(WORM_DUMARU.Y, W32.Dumaru.Y@mm, W32/Dumaru-Y)
Presence of the files L32X.EXE and VXD32V.EXE in the Windows System folder and the file DLLXW.EXE in the StartUp folder.
Let BitDefender delete all files found infected with this worm.
Mihai NEAGU BitDefender Virus Researcher
The worm comes by mail in the following message:
From:
Subject: Important information for you. Read it immediately !
Here is my photo, that you asked for yesterday.
Attachment: MYPHOTO.JPG .EXE
The worm copies itself to the Windows System folder with the names L32X.EXE and VXD32V.EXE and to the StartUp folder with the name DLLXW.EXE, and adds the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE
Also it adds to the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):
A keylogger and a clipboard monitor are also installed; the worm listens for commands on port 2283 and opens an FTP server on port 10000.
The mass-mailing component collects e-mail addresses from files with extensions .htm, .wab, .html, .dbx, .tbb, .abd and sends e-mails using its own sending engine.
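The host indicators described above (dropped files, the load32 Run value, the two listening ports) can be checked together against a host snapshot. The following is an added example, not BitDefender's code; the function names, the folder names used to recognise the System and StartUp folders, the treatment of both ports as TCP listeners, and the sample snapshot are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above.
SYSTEM_FILES = {"l32x.exe", "vxd32v.exe"}
STARTUP_FILE = "dllxw.exe"
RUN_VALUE = ("load32", "l32x.exe")
PORTS = {2283, 10000}  # command listener, FTP server (assumed TCP)
# Assumption: directory names that identify the System and StartUp folders.
SYSTEM_DIRS = {"system", "system32"}
STARTUP_DIRS = {"startup"}

def check_files(paths):
    """Match dropped file names only when they sit in the expected folder."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name, parent = p.name.lower(), p.parent.name.lower()
        if (name in SYSTEM_FILES and parent in SYSTEM_DIRS) or \
           (name == STARTUP_FILE and parent in STARTUP_DIRS):
            hits.append(f"file:{name}")
    return hits

def check_run_key(values):
    """values: name -> data of the HKLM Run key, exported beforehand."""
    for name, data in values.items():
        target = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == RUN_VALUE[0] and target == RUN_VALUE[1]:
            return ["run:load32"]
    return []

def check_listeners(netstat_text):
    """Parse `netstat -an` style lines; only LISTENING TCP sockets count."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[-1].upper() == "LISTENING":
            port = f[1].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in PORTS:
                hits.append(f"port:{port}")
    return hits

def dumaru_y_indicators(paths, run_values, netstat_text):
    return check_files(paths) + check_run_key(run_values) + check_listeners(netstat_text)

# Constructed sample snapshot of one host (not real telemetry).
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\L32X.EXE", r"C:\WINDOWS\SYSTEM\vxd32v.exe",
                r"C:\WINDOWS\Start Menu\Programs\StartUp\dllxw.exe", r"C:\Temp\l32x.exe"]
SAMPLE_RUN = {"load32": "L32X.EXE", "Updater": "upd.exe"}
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:2283     0.0.0.0:0        LISTENING\n"
                  "  TCP    0.0.0.0:10000    0.0.0.0:0        LISTENING\n"
                  "  TCP    10.0.0.5:1045    10.0.0.9:10000   ESTABLISHED\n")
```

A port match on its own is weak evidence, since other software can listen on the same ports; treat it as corroboration for the file and registry matches.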