
Win32.Dumaru.Y@mm

LOW
LOW
17370 bytes
(WORM_DUMARU.Y, W32.Dumaru.Y@mm, W32/Dumaru-Y)

Symptoms

Presence of the files L32X.EXE and VXD32V.EXE in the Windows System folder and the file DLLXW.EXE in the StartUp folder.

Removal instructions:

Let BitDefender delete all files found infected with this worm.

Analyzed By

Mihai NEAGU BitDefender Virus Researcher

Technical Description:

The worm comes by mail in the following message:

From: "Elene"
Subject: Important information for you. Read it immediately !
Body:
Hi !

Here is my photo, that you asked for yesterday.

Attachment: MYPHOTO.JPG .EXE

The worm copies itself to the Windows System folder under the names L32X.EXE and VXD32V.EXE, and to the StartUp folder under the name DLLXW.EXE. It then adds the registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE

It also modifies the Shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP) so that it reads:

Shell = %SYSTEMDIR%\vxd32.exe

A keylogger and a clipboard monitor are also installed. The worm listens for commands on port 2283 and opens an FTP server on port 10000.
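The persistence and network artifacts listed above are straightforward to check for on a host. The following Python script is an added example (it is not a Bitdefender tool) that evaluates a constructed snapshot of those artifacts: the dropped file names, the Run value, the Shell line from SYSTEM.INI or the registry, and the two listening ports. The HostSnapshot type, the sample hosts and the parsing helpers are assumptions made for the example; on a real machine the snapshot would be filled from directory listings, the registry, SYSTEM.INI and a netstat-style port list.

```python
"""Indicator check for Win32.Dumaru.Y@mm (added example, not Bitdefender's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators exactly as given in the description.
SYSTEM_FILES = {"l32x.exe", "vxd32v.exe"}      # Windows System folder
STARTUP_FILES = {"dllxw.exe"}                  # StartUp folder
RUN_VALUE = ("load32", "l32x.exe")             # HKLM\...\Run\load32 = L32X.EXE
SHELL_NAMES = {"vxd32.exe", "vxd32v.exe"}      # description writes vxd32.exe in the Shell line
WORM_PORTS = {2283: "command channel", 10000: "FTP server"}


@dataclass
class HostSnapshot:
    """Assumed structure holding the artifacts gathered from one host."""
    system_dir: set[str] = field(default_factory=set)        # names in System folder
    startup_dir: set[str] = field(default_factory=set)       # names in StartUp folder
    run_values: dict[str, str] = field(default_factory=dict)  # name -> data under Run
    system_ini: str = ""        # SYSTEM.INI text (Windows 95/98/Me), "" if absent
    winlogon_shell: str = ""    # registry Shell value (NT/2000/XP), "" if absent
    listening_ports: set[int] = field(default_factory=set)


def shell_from_system_ini(text: str) -> str:
    """Return the Shell= value from the [boot] section of SYSTEM.INI, or ''."""
    in_boot = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot:
            m = re.match(r"shell\s*=\s*(.+)", line, re.IGNORECASE)
            if m:
                return m.group(1).strip()
    return ""


def _basename(path: str) -> str:
    # Shell and Run data may carry %SYSTEMDIR%\ or a full path; compare the file name only.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_host(snap: HostSnapshot) -> list[str]:
    """Return one finding per Dumaru.Y indicator present in the snapshot."""
    findings: list[str] = []

    for name in sorted({f.lower() for f in snap.system_dir} & SYSTEM_FILES):
        findings.append(f"file {name} in Windows System folder")
    for name in sorted({f.lower() for f in snap.startup_dir} & STARTUP_FILES):
        findings.append(f"file {name} in StartUp folder")

    for name, data in snap.run_values.items():
        if name.lower() == RUN_VALUE[0] and _basename(data) == RUN_VALUE[1]:
            findings.append(f"Run value {name} = {data}")

    # Shell line: SYSTEM.INI on 9x/Me, the registry Shell value on NT-based systems.
    for source, shell in (("SYSTEM.INI", shell_from_system_ini(snap.system_ini)),
                          ("registry", snap.winlogon_shell)):
        if shell and _basename(shell) in SHELL_NAMES:
            findings.append(f"Shell line in {source} = {shell}")

    for port in sorted(snap.listening_ports & set(WORM_PORTS)):
        findings.append(f"port {port} listening ({WORM_PORTS[port]})")

    return findings


# Constructed snapshots for demonstration; not data from a real host.
CLEAN_HOST = HostSnapshot(
    system_dir={"kernel32.dll", "user32.dll"},
    run_values={"SoundMan": "C:\\WINDOWS\\SOUNDMAN.EXE"},
    system_ini="[boot]\nshell=Explorer.exe\n",
    listening_ports={135, 445},
)

INFECTED_HOST = HostSnapshot(
    system_dir={"kernel32.dll", "L32X.EXE", "VXD32V.EXE"},
    startup_dir={"DLLXW.EXE"},
    run_values={"load32": "L32X.EXE"},
    system_ini="[boot]\nshell=%SYSTEMDIR%\\vxd32.exe\n",
    listening_ports={135, 2283, 10000},
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        hits = check_host(snap)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Each indicator is reported separately so that a partial match (for example the Run value without the dropped files, or only the Shell line on a Windows 9x host) is still visible rather than collapsed into a single yes/no verdict.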

The mass-mailing component collects e-mail addresses from files with the extensions .htm, .wab, .html, .dbx, .tbb and .abd, and sends the e-mails using its own sending engine.