I Feel Lucky I Feel Very Lucky

Dumador (e)

Copyright © MegaSecurity

By ?

Informations
Author ?
Family Dumador
Category Remote Access
Version Dumador (e)
Additional Information 
This backdoor is dropped by the Dumaru worm.
The Dumaru worm arrives in an email pretending to be a security patch from Microsoft
with return-path:
In reality, it is a mass-mailing email worm that installs a backdoor component onto infected systems. 
Backdoor.Win32.Dumador.e:

port: 10000, 1001, 2283 TCP

dropped files:
c:\WINDOWS\dllreg.exe                               size 36.866 bytes 
c:\WINDOWS\guid32.dll                               size 4.096 bytes 
c:\WINDOWS\vxdload.log                              size 134 bytes 
c:\WINDOWS\windrive.exe                             size 8.192 bytes 
c:\WINDOWS\Start Menu\Programs\Startup\rundllw.exe  size 36.866 bytes 
c:\WINDOWS\SYSTEM\load32.exe                        size 36.866 bytes 
c:\WINDOWS\SYSTEM\vxdmgr32.exe                      size 36.866 bytes 

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32" 
c:\windows\system.ini, [boot] "shell" 
c:\windows\win.ini, [windows] "run" 
c:\WINDOWS\Start Menu\Programs\Startup

registry added:
HKEY_LOCAL_MACHINE\Software\SARS "kwmfound"

If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.