W32/Dumaru.A@mm

Download VIRUSfighter NOW
W32/Dumaru.A@mm Destructivity: Spreading: Overall risk:
  
• Detected by virus detection files published: 9/17/2003 • Type: Worm
• Virus characteristics first published: 9/17/2003 • Spreading mechanism: Email
• Virus characteristics latest update: 3/29/2004 • Overall risk: Medium
• Alias: • Payload: Installs a keylogger
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista  

Virus type Spreading
mechanism 		Destructivity
and payload 		Additional
descriptions 		Detection
and removal
Email characteristics:
  • Subject: Use this patch immediately !
  • Body: Dear friend , use this Internet Explorer patch now!
    There are dangerous virus in the Internet now!
    More than 500.000 already infected!

  • Attachment: patch.exe
When the worm is first run, it copies itself to the following locations:

[WINDIR]\dllreg.exe
[SYSTEMDIR]\load32.exe
[SYSTEMDIR]\vxdmgr32.exe

The follwing registry key is created:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "load32"="[SYSTEMDIR]\load32.exe"

The following entry in [boot] section of SYSTEM.INI is created:
"shell"="explorer.exe [SYSTEMDIR]\vxdmgr32.exe"

The following entry in [windows] section of WIN.INI is created:
"run"="[WINDIR]\dllreg.exe"

In addition, it installs a backdoor in the location [WINDIR]\windrv.exe.

The worm scans files of types .htm .wab .html .dbx .tbb .abd for email addresses to send itself to.

The worm also attempts to connect to IRC servers and joins a channel there.
# - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z
To protect and serve, VirusFighter