Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Dumaru.Y
Win32/Dumaru.Y is a worm that spreads as a file attached to an e-mail. The file is 17370 bytes long and travels inside a deliberately malformed ZIP archive. It is yet another variant of the worm Win32/Dumaru.A. The worm is compressed with the FSG packer; after unpacking it grows to approximately 65 KB. The worm installs a key-logging Trojan. It runs on Microsoft Windows 95 and later.
The worm arrives in an e-mail with the forged sender address "Elene" <FUCKENSUICIDE@HOTMAIL.COM> and the subject line: Important information for you. Read it immediately ! The message body contains the following text:
Hi !
Here is my photo, that you asked for yesterday.
Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this of course differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The attachment of the worm message is a file named myphoto.zip of 17613 bytes, containing a file named myphoto.jpg[56 spaces].exe of 17370 bytes. The long run of spaces pushes the real .exe extension out of view in many mail clients, so the attachment appears to be a JPEG image. The worm searches for the Start Menu/Programs/StartUp directory in the %system% subdirectory (the directory name varies with the language localization of MS Windows) and copies itself into it as a file named dllxw.exe of 17370 bytes.
The worm also modifies the system.ini file. In the [boot] section of system.ini it adds the following line:
shell=explorer.exe %system%\vxd32v.exe
The worm makes the above change only on Windows 95/98 and ME systems, where every program named on the shell= line of system.ini is started together with the shell.
The worm also modifies the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, where it adds a value named load32 with the data %system%\l32x.exe to ensure that it is started again after a restart.
The worm harvests the addresses it spreads to from files with the following extensions: html, htm, dbx, wab, tbb and abd. (dbx files are Outlook Express mail stores and wab is the Windows Address Book, so the harvested list typically covers everyone the victim has corresponded with.)
The worm Win32/Dumaru.Y monitors the user's keystrokes and stores some of the typed sequences in a file named %windir%\vxdload.log. The worm also opens ports 10000 and 2283 on the infected computer.
Detection of Win32/Dumaru.Y, based on a sample, has been included since version 1.606.
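The host-side indicators listed above (the copy in the StartUp folder, the extra program on the system.ini shell= line, the load32 Run value, the vxdload.log file, the two open ports and the space-padded attachment name) can be checked together by a small scanner. The following Python script is an added example, not part of the ESET entry and not the worm's own code; the system.ini text, Run values, StartUp listing, port list and attachment names it scans are constructed samples, and on a real Windows 9x/ME host they would be read from the live system.ini, the registry, the StartUp folder and the socket table instead. The attachment check is written generally: it flags any name whose visible, benign-looking extension is followed by whitespace and an executable extension, not only the myphoto.jpg case.

```python
"""
Indicator check for the Win32/Dumaru.Y persistence and payload artifacts
described in the encyclopedia entry.  Added example, not ESET code; all
inputs below are constructed samples, not data from a real infection.
"""
import re

# Extensions Windows executes even when a benign-looking extension precedes
# them in the filename (the padding trick: photo.jpg<spaces>.exe).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# File names, Run value name and ports taken from the entry.
KNOWN_FILES = {"dllxw.exe", "vxd32v.exe", "l32x.exe", "vxdload.log"}
KNOWN_RUN_VALUE = "load32"
KNOWN_PORTS = {10000, 2283}


def hidden_executable(filename):
    """Return the real extension when a visible extension is followed by
    whitespace padding and an executable extension, otherwise None."""
    m = re.match(r"^(.*?\.\w+)(\s+)(\.\w+)$", filename)
    if not m:
        return None
    real = m.group(3).lower()
    return real if real in EXECUTABLE_EXTENSIONS else None


def shell_extra_programs(system_ini_text):
    """Parse the [boot] section of system.ini and return every program on
    the shell= line other than explorer.exe.  On Windows 9x/ME each of them
    is started with the shell.  Paths containing spaces are split here,
    which is acceptable for a detector (the fragments still stand out)."""
    in_boot = False
    extras = []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            programs = line.split("=", 1)[1].split()
            extras.extend(p for p in programs if p.lower() != "explorer.exe")
    return extras


def scan(system_ini_text, run_values, startup_files, listening_ports,
         attachments=()):
    """Run all checks and return a list of human-readable findings."""
    findings = []
    for prog in shell_extra_programs(system_ini_text):
        findings.append(f"system.ini [boot] shell= starts extra program: {prog}")
    for name, command in run_values.items():
        basename = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == KNOWN_RUN_VALUE or basename in KNOWN_FILES:
            findings.append(f"Run value {name} = {command}")
    for f in startup_files:
        if f.lower() in KNOWN_FILES:
            findings.append(f"StartUp folder contains {f}")
    for port in sorted(set(listening_ports) & KNOWN_PORTS):
        findings.append(f"port {port} is open and matches the worm's backdoor")
    for a in attachments:
        ext = hidden_executable(a)
        if ext:
            findings.append(f"attachment {a!r} hides executable extension {ext}")
    return findings


# Constructed sample inputs standing in for the live host data.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\SYSTEM\vxd32v.exe
[386Enh]
device=*vshare
"""
SAMPLE_RUN_VALUES = {
    "load32": r"C:\WINDOWS\SYSTEM\l32x.exe",   # the worm's value
    "SystemTray": "SysTray.Exe",                # benign, must not be flagged
}
SAMPLE_STARTUP = ["desktop.ini", "dllxw.exe"]
SAMPLE_PORTS = [135, 139, 2283, 10000]
SAMPLE_ATTACHMENTS = ["myphoto.jpg" + " " * 56 + ".exe", "report.pdf"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES, SAMPLE_STARTUP,
                        SAMPLE_PORTS, SAMPLE_ATTACHMENTS):
        print(finding)
```

On the sample data the scan reports six findings: the extra shell= program, the load32 Run value, dllxw.exe in StartUp, both open ports and the padded attachment name; the benign SysTray.Exe entry, report.pdf and the standard ports 135/139 are left alone.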
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way, in any form or by any means, without prior permission.

