W32/Dumaru.Y@mm

W32/Dumaru.Y@mm	Destructivity: Spreading: Overall risk:

• Detected by virus detection files published: 1/24/2004	• Type: Worm
• Virus characteristics first published: 1/24/2004	• Spreading mechanism: Email
• Virus characteristics latest update: 3/19/2004	• Overall risk: Low
• Alias: W32/Capegold-mm	• Payload: Information gathering
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Virus type

Spreading
mechanism

Destructivity
and payload

Additional
descriptions

Detection
and removal

Email characteristics:

Subject: Important information for you. Read it immediately !
Body:
Hi !

Here is my photo, that you asked for yesterday.
Attachment: myphoto.zip

Upon executing, it will copy itself to the Windows System directory under the name l32x.exe, and vxd32v.exe, and to the startup directory under the name dllxw.exe.

It creates the registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "load32"="[SYSTEM]l32x.exe".

It will also modify a string in the [boot] section of system.ini: "shell"="explorer.exe [SYSTEM]vxd32v.exe". All these changes are done in order to start the worm from bootup.

The worm looks for email addresses in the follwing types of files:
*.htm *.wab *.html *.dbx *.tbb *.abd

It will now proceed to send itself to these addresses.

# - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z

VIRUSfighter

Microsoft Certified Partner

W32/Dumaru.Y@mm

Hi !