6%
10        Re-entry    W32/Rox-A         1.0%
Others                                 26.5%


This section is for technical experts who want to know more.

W32/Dumaru-A is a virus that spreads by email and infects other executables using NTFS alternate data streams.

The virus arrives in an email message with the following characteristics:

Sender: "Microsoft" <security@microsoft.com>

Subject line: Use this patch immediately !

Message text: Dear friend, use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attached file: patch.exe

When the attachment is run W32/Dumaru-A copies itself into the Windows folder as dllreg.exe and into the Windows system folder as load32.exe and vxdmgr32.exe.

W32/Dumaru-A drops and runs <Windows>\windrv.exe. Windrv.exe is a backdoor Trojan detected by Sophos Anti-Virus as Troj/Narod-B.

The virus creates the registry value load32 of the registry key

\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the virus file <Windows system>\load32.exe is run on Windows startup.

W32/Dumaru-A also changes the system files system.ini and win.ini. The shell entry of the boot section in system.ini is changed so that it contains a reference to the virus file vxdmgr32.exe in the Windows system folder.

The virus creates a run entry in the windows section of win.ini to reference the virus file dllreg.exe in the Windows folder.

W32/Dumaru-A has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB.

On systems with NTFS the virus attempts to infect all PE executable files by replacing each original file with a copy of itself and saving the original file in an alternate data stream named STR.

Note: This IDE file also contains detection for Troj/Narod-B.
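The persistence changes described above (the load32 Run value, the shell entry in system.ini, the run entry in win.ini and the STR stream) are easy to check for on a suspect machine. The script below is an added example, not Sophos or The Computer Guys code: it takes the text of system.ini, win.ini and a registry export of the Run key and reports which of the indicators from the write-up are present. The file names, value name and stream name are the ones given above; the INI and .reg text at the bottom is constructed sample data so the script can be dry-run offline, and the stream check only does real work on Windows.

```python
"""Host-triage checks for the W32/Dumaru-A persistence indicators listed above.
Added example (not Sophos or The Computer Guys code). File names, the load32
value and the STR stream name come from the write-up; the INI and .reg text at
the bottom is constructed sample data, not captured from a real machine."""
import configparser
import ntpath
import os
import re

# File names the virus drops, as given in the write-up.
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "load32"   # registry value the virus creates under RUN_KEY
ADS_NAME = "STR"       # stream in which an infected PE file keeps the original


def _parse_ini(text):
    """Parse system.ini / win.ini style text (keys are case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _names_virus_file(value):
    """True if any whitespace-separated path in value ends in a dropped file."""
    names = {ntpath.basename(tok.strip('"')).lower() for tok in value.split()}
    return bool(names & DUMARU_FILES)


def check_system_ini(text):
    """The virus rewrites [boot] shell= so vxdmgr32.exe loads with the shell."""
    shell = _parse_ini(text).get("boot", "shell", fallback="")
    return [f"system.ini [boot] shell={shell}"] if _names_virus_file(shell) else []


def check_win_ini(text):
    """The virus adds a [windows] run= entry pointing at dllreg.exe."""
    run = _parse_ini(text).get("windows", "run", fallback="")
    return [f"win.ini [windows] run={run}"] if _names_virus_file(run) else []


def check_reg_export(text):
    """Scan a .reg export (regedit /e output) for the load32 Run value."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            continue
        if current and current.lower() == RUN_KEY.lower():
            val = re.match(r'^"([^"]+)"="(.*)"$', line)
            if val:
                # .reg files double every backslash inside string data
                name, data = val.group(1), val.group(2).replace("\\\\", "\\")
                if name.lower() == RUN_VALUE or _names_virus_file(data):
                    findings.append(f"Run value {name}={data}")
    return findings


def ads_stream_path(pe_path):
    """Path of the stream in which the original executable is parked."""
    return f"{pe_path}:{ADS_NAME}"


def original_in_stream(pe_path):
    """On Windows/NTFS, report whether <pe_path>:STR exists; False elsewhere."""
    return os.name == "nt" and os.path.exists(ads_stream_path(pe_path))


def scan(system_ini, win_ini, reg_export):
    """Return every persistence finding for the three text inputs."""
    return (check_system_ini(system_ini) + check_win_ini(win_ini)
            + check_reg_export(reg_export))


# Constructed samples resembling an infected host.
INFECTED_SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\WINDOWS\system32\vxdmgr32.exe
[drivers]
wave=mmdrv.dll
"""
INFECTED_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\dllreg.exe
[Extensions]
txt=notepad.exe ^.txt
"""
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\system32\\load32.exe"
"""
# Constructed samples for a clean host.
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_REG = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"

if __name__ == "__main__":
    for finding in scan(INFECTED_SYSTEM_INI, INFECTED_WIN_INI, INFECTED_REG):
        print("FOUND:", finding)
```

On a real machine you would feed the script the contents of the two INI files from the Windows folder and the output of exporting the Run key with regedit; a file that was replaced on NTFS can be recognised by the presence of its :STR stream, which is also where the original executable is recovered from.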


Copyright © 1998 The Computer Guys
