|Type||Mass mailer worm|
|Place of Origin||Russia|
|Infection Length||9,276 bytes|
|Reported Costs||$3.8 billion|
Dumaru is a mass mailer worm that installs a remote control and keylogger trojan. This worm attacks the mail servers of the Duma, the Russian Parliament. It is believed by some to have caused billions in damage. It appeared half a month after Mimail, another very destructive Russian-made worm.
The worm arrives in an email encouraging users to open an attachment. The sender line will say "Microsoft" with the email address firstname.lastname@example.org. The subject line says "Use this patch immediately !". The message body says "Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!" The attachment is named patch.exe and is 9,216 bytes long.
When executed, the worm copies itself as dllreg.exe into the Windows folder, load32.exe and vxdmgr32.exe to the Windows system folder. The worm drops a windrv.exe into the Windows folder, which is the trojan, Narod.A, that is both a keylogger and a remote controller. When run, it connects to an IRC server and joins a channel to listen for commands from the worm's creator. It then creates the file winload.log, which stores email addresses.
Dumaru adds the value "load32 = (Windows Directory)\load32.exe" the local machine registry key that causes the worm to run whenever the system starts. In Windows NT/2000/XP only, it adds the value "Run = C:\WINNT\dllreg.exe" to the current user registry key and the worm's choice of "Shell = C:\(Windows Directory)\dllreg.exe", "Shell = C:\(System directory)\load32.exe" or "Shell = C:\(System directory)\Vxdmgr32.exe" to the local machine registry key dealing with log-ons. In Windows 95/98/ME only, it modifies the windows section of the win.ini file (adds "run=(Windows directory\dllreg.exe") and the boot section of the system.ini file (adds "shell=explorer.exe (System directory)\vxdmgr32.exe").
Dumaru then retrieves email addresses from files on the system with the following extensions: .htm, .wab, .html, .dbx, .tbb and .abd, then uses its own SMTP engine to mail itself.
The worm contains a viral component that infects Portable Executable files on the root directory (the "top" of drive C:, not inside any folders). It intends to infect all executables, but a bug in its code restricts it to the root directory.
Dumaru takes advantage of hair-trigger alert notifications in many antivirus and filtering products. Rather than recognizing the infected email as a mass-mailing worm and simply discarding it, many popular security solutions send notifications to the sender, recipient, and/or system administrator. Dumaru falsifies the header information contained in the email, directing the Return-Path to email@example.com, launching a DoS attack on the mail servers of the Russian legislature.
Dumaru had enough variants to go through the alphabet once. Some variants have icons that make them appear as a .jpg file.
Dumaru.J entices users to open the attachment with promises of a photo of the sender. The file is actually an exe file, though the .exe is hidden with a large number of spaces to make it look like a .jpg extension.
Some variants contained a Keylogger, Srv.SSA-KeyLogger, that ran in Internet Explorer. It detects window titles including "bank," "casino," "eBay," "login," and "PayPal", then collects usernames and passwords. The keylogger also blocks access to certain antivirus and security websites.
Dumaru likely gets its name from the fact that it launches an attack on the mail servers of the Russian Duma, firstname.lastname@example.org. While duma.gov.ru is the domain name of the Duma, the "gov" was omitted, probably because "Duma" and "ru" stand out more than "gov", which is used for government domains around the world.
Coincidentally, Dumaru shares its name with that of an ill-fated ship. Shortly before the end of World War I, a bolt of lightning hit the munitions cargo ship Dumaru off the coast of Guam, causing its cargo to explode. While most of the crew made it safely to the Philippines on their lifeboats, one lifeboat was overcrowded, causing supplies to run out very quickly. Some of the crew died of dehydration, while others went mad and committed suicide. As they became really desperate, some of the crew ate the bodies of dead crew members.
Green Apple News 2003.09.16
Kara Hull. "U. Attempting to Block Dumaru Virus", Bowling Green State University News. 2003.08.28
Graeme Wearden. "Dumaru Worm Comes Sniffing Again", ZDNet News 2004.01.26
Mary Landesman. Antivirus, About.com "Dumaru Pretends to Patch". 2003.08.25
Yana Liu. Symantec.com "W32.Dumaru@mm"
Ronald C. Bautista. Trend Micro, "PE_DUMARU.A Technical Details"
Thomas Claburn. InformationWeek, Identity-Theft Keylogger Identified. 2005.08.11