Backdoor.Dumador.af

Thread starter: Emmanouil Pajatakis

Emmanouil Pajatakis

Hi

My Windows 98 PC is infected with Backdoor.Dumador.af. I got a warning
from F-secure anti-virus scanner. F-secure is, however, not able to
remove the worm. I followed many hints from the web about removing
entries from the system.ini file and the registry but every time I
reboot the same situation is there. In particular the file netb.exe is
always in the startup group.

Does anybody have a hint as to what I could do?

Thanks

Emmanouil Pajatakis
 
> Hi
>
> My Windows 98 PC is infected with Backdoor.Dumador.af.

KAV (and thus F-Secure) just added detection of the .af variant
yesterday, the 13th. So exact descriptions are unavailable.

> I got a warning
> from F-secure anti-virus scanner. F-secure is, however, not able to
> remove the worm. I followed many hints from the web about removing
> entries from the system.ini file and the registry but every time I
> reboot the same situation is there. In particular the file netb.exe is
> always in the startup group.

A legit file by that name exists. Does F-Secure alert on that file?

> Does anybody have a hint as to what I could do?

Just some registry entry possibilities you may have overlooked:

HKLM\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon

and this key may be created by the backdoor:

HKLM\Sofware\SARS

I'm just getting clues from older variant and alias name descriptions,
as apparently you have done. If you use Project VGREP, you can find
alias names used by other av vendors:

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=backdoor.dumador&product=0

You can search for all files dated after a certain date. You can also
use the Find feature of regedit to track down keys where known
infested files are listed.


Art
http://www.epix.net/~artnpeg
 
> KAV (and thus F-Secure) just added detection of the .af variant
> yesterday, the 13th. So exact descriptions are unavailable.

> A legit file by that name exists. Does F-Secure alert on that file?

F-secure alerts only on prntsvr.dll dropped by the trojan. No alerts
are issued on other files and in particular netdb.exe and netda.exe.
Also Trojan Hunter does not alert on the process netda.exe. Trojan
Hunter found only the registry entry
HLM>Software>Microsoft>Windows>CurrentVersion>Run>load 32

> Just some registry entry possibilities you may have overlooked:
>
> HKLM\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon
>
> and this key may be created by the backdoor:
>
> HKLM\Sofware\SARS
>
> I'm just getting clues from older variant and alias name descriptions,
> as apparently you have done. If you use Project VGREP, you can find
> alias names used by other av vendors:
>
> http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=backdoor.dumador&product=0
>
> You can search for all files dated after a certain date. You can also
> use the Find feature of regedit to track down keys where known
> infested files are listed.

I finally managed to remove the trojan following instructions on the
Trend Micro site about the worm Dumaru.ai
http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_DUMARU.AI
My error was that I didn't kill the process netda.exe before
deleting the files and registry entries. Apparently this process was
able to restore deleted entries.

Thanks for the assistance
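As an added example (not code from the thread, F-Secure or Trend Micro), this Python script parses a regedit export in the REGEDIT4 format Windows 98 writes and lists values under the autorun keys Art mentions (Run, Winlogon, the SARS key) whose data names the files reported in this thread, which is the search the regedit Find suggestion and the "load 32" Run entry above describe. The embedded export, the watched-key list and the file list are constructed for the demonstration; the thread's own lesson still applies, since an export taken while the process is running shows entries it can re-create.

```python
import re

# Constructed sample of a Windows 98 regedit export (REGEDIT4 format); the
# keys and the "load 32" value mirror the locations named in the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"load 32"="C:\\WINDOWS\\SYSTEM\\netda.exe"
[HKEY_LOCAL_MACHINE\Software\SARS]
@="netdb.exe"
"inst"=hex:01,00
'''

# Autorun keys named in the thread plus the key the backdoor is said to
# create, matched as case-insensitive path suffixes; files the poster named.
WATCH_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunServices",
              r"\CurrentVersion\Winlogon", r"\Software\SARS")
SUSPECT_FILES = ("netda.exe", "netdb.exe", "prntsvr.dll")

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data
def _unescape(s):  # undo the \\ and \" escaping regedit applies to strings
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """{key_path: {value_name: data}}; strings unescaped, hex:/dword: raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = '(Default)' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def find_suspect_entries(text, watch_keys=WATCH_KEYS, files=SUSPECT_FILES):
    """(key, value_name, data) for watched-key values naming a suspect file."""
    hits = []
    for key, values in parse_reg(text).items():
        if any(key.lower().endswith(w.lower()) for w in watch_keys):
            for name, data in values.items():
                if any(f in data.lower() for f in files):
                    hits.append((key, name, data))
    return hits
```

On a real machine, export the hive with regedit (File > Export) and pass the file's contents to find_suspect_entries; the hits name the key and value to inspect rather than deleting anything.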
 

You're welcome. I wonder if this was a case of over-dependence on
realtime av scanner "protection"? Perhaps you took a hit before
F-Secure had added detection?

My main interest is prevention, as you can see by my web site. Since
you seem to be "smarter than the average bear", I'm curious as to what
you're doing wrong. Do you know how you managed to take the hit?


Art
http://www.epix.net/~artnpeg
 

After I deleted all files and registry entries according to advice
relating to Dumaru.ai, I scanned my whole disk with F-secure. It
discovered the file TrojanDownloader.VBS.Psyme.x in the IE temporary
files. I had a look at various AV sites and figured out that this
exploits a vulnerability of IE. Still strange because my IE6 has had
all critical updates issued by Microsoft. Further I do not use Outlook
for my emails. Does it look like I hit a bad site which exploited an IE
vulnerability?
 

If you mean finding the Psyme downloader in your IE cache but not
finding that it has been run, then no.

You'd be far better off using one of the Moz based browsers or Opera,
for one thing. Good that you're at least not using OE. But what about
the other items that I've outlined at my web site? Patching '98.
Closing all internet ports. The thing is that there's no reason you or
anyone should be taking any hits at all.


Art
http://www.epix.net/~artnpeg