Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Dumaru.A

Win32/Dumaru.A is a worm that spreads as an e-mail attachment. The worm file is 9324 bytes long and is packed with the UPX utility; unpacked it is about 45 KB. It requires Windows 95 or a newer Windows version to run.

Win32/Dumaru.A arrives in a message whose From header is forged to read security@microsoft.com; the address is chosen to look like a vendor security bulletin and says nothing about where the message really came from. The subject of the message is "Use this patch immediately !". The body of the message reads:

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
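A mail-gateway check for this lure, as an added example (it is not ESET's code and does not reproduce the worm). It parses a message constructed to match the description above and reports the indicators the entry gives: a From header claiming security@microsoft.com, the exact subject, and an executable attachment named patch.exe. The attachment body is a constructed MZ header stub, not the worm; the function and field names and the quarantine rule are this example's own choices.

```python
"""Triage for the Dumaru.A lure: added example, not ESET code, not the worm."""
import email
import ntpath
from email import policy

# Constructed sample modelled on the entry; the base64 is only an MZ header stub.
SAMPLE_EML = """\
From: security@microsoft.com
To: victim@example.net
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

LURE_SUBJECT = "Use this patch immediately !"
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def triage(raw: str) -> dict:
    """Return matched indicators, attachment names and a quarantine decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    has_executable = False

    # The From header is whatever the sender typed; nothing in the message
    # authenticates it, so a microsoft.com address is an indicator, not proof.
    sender = str(msg.get("From", "")).strip().lower()
    if sender.endswith("@microsoft.com"):
        findings.append("From claims microsoft.com (unauthenticated header)")

    if str(msg.get("Subject", "")).strip() == LURE_SUBJECT:
        findings.append("subject matches the Dumaru.A lure")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        ext = ntpath.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
            has_executable = True
        # Check content as well as the name: a PE file starts with 'MZ'.
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            findings.append(f"attachment {name} is a PE executable (MZ header)")
            has_executable = True

    # Rule (this example's choice): an executable attachment alone is enough to
    # hold the message for review; the other indicators only raise confidence.
    return {"findings": findings, "attachments": attachments,
            "quarantine": has_executable}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print(line)
```

The two attachment checks are deliberately separate: the name check catches the lure as described, while the MZ check still fires if a later variant renames the attachment to something that does not end in .exe.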

Note: In the text that follows, %windir% stands for the directory in which Windows is installed (this differs from installation to installation), and %system% for its System or System32 subdirectory.

The body of the worm is the message attachment, a file named patch.exe, 9324 bytes long. When it is run it creates a copy of itself named dllreg.exe (9234 bytes) and a Trojan horse component windrv.exe (8192 bytes) in %windir%, and two further copies, load32.exe and vxdmgr32.exe (9234 bytes each), in %system%. It also creates the file winload.log in %windir%.

The worm modifies system.ini and win.ini: it adds the line shell=explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe to the [boot] section of system.ini and run=C:\WINDOWS\dllreg.exe to the [windows] section of win.ini (note the hard-coded C:\WINDOWS paths). These .ini entries are effective only on Windows 95/98/Me. It also creates the registry value load32 with the data C:\WINDOWS\SYSTEM\load32.exe under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Each of these entries starts Win32/Dumaru.A again every time the operating system is restarted, so all of them must be removed when cleaning an infected system, not just the registry value.
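A check for the three autostart entries listed above, as an added example (not ESET's code). It works on the text of system.ini and win.ini and the values under the Run key as already collected from the host or from a mounted disk image, so it runs anywhere. The two .ini files and the Run values below are constructed to look like an infected Windows 98 system; the function names and the generic checks are this example's own.

```python
"""Autostart check for Dumaru.A persistence: added example, not ESET code."""
import ntpath
import re

# File names the entry lists as dropped by the worm.
DUMARU_FILES = {"dllreg.exe", "windrv.exe", "load32.exe", "vxdmgr32.exe"}

# Constructed sample input: what an infected Windows 9x system would show.
SYSTEM_INI = r"""
[boot]
shell=explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe
drivers=mmsystem.dll

[386Enh]
device=*vshare
"""

WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\dllreg.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (constructed).
RUN_VALUES = {
    "load32": r"C:\WINDOWS\SYSTEM\load32.exe",
    "SystemTray": "SysTray.Exe",
}


def parse_ini(text):
    """Minimal INI parser: {section: {key: raw value}}. Keys are lowercased,
    values kept verbatim so extra arguments on shell= or run= survive."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def program_name(token):
    """Lowercased basename of a path token with surrounding quotes removed."""
    return ntpath.basename(token.strip().strip('"')).lower()


def check_autostart(system_ini, win_ini, run_values):
    """Return the Dumaru file names referenced from autostart locations plus
    generic findings that are suspicious on any Windows 9x system."""
    generic, referenced = [], []

    # On a clean Windows 9x system the [boot] shell= line names only the shell;
    # every further token is an extra program started with it.
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    extra = shell.split()[1:]
    if extra:
        generic.append(f"system.ini [boot] shell= starts extra program(s): {shell}")
        referenced.extend(extra)

    # win.ini run= and load= are legacy autostart lists (comma or space
    # separated) and are empty on a clean system.
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        if value:
            generic.append(f"win.ini [windows] {key}= is set: {value}")
            referenced.extend(re.split(r"[,\s]+", value))

    # Registry Run values are normal on their own; match only the listed names.
    referenced.extend(run_values.values())

    found = sorted({program_name(t) for t in referenced
                    if program_name(t) in DUMARU_FILES})
    return {"dumaru_files": found, "generic": generic}


if __name__ == "__main__":
    result = check_autostart(SYSTEM_INI, WIN_INI, RUN_VALUES)
    print("Dumaru files in autostart:", result["dumaru_files"])
    for line in result["generic"]:
        print("generic:", line)
```

The generic checks matter more than the name list: a renamed variant still has to put something after explorer.exe in shell= or into run= to survive a reboot on Windows 9x, and a clean system has nothing there. windrv.exe is on the dropped-file list but the entry does not attach it to any autostart location, so look for it on disk separately.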

Win32/Dumaru.A harvests the e-mail addresses it sends itself to from files on the infected computer with the extensions html, htm, dbx (Outlook Express message stores), wab (Windows Address Book), tbb (The Bat! message base) and abd.

NOD32 detects Win32/Dumaru.A from virus signature database version 1.489 onward.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.