34,308 bytes (B@mm), 34,305 (C@mm)
(W32.Dumaru.B/C | W32/Dumaru.b/c@MM | W32/Dumaru-B)
Presence of the next files in %WINDOWS% folder:
Presence of the next files in %SYSTEM% folder:
Presence of the next files in Startup folder:
Presence of the next registry keys or entries:
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to System folder on Windows 9x systems and System32 folder on WinNT systems.
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus. Automatic removal Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antidumaru-EN.exe
tool does the following:
it detects all the known Win32.Dumaru versions;
it kills the process from memory;
it deletes the files infected with or created by Win32.Dumaru;
it repairs the Windows registry and the .ini files.
You may also need to restore the affected files. Semiautomatic removal
BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.
- If you don't have BitDefender installed click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Reboot the computer;
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Dumaru.
Patrik Vicol BitDefender Virus Researcher
This mass mailer has backdoor abilities (listens on TCP ports 1001, 2283, 10000) and also comes with a keylogger.
Attempts to terminate processes belonging to several security and antivirus programs.
On NTFS partitions, it may overwrite .exe files with copies of the virus.
It spreads using this format:
Use this patch immediately !
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Once run, the virus does the following:
1. Creates the aforementioned files and registry keys/entries.
2. Attempts to terminate processes:
3. On Windows 9x/Me systems, alters win.ini and system.ini in order to run at startup.
4. Harvests e-mail addresses by searching inside:
and attempts to send itself using the e-mail format described above, using it's own SMTP engine and the default SMTP address.
5. Attempts to infect .exe files on NTFS partitions, but due to a bug in the search, it will only infect .exe file on the root of drives.
6. Connects to an IRC server, and joins a channel, listens on ports 1001, 10000 (TCP) for commands from an attacker. Also, port 2283 (TCP) is used as a send through (like a proxy).
7. Captures and logs the clippboard to %WINDOWS%\rundllx.sys
8. Captures and logs keystrokes (but also program name) to %WINDOWS%\vxdload.log
9. Attempts to connect to a ftp server and upload a .eml file that contains passwords and other informations.