Threat Encyclopedia


Win32/Dumaru.Y

Win32/Dumaru.Y is a worm that spreads as a file attached to an e-mail. Its size is 17370 bytes and it spreads in the form of a deliberately damaged ZIP file. It is yet another variant of the worm Win32/Dumaru.A. The worm is compressed with the FSG utility; after decompression its size grows to approximately 65 KB. The worm installs a key-logging Trojan. It runs on Microsoft Windows 95 and newer.

The worm arrives in an e-mail with the fake sender address "Elene" <FUCKENSUICIDE@HOTMAIL.COM> and the following subject line: "Important information for you. Read it immediately !". The message body contains the following text:

Hi !
Here is my photo, that you asked for yesterday.

Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The attachment of the worm message is a file named myphoto.zip of size 17613 bytes, containing a file named myphoto.jpg[56 spaces].exe of size 17370 bytes. The worm searches for the Start Menu/Programs/StartUp directory in the %system% subdirectory, whose name varies with the language localization of MS Windows. Into this subdirectory the worm copies a file named dllxw.exe of size 17370 bytes.

The worm also modifies the system.ini file. In the [boot] section of the system.ini file it adds the following line:

shell=explorer.exe %system%\vxd32v.exe

The worm makes the above mentioned changes on Windows 95/98 and ME systems only.

The worm also changes the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, where it adds an entry named load32 with the value %system%\l32x.exe to ensure that it is activated again after a restart.

The worm acquires addresses for its spreading from files with the following extensions: html, htm, dbx, wab, tbb and abd.

The worm Win32/Dumaru.Y monitors the user's keystrokes and stores some of the typed sequences in a file named %windir%\vxdload.log. The worm also opens ports 10000 and 2283 on the infected computer.
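The persistence artifacts listed above (the extra program on the system.ini shell= line, the load32 Run entry, the dllxw.exe copy in the StartUp folder and the two listening ports) can be checked offline from collected host data. The following is an added example, not code from the encyclopedia entry or its vendor; the file names, value name and ports come from the description, while the sample host state and the function names are constructed assumptions.

```python
# Added example, not from the encyclopedia entry: offline checks for the persistence
# artifacts listed above, run over constructed sample data (all inputs are assumptions).
DROPPED_FILES = {"dllxw.exe", "vxd32v.exe", "l32x.exe"}  # file names the worm writes
RUN_VALUE_NAME = "load32"                                # entry added under ...\Run
WORM_PORTS = {10000, 2283}                               # ports the worm opens

def boot_shell_extras(ini_text):
    """Programs on the [boot] shell= line other than explorer.exe (Win9x/ME runs each one)."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "shell":
                return [p for p in value.split() if p.lower() != "explorer.exe"]
    return []

def suspicious_run_entries(run_entries):
    """run_entries: {value name: command} as read from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, command in run_entries.items():
        exe = command.split()[0].rsplit("\\", 1)[-1].lower() if command.strip() else ""
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES:
            hits.append((name, command))
    return hits

def scan(ini_text, run_entries, startup_files, listening_ports):
    """Combine the checks; an empty dict means none of the listed artifacts were seen."""
    findings = {}
    if extras := boot_shell_extras(ini_text):
        findings["system.ini shell"] = extras
    if hits := suspicious_run_entries(run_entries):
        findings["Run entries"] = hits
    if dropped := sorted(f for f in startup_files if f.lower() in DROPPED_FILES):
        findings["StartUp folder"] = dropped
    if ports := sorted(WORM_PORTS & set(listening_ports)):
        findings["listening ports"] = ports
    return findings

# Constructed sample host state mirroring the description (not captured from a real machine).
SAMPLE_INI = "[boot]\nshell=explorer.exe %system%\\vxd32v.exe\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_RUN = {"load32": r"%system%\l32x.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_STARTUP = ["desktop.ini", "dllxw.exe"]
SAMPLE_PORTS = [135, 2283, 10000]
```

Calling `scan(SAMPLE_INI, SAMPLE_RUN, SAMPLE_STARTUP, SAMPLE_PORTS)` reports all four artifacts for the sample; a clean host returns an empty dict.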

Detection of Win32/Dumaru.Y based on a sample has been included since version 1.606.