Win32.Dumaru.Y@mm
LOW
LOW
Size: 17370 bytes
Aliases: WORM_DUMARU.Y, W32.Dumaru.Y@mm, W32/Dumaru-Y
Symptoms
Presence of the files L32X.EXE and VXD32V.EXE in the Windows System folder and of the file DLLXW.EXE in the StartUp folder.
Removal instructions:
Let BitDefender delete all files found infected with this worm.
Analyzed By
Mihai NEAGU BitDefender Virus Researcher
Technical Description:
The worm arrives by e-mail in the following message:
From: "Elene"
Subject: Important information for you. Read it immediately !
Body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment: MYPHOTO.JPG .EXE
The worm copies itself to the Windows System folder under the names L32X.EXE and VXD32V.EXE and to the StartUp folder under the name DLLXW.EXE, and adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE
It also adds itself to the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):
Shell = %SYSTEMDIR%\vxd32.exe
A keylogger and a clipboard monitor are also installed; the worm listens for commands on TCP port 2283 and opens an FTP server on port 10000.
The mass-mailing component harvests e-mail addresses from files with the extensions .htm, .wab, .html, .dbx, .tbb and .abd, and sends the messages using its own SMTP engine.
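The following is a defender-side check for the indicators listed in this description, added here as an example; it is not BitDefender's code and is not part of the original entry. Rather than querying a live machine, it compares a snapshot of host state (file names, Run values, the text of SYSTEM.INI and the list of listening ports) against the indicators above, so it runs on any system; the two snapshots at the bottom are constructed for illustration, and the indicator set is taken from the description.

```python
"""Check a host-state snapshot for the Win32.Dumaru.Y@mm indicators.

Added example (not BitDefender's code). Indicator values come from the
description above; the snapshots below are constructed sample data.
"""
import ntpath

# Files dropped in the Windows System folder and in the StartUp folder.
WORM_FILES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE
WORM_RUN_VALUE = ("load32", "l32x.exe")
# Program the worm places on the Shell= line.
WORM_SHELL_HOOK = "vxd32.exe"
# Ports the worm listens on.
WORM_PORTS = {2283: "backdoor command port", 10000: "FTP server"}


def shell_programs(system_ini_text):
    """Return the programs named on the Shell= line of the [boot] section
    of a SYSTEM.INI (Windows 95/98/Me). A clean line reads
    'shell=Explorer.exe'; anything else on the line is a shell hook."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.split()
    return []


def check_host(file_names, run_values, system_ini_text, listening_ports):
    """Compare a host snapshot with the indicators; return a list of findings."""
    findings = []

    present = WORM_FILES & {ntpath.basename(f).lower() for f in file_names}
    for name in sorted(present):
        findings.append(f"file present: {name}")

    for name, data in run_values.items():
        if (name.lower() == WORM_RUN_VALUE[0]
                and ntpath.basename(data).lower() == WORM_RUN_VALUE[1]):
            findings.append(f"Run value {name} = {data}")

    for prog in shell_programs(system_ini_text):
        base = ntpath.basename(prog).lower()
        if base == WORM_SHELL_HOOK:
            findings.append(f"Shell= line loads {base}")
        elif base != "explorer.exe":
            # Generic check: any shell program other than Explorer is suspect.
            findings.append(f"unexpected program on Shell= line: {base}")

    for port in listening_ports:
        if port in WORM_PORTS:
            findings.append(f"port {port} listening ({WORM_PORTS[port]})")

    return findings


# Constructed snapshots (sample data, not captured from a real host).
INFECTED_SNAPSHOT = {
    "files": [r"C:\WINDOWS\SYSTEM\L32X.EXE",
              r"C:\WINDOWS\SYSTEM\VXD32V.EXE",
              r"C:\WINDOWS\Start Menu\Programs\StartUp\DLLXW.EXE",
              r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"],
    "run": {"load32": "L32X.EXE", "SystemTray": "SysTray.Exe"},
    "system_ini": "[boot]\nshell=Explorer.exe %SYSTEMDIR%\\vxd32.exe\n[386Enh]\n",
    "ports": [139, 2283, 10000],
}
CLEAN_SNAPSHOT = {
    "files": [r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"],
    "run": {"SystemTray": "SysTray.Exe"},
    "system_ini": "[boot]\nshell=Explorer.exe\n[386Enh]\n",
    "ports": [139],
}


def scan(snapshot):
    return check_host(snapshot["files"], snapshot["run"],
                      snapshot["system_ini"], snapshot["ports"])


if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, scan(snap) or "no indicators found")
```

On a real Windows 9x/Me host the snapshot would be filled from directory listings, the Run key, the SYSTEM.INI file and `netstat -an`; on NT-family systems the Shell value lives in the registry instead, but the same comparison applies once the value is read.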