
Trojan.Dumaru detected by scanners, but not by S&D!



Dumaru revulsion
2006-12-19, 22:33
I have kept the definitions up-to-date, and this seems to be an old virus.
Yesterday boot scanning found:
Trojan.Dumaru [Spyware Doctor]
Backdoor.Nibu [Symantec]
Troj/Dumaru [Sophos]
Backdoor.Dumador [Kaspersky]
Threat Level: High
Author: Smash and SARS
Advice: Toss
Spybot S&D: Full system scan found only 3 local_machine\software\microsoft\Security Center Firewall & Antivirus\ setting changes.
All product ignores are off.
How can I get S&D to find & toss this well known old trojan?:eek:

tashi
2006-12-20, 15:24
Hello.

If Spybot-S&D does not detect an item please send the zipped file to: detections(AT)spybot.info (Replace AT with @) :)

Dumaru revulsion
2006-12-20, 19:01
Thank you for responding so quickly.
. Can you please clarify "an item please send the zipped file"
. According to Spyware Doctor & Symantec descriptions of it, there appear to be dozens of 'things' that Trojan.Dumaru makes and does: registry entries, file modifications, emails, etc. Can you be more specific about 'the item'?
. Also, I receive 'zip'ped files all the time from Microsoft Update, and I know how to get winXPh to 'compress' a folder & its contents (?same as Zipped?), but I'm still not sure what you want me to provide, and I'm not sure if I can actually attach a compressed folder of files to an email.
D.R.
PS: Despite being logged in (it shows "Logged in as Dumaru revulsion" up to the right of this entry panel), when I click [Preview Post] below, it says "You are not logged in or you do not have permission to access this page.", and I'm afraid the site will discard my reply.
PPS: re-logged in -> re-edit for this line ok

md usa spybot fan
2006-12-20, 19:36

. Can you please clarify "an item please send the zipped file"
. According to Spyware Doctor & Symantec descriptions of it, there appear to be dozens of 'things' that Trojan.Dumaru makes and does: registry entries, file modifications, emails, etc. Can you be more specific about 'the item'?

It would probably be helpful if you listed the actual objects that were identified by the various scans (registry entries, file modifications, emails, etc.) so that someone can make an informed decision as to what may be required to add this detection to Spybot-S&D.

Dumaru revulsion
2006-12-21, 17:10
. I'm not certain what you mean by 'objects', but the following are why I think my system is infected, and there are a lot of sites describing system files & values either used or manipulated by Trojan.Dumaru.
. I hope this isn't just junk for you to dig thru.
Content:
. antivirus.about.com: Dumaru
. Norton: Dumaru => W32.Dumaru@mm
. Spyware Doctor: Dumaru, CaiShow
. Spy Sweeper : Venusseek
I noticed that one Dx scan identified it more specifically (accurately??) as "W32/Dumaru-E", another I can't reproduce as "Dumaru-B". (see http://www.sophos.com/virusinfo/analyses/w32dumarue.html)
I don't remember seeing, but was also warned of the following by
. _____________________________ . antivirus.about.com
Antivirus Software: Dumaru Worm Pretends to Patch
Aug 25 2003
Mass-mailer with backdoor component
The Dumaru worm arrives in an email pretending to be a security patch from Microsoft. In reality, it is a mass-mailing email worm that installs a backdoor component onto infected systems.
The Dumaru worm's email arrives as follows:
From: Microsoft
Subject: Use this patch immediately !
Body of the email:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe
The Dumaru takes advantage of hair-trigger alert notifications in many antivirus and filtering products. Rather than recognizing the infected email as a mass-mailing worm and simply discarding it, many popular security solutions send notifications to the sender, recipient, and/or system administrator. Dumaru falsifies the header information contained in the email, directing the Return-Path as follows:
Return-Path: <admin@duma.gov.ru>
. _____________________________ . Spyware Doctor
Infection Risk Location
Trojan.Dumaru High C:\PROGRAM FILES\Common Files\Real\WeatherBug\MiniBugTransporter.dll
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Control
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Control##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##ThreadingModel
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Programmable
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Programmable##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Control
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Control##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##ThreadingModel
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Programmable
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Programmable##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version##
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID##
Instrs:
Name W32/Dumaru-E
Type · Worm
Protection available since 29 September 2003 02:29:46 (GMT)
Detected by All versions of Sophos Anti-Virus
Included in our products from November 2003 (3.75)
. ____________________________________ . ; These were also not found by Spybot:
"Sweep with Spy Sweeper" to Windows Explorer
Name Venusseek (eros) Unique Code NYT32 Type Adware Severity Very High
Description : Venusseek (eros) is an adware program that may display advertisements on your system.
Characteristics: Venusseek (eros) may display advertisements on your computer.
Method of Infection: Venusseek (eros) generally propagates itself using dialog boxes, various social engineering methods, or through scripting errors. Usually adware and BHOs are bundled with various free software programs.
Consequences: This program can display advertisements. It may also cause slowing of your Web browser and system performance issues.
. ____________________________________ .
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}##
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}##
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel
. ____________________________________ .
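An added example, not part of the thread: a small Python parser for the Spyware Doctor listing quoted above, which collapses the dozens of per-key rows into the distinct objects md usa spybot fan asked for (the DLL path and the CLSIDs registered for it). It assumes the `##` separator marks a registry value name under the preceding key (bare `##` being the default value) and folds the HKLM\Software\Classes rows into their HKCR alias; the embedded sample is a constructed subset of the rows posted in this thread.

```python
import re

# Constructed sample: a subset of the Spyware Doctor rows quoted in the thread.
SAMPLE_REPORT = r"""
Infection Risk Location
Trojan.Dumaru High C:\PROGRAM FILES\Common Files\Real\WeatherBug\MiniBugTransporter.dll
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##
Trojan.Dumaru High HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##ThreadingModel
Trojan.Dumaru High HKLM\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32##
Caishow Elev HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel
Caishow Elev HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")      # name, risk, location (may contain spaces)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
ROOTS = {"HKCR", "HKLM", "HKCU", "HKU", "HKCC"}


def normalise_key(path):
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so both spellings of the same class key are collapsed into one object.
    return re.sub(r"^HKLM\\Software\\Classes\\", r"HKCR\\", path, flags=re.I)


def parse_report(text):
    """Group report rows by detection name into files, CLSIDs and registry values."""
    objects = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) == "Infection":      # skip blank lines and the header row
            continue
        name, risk, location = m.groups()
        entry = objects.setdefault(
            name, {"risk": risk, "files": set(), "clsids": set(), "values": set()})
        # Assumption: "key##value" names a registry value under key; bare "##" is the default value.
        key, sep, value = location.partition("##")
        if key.split("\\", 1)[0].upper() not in ROOTS:
            entry["files"].add(key)                 # not a hive root, so it is a file path
            continue
        key = normalise_key(key)
        if guid := GUID_RE.search(key):
            entry["clsids"].add(guid.group(0).upper())
        if sep:
            entry["values"].add((key, value or "(Default)"))
    return objects


if __name__ == "__main__":
    for name, obj in parse_report(SAMPLE_REPORT).items():
        print(name, obj["risk"], sorted(obj["files"]), sorted(obj["clsids"]), len(obj["values"]), "values")
```

Run over the full listing from the post, the same code reduces the 58 Trojan.Dumaru rows to one file and one CLSID, which is the list of objects worth sending to the detections address.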