W32/Dumaru-A

Discussion in 'malware problems & news' started by FanJ, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    W32/Dumaru-A

    Type :
    Win32 executable file virus

    Description
    W32/Dumaru-A is a virus that spreads using email and infects other executables using NTFS Alternate Data Streams.

    The virus arrives in an email message with the following characteristics:
    Sender: "Microsoft" <security@microsoft.com>
    Subject line: Use this patch immediately !
    Message text: Dear friend, use this Internet Explorer patch now!
    There are dangerous virus in the Internet now!
    More than 500.000 already infected!
    Attached file: patch.exe

    When the attachment is run W32/Dumaru-A copies itself into the Windows folder as dllreg.exe and into the Windows system folder as load32.exe and vxdmgr32.exe.

    W32/Dumaru-A drops and runs <Windows>\windrv.exe. Windrv.exe is a backdoor Trojan detected by Sophos Anti-Virus as Troj/Narod-B.

    The virus creates the registry value load32 of the registry key

    \HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the virus file <Windows system>\load32.exe is run on Windows startup.

    W32/Dumaru-A also changes the system files system.ini and win.ini. The shell entry of the boot section in system.ini is changed so that it contains a reference to the virus file vxdmgr32 in the Windows system folder.

    The virus creates a run entry in the windows section of win.ini to reference the virus file dllreg.exe in the Windows folder.

    W32/Dumaru-A has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB.

    On systems with NTFS the virus attempts to infect all PE executable files by replacing the original file with a copy of itself and saving the original file in an alternate data stream STR.

    Read more:
    http://www.sophos.com/virusinfo/analyses/w32dumarua.html
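Host triage for the indicators listed in the Sophos text above, as an added example that is not part of the original post and not a vendor tool. It assumes the file names, the load32 Run value, the system.ini/win.ini hooks and the STR stream name exactly as the write-up gives them; the sample registry values, .ini contents and mail headers at the bottom are constructed for the example, not captured from a real infection. The checks are pure functions so they can be run over exported data (a .reg dump, the two .ini files, message headers) on any platform; only original_from_ads needs to run on the infected NTFS volume itself, where Python's open() accepts the Windows "file:stream" syntax.

```python
"""Triage checks for the W32/Dumaru-A persistence indicators quoted above.

Added example, not from the original post or any vendor tool.  Sample data
at the bottom is constructed, not captured from a real host.
"""
import ntpath

# File names and registry value taken from the description above.
DROPPED_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}
RUN_VALUE = "load32"
ADS_NAME = "STR"  # stream holding the original PE body on NTFS (per the write-up)


def parse_ini(text):
    """Minimal Windows .ini parser: {section: {key: value}}, names case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_run_key(values):
    """values: name -> data under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.

    Flags the load32 value by name and any value whose target is a dropped file."""
    hits = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() in DROPPED_FILES:
            hits.append(f"Run value {name} = {data}")
    return hits


def check_ini_files(system_ini, win_ini):
    """Flag the two legacy autostart hooks the virus edits."""
    hits = []
    # A clean system.ini has 'shell=Explorer.exe' with nothing appended to the line.
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    for token in shell.split():
        if ntpath.basename(token).lower() != "explorer.exe":
            hits.append(f"system.ini [boot] shell loads {token}")
    # 'run=' in win.ini [windows] is normally empty; anything there starts at logon.
    run = parse_ini(win_ini).get("windows", {}).get("run", "")
    if run:
        hits.append(f"win.ini [windows] run={run}")
    return hits


def is_patch_lure(headers, attachment_name):
    """Mail rule: Microsoft does not ship patches as e-mail attachments, so a
    message claiming a microsoft.com sender with an .exe attached is a lure."""
    sender = headers.get("From", "").lower()
    return "microsoft.com" in sender and attachment_name.lower().endswith(".exe")


def original_from_ads(path):
    """On an infected NTFS volume the original program body is in <path>:STR.
    Returns its bytes, or None when the stream (or NTFS) is not there."""
    try:
        with open(f"{path}:{ADS_NAME}", "rb") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample data mimicking an infected host (not real captures).
SAMPLE_RUN = {"load32": r"C:\WINDOWS\system32\load32.exe",
              "SoundMan": "SOUNDMAN.EXE"}
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\system32\\vxdmgr32.exe\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n"
SAMPLE_HEADERS = {"From": '"Microsoft" <security@microsoft.com>',
                  "Subject": "Use this patch immediately !"}


def triage():
    """Run every check over the sample data; returns the list of findings."""
    findings = check_run_key(SAMPLE_RUN) + check_ini_files(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    if is_patch_lure(SAMPLE_HEADERS, "patch.exe"):
        findings.append("mail: fake Microsoft patch lure with patch.exe attached")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

If original_from_ads returns data for an .exe, that is the clean program and can be written back over the infected main stream; the STR stream itself stays behind until the file is rewritten or the ADS is deleted. Note that copying the infected file to a FAT volume or through a tool that ignores streams drops the STR stream, and the original is then gone for good, so recover from the NTFS volume in place.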
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Symantec removal tool:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.removal.tool.html

    Hopefully you won't need it, but in case you do, you'll have to copy and paste the link into your address bar.

    Pieter
     
  3. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    That little nasty tried to trick me today but my AV warned me as mail came into my inbox that an email contained a virus in it ... I clicked Quarantine it and it was done ... no guessing!! Now that I like. :cool: This worm is history and had no chance of infecting my computer ... luv it!!
     