Virus name (in Chinese):
Virus alias:
Threat Level: ★☆☆☆☆
Virus type: Hacker program (backdoor)
Virus Length: 27040 bytes
Affected systems: WIN9X\WINME\WINNT\WIN2000\WINXP\WIN2003
Virus behavior:
This is a backdoor. While running it monitors the clipboard and the keyboard, searches the configuration files of FTP client software for user IP addresses, passwords and similar information, and uses its own SMTP engine to send the recorded data to a designated mailbox.
1. The virus creates a global atom named "Stamm-804" to ensure that only one copy of itself is running.
2. It drops a 4096-byte dynamic link library, Winsms.dll, into the %windir% directory and calls its function to hide the process.
3. It copies itself to the %system% directory as Winldra.exe and adds a registry run entry so that it starts with the system:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Load32" = "%system%\winldra.exe"
4. The virus also adds the following registry key, under which it records its various operations:
[Hkcu\software\sars]
5. It generates the file Netdx.dat in the %windir% directory to store an encrypted character set.
6. It modifies the Hosts file to block well-known security vendor sites, including:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
and others.
7. It creates a thread that monitors the clipboard and records its contents in the file %windir%\prntc.log.
8. It creates a thread that monitors the keyboard; if the caption of the current window contains one of the following sensitive strings, the keystrokes are recorded in the file %windir%\prntk.log:
"Bank"
"PayPal"
"ebay"
"Casino"
and others.
9. It searches the configuration files of FTP client software (such as totalcmd) for user IP addresses, passwords and similar information and stores them in files matching %temp%\fe*.htm.
10. It uses its own SMTP engine to send the recorded information to a designated mailbox.
11. It listens on TCP port 9125 and waits for remote control commands.
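The host-based indicators listed above (the loopback entries for security vendor sites in the Hosts file, the "Load32" run-key value, and the dropped file names) can be checked with a small triage script. The following is an added example written for this page, not code from the vendor; the hosts text, run-key values and file paths it inspects are constructed sample data, and on a real machine you would feed it the actual Hosts file content, the values read from the Run key, and a listing of %windir% and %system%.

```python
import ntpath

# Security vendor hosts the description says are redirected to loopback.
SHIELDED_HOSTS = {"www.trendmicro.com", "trendmicro.com",
                  "rads.mcafee.com", "customer.symantec.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# File names dropped or written by the malware according to the description.
DROPPED_FILES = {"winldra.exe", "winsms.dll", "netdx.dat", "prntc.log", "prntk.log"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def find_hosts_tampering(text):
    """Shielded vendor hostnames that the hosts file maps to a loopback address."""
    return sorted({n for ip, n in parse_hosts(text)
                   if ip in LOOPBACK and n in SHIELDED_HOSTS})

def find_run_entries(run_values):
    """Run-key value names (name -> command) matching the persistence entry above."""
    return sorted(name for name, cmd in run_values.items()
                  if name.lower() == "load32"
                  or ntpath.basename(cmd.strip().strip('"')).lower() == "winldra.exe")

def find_dropped_files(paths):
    """Paths whose file name is one of the listed artifacts."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES)

def triage(hosts_text, run_values, paths):
    """Collect every finding as a 'category: value' string."""
    findings = [f"hosts: {h}" for h in find_hosts_tampering(hosts_text)]
    findings += [f"run: {n}" for n in find_run_entries(run_values)]
    findings += [f"file: {p}" for p in find_dropped_files(paths)]
    return findings

# Constructed sample input; not captured from a real machine.
SAMPLE_HOSTS = """# hosts file
127.0.0.1   localhost
127.0.0.1   www.trendmicro.com
127.0.0.1   trendmicro.com
127.0.0.1   rads.mcafee.com
127.0.0.1   customer.symantec.com
10.0.0.5    intranet.example   # benign entry
"""
SAMPLE_RUN = {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
              "Load32": r"C:\WINDOWS\system32\winldra.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\Netdx.dat", r"C:\WINDOWS\prntk.log", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```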