Win32:Dumaru

is a UPX-packed virus that spreads by e-mail and also infects other executables using NTFS alternate data streams.

The infected e-mail message has the following characteristics:
Sender: "Microsoft" [security@microsoft.com]
Subject line: Use this patch immediately !
Text: Dear friend, use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attached file: patch.exe
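
A mail-gateway check for the lure described above, written as an added example (not part of the original description): it parses a raw message and reports which of the three characteristics (sender, subject, attachment name) it matches. The two sample messages are constructed for the demonstration; the attachment body is placeholder text, not an executable.

```python
"""Detect the Win32:Dumaru lure e-mail from its message characteristics."""
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the description of the infected message.
LURE_SENDER = "security@microsoft.com"
LURE_SUBJECT = "use this patch immediately !"
LURE_ATTACHMENT = "patch.exe"


def dumaru_indicators(raw_message: str) -> dict:
    """Return which Dumaru lure characteristics a raw RFC 822 message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    # Collapse whitespace so folded or padded subjects still compare equal.
    subject = " ".join(msg.get("Subject", "").split()).lower()
    attachments = [
        (part.get_filename() or "").lower()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    return {
        "sender": sender.lower() == LURE_SENDER,
        "subject": subject == LURE_SUBJECT,
        "attachment": LURE_ATTACHMENT in attachments,
    }


def is_dumaru_lure(raw_message: str) -> bool:
    """Flag the message when the attachment name appears together with
    either lure header; the attachment name alone is too weak on its own."""
    hits = dumaru_indicators(raw_message)
    return hits["attachment"] and (hits["sender"] or hits["subject"])


# Constructed sample messages for the demonstration (not real captures).
LURE_SAMPLE = """From: "Microsoft" <security@microsoft.com>
To: user@example.invalid
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend, use this Internet Explorer patch now!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

placeholder bytes, not an executable
--b1--
"""

BENIGN_SAMPLE = """From: alice@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    print("lure sample flagged:", is_dumaru_lure(LURE_SAMPLE))      # True
    print("benign sample flagged:", is_dumaru_lure(BENIGN_SAMPLE))  # False
```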

When activated, the virus copies itself into the Windows folder under the name dllreg.exe and into the Windows system folder under the names load32.exe and vxdmgr32.exe. It also drops and executes the file windrv.exe. This program is a backdoor trojan.

The virus creates the registry value load32 in the following registry key:
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Win32:Dumaru also modifies the system files system.ini and win.ini.

This virus has its own SMTP routine and collects e-mail addresses by searching the content of files with the following extensions: WAB, HTM, HTML, DBX, ABD and TBB.

On NTFS systems the virus attempts to infect every PE executable file by replacing the original file with a copy of itself and saving the original file's content in an alternate data stream of that file named STR.

avast! with a VPS file dated on or after 19th August 2003 is able to detect this worm.