Threat Encyclopedia


Win32/Dumaru.L

Win32/Dumaru.L is a worm that spreads as an e-mail attachment. The worm is 34818 bytes long and is compressed with the UPX utility; unpacked, it is 77 KB long. It is a newer version of the Win32/Dumaru.A worm and installs a Trojan horse into the system. It requires Windows 95 or newer to run.

Win32/Dumaru.A arrives in a message that appears to come from security@microsoft.com. The subject of the message is "Use this patch immediately !". The body of the message contains the following text:

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Note: In the following text the symbolic name %windir% is used instead of the name of the directory in which the Windows operating system is installed, as this may differ from installation to installation. The name %system% represents the subdirectory System or System32 in the directory %windir%.

The file containing the body of the worm is located in the message attachment. It is named patch.exe and its length is 34818 bytes. When it is run, it creates a copy of itself named dllreg.exe (34818 bytes) and a Trojan horse guid32.dll (4096 bytes) in the directory %windir%. It also creates the files load32.exe and vxdmgr32.exe in the directory %system%, both 34818 bytes long. In addition, it creates the files winload.lo and vxdload.lo in the directory %windir%.

The worm modifies the files system.ini and win.ini: it adds the line shell=explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe to the [boot] section of system.ini and the line run=C:\WINDOWS\dllreg.exe to the [windows] section of win.ini. This applies to Windows 95/98/Me only. It also modifies the system registry, creating a value load32 with the data C:\%system%\load32.exe in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. These modifications ensure that the worm Win32/Dumaru.L is activated each time the operating system is restarted.

Win32/Dumaru.L creates a value kwmfound with the data dword:00000000 in the registry key HKEY_LOCAL_MACHINE\Software\AAAA.
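The persistence entries described above (the system.ini and win.ini lines, the load32 value in the Run key, and the kwmfound marker key) are the artefacts a responder would look for on a suspect Windows 9x host. The following is an added example, not ESET's tooling and not code from the original entry: it parses ini content and registry data for exactly those indicators. The ini text, the Run-key values and the set of present registry keys are constructed samples (an operator would supply them from the host, e.g. from exported registry data), and the Run value uses an expanded path where the entry writes C:\%system%.

```python
# Added example (not ESET's tooling, not the worm's code): host-side check for
# the Win32/Dumaru.L persistence entries described in the entry. All sample
# ini content and registry data below is constructed.

# File names the entry says the worm drops (matched case-insensitively).
DROPPED_FILES = ("dllreg.exe", "guid32.dll", "load32.exe", "vxdmgr32.exe",
                 "winload.lo", "vxdload.lo")

# (ini file, section, key, executable appended): the Windows 95/98/Me entries.
INI_INDICATORS = (
    ("system.ini", "boot", "shell", "vxdmgr32.exe"),
    ("win.ini", "windows", "run", "dllreg.exe"),
)

REG_RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
REG_MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\AAAA"


def parse_ini(text):
    """Minimal INI parser returning {section: {key: value}} with section and
    key names lower-cased. Tolerates blank lines, ';' comments and bare keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ini(name, text):
    """Return findings for one ini file (name is 'system.ini' or 'win.ini')."""
    findings = []
    parsed = parse_ini(text)
    for ini_name, section, key, exe in INI_INDICATORS:
        if ini_name == name:
            value = parsed.get(section, {}).get(key, "")
            if exe in value.lower():
                findings.append(f"{name}: [{section}] {key}={value}")
    return findings


def check_registry(run_values, present_keys):
    """run_values: {value name: data} read from the HKLM ...\\Run key;
    present_keys: registry key paths known to exist on the host."""
    findings = []
    for name, data in run_values.items():
        if any(dropped in data.lower() for dropped in DROPPED_FILES):
            findings.append(f"{REG_RUN_KEY}\\{name} = {data}")
    if REG_MARKER_KEY.lower() in {k.lower() for k in present_keys}:
        findings.append(f"marker key present: {REG_MARKER_KEY}")
    return findings


def scan(system_ini, win_ini, run_values, present_keys):
    """Combine the ini and registry checks into one list of findings."""
    return (check_ini("system.ini", system_ini)
            + check_ini("win.ini", win_ini)
            + check_registry(run_values, present_keys))


# Constructed sample of an infected Windows 98 host, built from the entry's
# description. The Run value uses an expanded path in place of C:\%system%.
INFECTED_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\SYSTEM\vxdmgr32.exe
[386Enh]
"""
INFECTED_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\dllreg.exe
[Desktop]
"""
INFECTED_RUN_VALUES = {
    "load32": r"C:\WINDOWS\SYSTEM\load32.exe",
    "SystemTray": "SysTray.Exe",   # unrelated value, must not be flagged
}
INFECTED_KEYS = {REG_MARKER_KEY}

# Constructed clean host: stock shell line, empty run=, no marker key.
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    for line in scan(INFECTED_SYSTEM_INI, INFECTED_WIN_INI,
                     INFECTED_RUN_VALUES, INFECTED_KEYS):
        print("FINDING:", line)
    print("clean host findings:", scan(CLEAN_SYSTEM_INI, CLEAN_WIN_INI, {}, set()))
```

The checks match on the dropped file names rather than on full paths, because the entry itself notes that the Windows directory differs between installations; the clean sample shows that a stock shell=explorer.exe line and an empty run= entry produce no findings.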

Win32/Dumaru.L harvests the e-mail addresses it spreads to from files with the extensions html, htm, dbx, wab, tbb and abd.

NOD32 detects Win32/Dumaru.L from version 1.525. NOD32 v.2 detects this virus using extended heuristics without an update.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.