Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity MEDIUM
Payload Keylogger
Detection files published 10 Aug 2005 03:00:00
Description created 11 Aug 2005 06:23:00
Description updated 11 Aug 2005 06:23:00
Malware type KEYLOGGER
Alias Dumador.DG, Win32.Bambo, W32/Dumador.AG@bd, W32/Dumador.J-bdr, BKDR_DUMADOR.AX, Backdoor.Nibu
Spreading mechanism OTHER
Summary None

Dumador.IK

Spreading

When run, Dumador.IK copies itself to the following location:
%WINDIR%\SYSTEM\winldra.exe
The backdoor also drops the following files during execution:
%WINDIR%\netdx.dat
%WINDIR%\dvpd.dll
%WINDIR%\TEMP\fe43e701.htm
Dumador.IK then creates a registry Run value so that the dropped copy is started automatically with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = C:\WINDOWS\SYSTEM\winldra.exe
The backdoor may also modify the following registry keys/values during execution (SharedAccess is the Windows Firewall/Internet Connection Sharing service, so changing its Start value affects whether the firewall service is started):
HKCU\Software\SARS
HKLM\System\CurrentControlSet\Services\SharedAccess\Start
HKCU\Software\Microsoft\Internet Explorer\Main\SocksPort
HKCU\Software\Microsoft\Internet Explorer\Main\AllowWindowReuse

Payload Details

Dumador.IK attempts to send captured keystrokes and other sensitive information back to the attacker. The backdoor specifically targets the Windows clipboard and the Protected Storage area of the registry, which holds Internet Explorer auto-complete data (including saved form entries and passwords). Dumador.IK also attempts to steal information from browser windows whose titles contain any of the following strings (the list is case-sensitive, which is why many entries appear in both lowercase and capitalised form):
gold, Storm, e-metal, Money, money, WM Keeper, Keeper, Fethard, fethard, bull, Bull, mull, PayPal, Bank, bank, cash, anz, ANZ, shop, Shop, ebay, invest, casino, bookmak, pay, member, fund, Invest, Casino, Bookmak, Pay, Member, Fund, bet, Bet, bill, Bill, login, Login, eqw
The backdoor also attempts to block access to anti-virus vendors' sites, so that the infected machine can no longer fetch signature updates, by appending entries for the following names to the \drivers\etc\hosts file (the hosts file is consulted before DNS, so lookups for these names are redirected away from the real servers):
www.trendmicro.com
trendmicro.com
rads.mcafee.com
customer.symantec.com
liveupdate.symantec.com
us.mcafee.com
updates.symantec.com
update.symantec.com
www.nai.com
nai.com
secure.nai.com
dispatch.mcafee.com
download.mcafee.com
www.my-etrust.com
my-etrust.com
mast.mcafee.com
ca.com
www.ca.com
networkassociates.com
www.networkassociates.com
avp.com
www.kaspersky.com
www.avp.com
kaspersky.com
www.f-secure.com
f-secure.com
viruslist.com
www.viruslist.com
liveupdate.symantecliveupdate.com
mcafee.com
www.mcafee.com
sophos.com
www.sophos.com
symantec.com
securityresponse.symantec.com
us.mcafee.com/root/
www.symantec.com
Dumador.IK also opens backdoor listeners on ports 9125 and 64972.
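The indicators above (the load32 Run value launching winldra.exe, the anti-virus hostnames appended to the hosts file, and the two listening ports) can be checked offline against artifacts collected from a suspect machine. The following helper is an added example written for this page; it is not Lumension's tooling and not code from the malware write-up. It works on already-collected data rather than touching a live system: the hosts file is passed in as text (its location varies by Windows version), the Run key as a name-to-command mapping, and the listening ports as a list. The sample artifacts at the bottom are constructed for illustration.

```python
"""Offline triage of the Dumador.IK indicators from the write-up (added example)."""
from typing import Dict, Iterable, List

# Hostnames the backdoor appends to the hosts file, as listed in the write-up.
BLOCKED_AV_HOSTS = {
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com",
    "customer.symantec.com", "liveupdate.symantec.com", "us.mcafee.com",
    "updates.symantec.com", "update.symantec.com", "www.nai.com", "nai.com",
    "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "mast.mcafee.com", "ca.com",
    "www.ca.com", "networkassociates.com", "www.networkassociates.com",
    "avp.com", "www.kaspersky.com", "www.avp.com", "kaspersky.com",
    "www.f-secure.com", "f-secure.com", "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com",
    "securityresponse.symantec.com", "us.mcafee.com/root/", "www.symantec.com",
}
RUN_VALUE_NAME = "load32"      # Run value created by the backdoor
DROPPED_IMAGE = "winldra.exe"  # file name of the dropped copy
BACKDOOR_PORTS = {9125, 64972}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every hostname in a hosts file to the addresses it is bound to.

    Comments after '#' and blank lines are ignored; names are lowercased so
    the comparison against BLOCKED_AV_HOSTS is case-insensitive.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(address)
    return mapping


def hijacked_av_hosts(hosts_text: str) -> List[str]:
    """Return the anti-virus names present in the hosts file, sorted.

    A clean hosts file has no reason to carry any of these names at all, so
    any mapping (not just loopback) is reported.
    """
    return sorted(n for n in parse_hosts(hosts_text) if n in BLOCKED_AV_HOSTS)


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values named load32 or launching winldra.exe under any name."""
    hits = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME or DROPPED_IMAGE in command.lower():
            hits.append(f"{name} = {command}")
    return sorted(hits)


def suspicious_ports(listening: Iterable[int]) -> List[int]:
    """Return the backdoor ports found among the machine's listening ports."""
    return sorted(set(listening) & BACKDOOR_PORTS)


def triage(hosts_text: str, run_values: Dict[str, str],
           listening: Iterable[int]) -> Dict[str, list]:
    """Combine the three checks into one report; empty lists mean no match."""
    return {
        "hosts_file": hijacked_av_hosts(hosts_text),
        "run_key": suspicious_run_entries(run_values),
        "ports": suspicious_ports(listening),
    }


# Constructed sample artifacts (hypothetical, for demonstration only).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com   # appended by the backdoor
127.0.0.1 WWW.Kaspersky.com
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n"
SAMPLE_RUN = {
    "load32": r"C:\WINDOWS\SYSTEM\winldra.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_PORTS = [135, 139, 445, 9125, 64972]

if __name__ == "__main__":
    for check, result in triage(SAMPLE_HOSTS, SAMPLE_RUN, SAMPLE_PORTS).items():
        print(f"{check}: {result or 'no match'}")
```

The Run-key check deliberately matches on the image name as well as on the value name, since a variant could keep the dropped file and change only the value name; the hosts-file check reports any of the listed names regardless of the address they map to, because their presence alone is the indicator.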

Analysis

n/a

Removal

Dumador.IK is detected and removed with definition files later than 11-August-2005. Write-up by Tom Bonner.


Last Updated: 12 Nov 2015 11:06:15