W32/Dumaru-AE

Aliases
I-Worm.Dumaru.p

Type
Win32 worm

W32/Dumaru-AE is a stealthing polymorphic worm that spreads via email and the KaZaA peer-to-peer network. The worm also has backdoor functionality and will steal password and system information from the victim's computer.
W32/Dumaru-AE arrives as an email with a file attachment named document.zip. Document.zip contains a file named myphoto.jpg<56 spaces>.exe. When this file is executed a file named nload.exe is dropped to the root folder and is executed.

When the worm is first executed it displays garbage text using Notepad.

W32/Dumaru-AE copies itself to files named 1111a.exe and 1111c.exe in the Windows system folder and 1111b.exe in the startup folder. The following registry entry is created to ensure that the worm is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = 1111a.exe

The worm may also set the following line in the system.ini file:
Shell = explorer.exe <System>\1111c.exe

W32/Dumaru-AE also copies itself into the KaZaA folder with one of the following filenames and one of the following extensions EXE, SCR, PIF or BAT:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

W32/Dumaru-AE runs as a service process, monitors user activity and will periodically email this information to an attacker. The information collected includes keystroke logs, the contents of the clipboard and system details. The information collected from the victims machine is stored in the log files 1111c.log and 1111k.log.

W32/Dumaru-AE harvests email addresses from HTM, WAB, HTML, ASP, TXT, DBX, TBB and ABD files and stores found addresses in the file 1111mail.log.

http://www.sophos.com/virusinfo/analyses/w32dumaruae.html