Presence of the files
where %WINDOWS% points to Windows folder (Win9x/Me) or Winnt folder (Win2K/XP).
Presence of the value
in the registry key
where %SYSTEM% points to System folder (Win9x/Me) or System32 folder (Win2K/XP).
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. It detects all the known Win32.Dumaru@mm versions.
Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antidumaru-EN.exe tool does the following:
- it kills the process from memory;
- it deletes the files infected with Win32.Dumaru@mm;
- it deletes the backdoor component;
- it repairs the Windows registry.
You may also need to restore the affected files.
Patrik Vicol, BitDefender Virus Researcher
The virus arrives as a fake e-mail from Microsoft:
From: "Microsoft" email@example.com
Subject: Use this patch immediately !
Body: Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe
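The lure above can be recognised at a mail gateway from three traits the advisory gives: a sender whose display name says "Microsoft" while the address is not in a microsoft.com domain, the subject line, and a directly executable attachment (patch.exe). The script below is an added example, not BitDefender's tool or anything from the advisory; the sample message it builds is constructed from the page's text with filler bytes in place of the attachment, and the list of executable extensions and the domain check are this example's own assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions a gateway would treat as directly executable on Windows (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_lure() -> bytes:
    """Constructed sample of the lure described in the advisory (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft" <email@example.com>'  # address as given on the page
    msg["To"] = "user@example.net"
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content(
        "Dear friend , use this Internet Explorer patch now!\n"
        "There are dangerous virus in the Internet now!\n"
        "More than 500.000 already infected!\n"
    )
    # Filler bytes standing in for the attachment; this is not the malware.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed benign message used as a control case."""
    msg = EmailMessage()
    msg["From"] = '"Alice" <alice@example.net>'
    msg["To"] = "user@example.net"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached as text.\n")
    msg.add_attachment("notes\n", filename="notes.txt")
    return bytes(msg)


def lure_indicators(raw: bytes) -> list:
    """Return the indicators found in one RFC 822 message; an empty list means no hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # 1. Display name claims Microsoft, but the address is not in a microsoft.com domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if "microsoft" in name.lower() and domain != "microsoft.com" \
            and not domain.endswith(".microsoft.com"):
        hits.append(f"spoofed sender: display name {name!r}, address {addr!r}")

    # 2. Subject matches the lure text given in the advisory.
    subject = str(msg.get("Subject", "")).lower()
    if "use this patch immediately" in subject:
        hits.append(f"lure subject: {subject!r}")

    # 3. Directly executable attachment (patch.exe in the Dumaru case).
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(f"executable attachment: {filename}")
    return hits


if __name__ == "__main__":
    for hit in lure_indicators(build_sample_lure()):
        print(hit)
```

The attachment check is the durable part of the rule: the subject and sender text change between variants, while the executable-attachment trait is what the advisory's later advice (delete infected messages from the mail client) is really about.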
When executed, the virus will do the following:
- Copies itself as:
- Drops and executes a backdoor component
%WINDOWS%\windrv.exe (8192 bytes)
which connects to an IRC server, joins a password-protected channel, sends a login notice and waits for the author to issue commands.
- Creates the value
in the registry key
- On Windows 9x/Me systems, it does the following:
- uses RegisterServiceProcess to hide its presence;
- modifies system.ini by adding the entry in the [Boot] section:
- modifies win.ini by adding the following entry in the [Windows] section:
- Harvests e-mail addresses from files matching
and stores them in the %WINDOWS%\winload.log file.
- It uses its own SMTP engine and sends itself to the addresses harvested in the winload.log file (see above for the infected e-mail format).
- It searches for *.exe files belonging to several antivirus/security products and attempts to overwrite them with copies of the virus.
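The host-side indicators the advisory names can be checked with a small script that looks under the Windows directory for the dropped backdoor (windrv.exe, 8192 bytes), the harvested-address store (winload.log), and unexpected auto-start entries in win.ini and system.ini. This is an added example, not BitDefender's removal tool. The advisory says which sections of win.ini ([Windows]) and system.ini ([Boot]) the virus modifies but not which entries, so inspecting the classic load=/run= and shell= keys is this example's assumption; the registry value is not named on the page and is left out. The infected and clean directories the script builds are constructed filler for demonstration.

```python
import os
import tempfile

# Classic Win9x/Me auto-start entries. The advisory only says Dumaru adds an entry to
# win.ini [Windows] and system.ini [Boot]; checking these keys is an assumption.
WIN_INI_AUTOSTART_KEYS = ("load", "run")
EXPECTED_SHELL = "explorer.exe"
WINDRV_SIZE = 8192  # size of the backdoor component as given in the advisory


def read_ini_section(path: str, section: str) -> dict:
    """Minimal INI reader: {key: value} for one section, keys lower-cased."""
    entries = {}
    current = None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1].strip().lower()
                continue
            if current == section.lower() and "=" in line:
                key, value = line.split("=", 1)
                entries[key.strip().lower()] = value.strip()
    return entries


def host_indicators(win_dir: str) -> list:
    """Return the Dumaru host indicators found under a Windows directory."""
    hits = []

    drv = os.path.join(win_dir, "windrv.exe")
    if os.path.isfile(drv):
        size = os.path.getsize(drv)
        note = " (size matches advisory)" if size == WINDRV_SIZE else ""
        hits.append(f"windrv.exe present, {size} bytes{note}")

    if os.path.isfile(os.path.join(win_dir, "winload.log")):
        hits.append("winload.log present (harvested e-mail address store)")

    win_ini = os.path.join(win_dir, "win.ini")
    if os.path.isfile(win_ini):
        windows = read_ini_section(win_ini, "windows")
        for key in WIN_INI_AUTOSTART_KEYS:
            if windows.get(key):  # any non-empty load=/run= is worth a look
                hits.append(f"win.ini [windows] {key}={windows[key]}")

    system_ini = os.path.join(win_dir, "system.ini")
    if os.path.isfile(system_ini):
        shell = read_ini_section(system_ini, "boot").get("shell", "")
        if shell and shell.lower() != EXPECTED_SHELL:  # extra program after the shell
            hits.append(f"system.ini [boot] shell={shell}")

    return hits


def _write(win_dir: str, name: str, data) -> None:
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(os.path.join(win_dir, name), mode) as fh:
        fh.write(data)


def build_sample_windows_dir() -> str:
    """Constructed directory imitating an infected %WINDOWS%; all contents are filler."""
    win_dir = tempfile.mkdtemp(prefix="dumaru-sample-")
    _write(win_dir, "windrv.exe", b"\x00" * WINDRV_SIZE)  # filler, not the backdoor
    _write(win_dir, "winload.log", "a@example.net\nb@example.net\n")
    _write(win_dir, "win.ini",
           "[windows]\nload=\nrun=C:\\WINDOWS\\constructed_autostart.exe\n[fonts]\n")
    _write(win_dir, "system.ini",
           "[boot]\nshell=Explorer.exe constructed_autostart.exe\n[386Enh]\n")
    return win_dir


def build_clean_windows_dir() -> str:
    """Constructed directory imitating a clean %WINDOWS% (control case)."""
    win_dir = tempfile.mkdtemp(prefix="clean-sample-")
    _write(win_dir, "win.ini", "[windows]\nload=\nrun=\n")
    _write(win_dir, "system.ini", "[boot]\nshell=Explorer.exe\n")
    return win_dir


if __name__ == "__main__":
    for hit in host_indicators(build_sample_windows_dir()):
        print(hit)
```

On a real system, pass the actual Windows directory (for example `host_indicators(os.environ["WINDIR"])`); the script only reads files, so it can be run before the removal tool to confirm an infection and again after the reboot the advisory requires to confirm the entries are gone.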