W32/Dumaru-A
Type: Win32 executable file virus

Description
W32/Dumaru-A is a virus that spreads using email and infects other executables using NTFS Alternate Data Streams.

The virus arrives in an email message with the following characteristics:
Sender: "Microsoft" <security@microsoft.com>
Subject line: Use this patch immediately !
Message text: Dear friend, use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attached file: patch.exe

When the attachment is run, W32/Dumaru-A copies itself into the Windows folder as dllreg.exe and into the Windows system folder as load32.exe and vxdmgr32.exe. W32/Dumaru-A drops and runs <Windows>\windrv.exe. Windrv.exe is a backdoor Trojan detected by Sophos Anti-Virus as Troj/Narod-B.

The virus creates the registry value load32 of the registry key \HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the virus file <Windows system>\load32.exe is run on Windows startup.

W32/Dumaru-A also changes the system files system.ini and win.ini. The shell entry of the boot section in system.ini is changed so that it contains a reference to the virus file vxdmgr32 in the Windows system folder. The virus creates a run entry in the windows section of win.ini to reference the virus file dllreg.exe in the Windows folder.

W32/Dumaru-A has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB.

On systems with NTFS the virus attempts to infect all PE executable files by replacing the original file with a copy of itself and saving the original file in an alternate data stream named STR.

Read more: http://www.sophos.com/virusinfo/analyses/w32dumarua.html
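The description above lists three persistence hooks (the load32 Run value, the system.ini shell entry and the win.ini run entry). As an added triage example, not part of the Sophos write-up or the original post, the script below checks captured copies of those two INI files plus an exported set of Run values for the named files; the INI parser and the sample file contents are constructed for the demonstration.

```python
import re

# File names taken from the Sophos description of W32/Dumaru-A.
FILE_INDICATORS = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}


def parse_ini(text):
    """Parse classic win.ini/system.ini text into {section: {key: value}}.

    Section and key names are lower-cased so lookups are case-insensitive,
    which matches how Windows treats these legacy files.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _names_in(value):
    """Lower-cased basenames of every whitespace-separated path in a value."""
    return {re.split(r"[\\/]", tok)[-1].lower() for tok in value.split()}


def dumaru_indicators(system_ini, win_ini, run_values):
    """Return a list of findings for each persistence hook that matches."""
    findings = []
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if _names_in(shell) & FILE_INDICATORS:
        findings.append(f"system.ini [boot] shell={shell}")
    run = parse_ini(win_ini).get("windows", {}).get("run", "")
    if _names_in(run) & FILE_INDICATORS:
        findings.append(f"win.ini [windows] run={run}")
    # run_values: {value name: value data} exported from HKLM\...\CurrentVersion\Run
    for name, value in run_values.items():
        if name.lower() == "load32" or _names_in(value) & FILE_INDICATORS:
            findings.append(f"HKLM\\...\\Run {name}={value}")
    return findings


# Constructed samples that reproduce the hooks described above (not real captures).
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN_VALUES = {"load32": "C:\\WINDOWS\\SYSTEM\\load32.exe", "ctfmon.exe": "ctfmon.exe"}
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for finding in dumaru_indicators(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_RUN_VALUES):
        print("HIT:", finding)
```

On a live machine you would feed it the real system.ini and win.ini from the Windows folder and the Run key exported with reg.exe; the ADS-infected executables are a separate check that needs NTFS stream enumeration.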
Symantec removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.removal.tool.html Hopefully you won't need it, but in case you do, you'll have to copy and paste the link into your address bar. Pieter
That little nasty tried to trick me today but my AV warned me as mail came into my inbox that an email contained a virus in it ... I clicked Quarantine it and it was done ... no guessing!! Now that I like. This worm is history and had no chance of infecting my computer ... luv it!!