What is
the Dumaru.Y Virus?
The Dumaru.Y virus is a
mass-mailing worm that emails copies of itself to email addresses found
on the infected machine. It uses its own SMTP engine to send these
emails and has backdoor capabilities that allow it to gather keystroke
and system information.
The
Dumaru.Z virus is almost identical to the Dumaru.Y virus, however it
has backdoor capabilities. It downloads a component detected as
BKDR_IROFFER12.B by Trend
Micro
It
runs on Windows 95, 98, ME, NT, 2000 and XP.
|
|
The email
has the following characteristics:
From: Elene
<FU<blocked>ENSUICIDE@hotmail.com>
Subject:
Important information for you. Read it immediately !
Message
Body:
Hi!
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
What
Does the Dumaru.Y Worm Do?
- Copies
itself as the following:
%System%\l32x.exe
%System%\vxd32v.exe
%Startup%\dllxw.exe
NOTES:
- %System%
is a variable. The worm locates the System folder and copies itself to
that location. By default, this is C:\Windows\System (Windows
95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
- %Startup%
is the Windows default startup folder
- Adds a
value:
"load32" = ”%System%\l32x.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Modifies
the windows section of system.ini file
[boot]
shell=explorer.exe %System%\vxd32v.exe
- On
Windows NT machines, it also modifies the following registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
shell = explorer.exe %System%\vxd32v.exe
- Retrieves
email addresses from files with the following extensions:
- Uses its
own SMTP engine to email itself.
- The
program logs keystrokes and gathers information from the infected
system. This information is sent to the malcious user through email. It
logs the gathered data to the following files:
It also
gathers clipboard data and protected storage data, as well as user
information related to E-gold bank accounts.
- It then
listens to the following ports for commands coming from the remote host
- 2283
This port acts as a TCP proxy that can be used by malicioius users to
connect to other hosts.
- 10000
This port is used to setup a remote File Transfer Protocol (FTP) server
that allows full access to all files on the infected system.
When a
connection to the host is established, it sends an email containing the
stolen system information using the infected machine’s
default SMTP server. It finds the said data from the following registry
entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Account Manager\Accounts\00000000
The Dumaru.Z variant of this virus has backdoor capabilities. It
downloads a component detected as BKDR_IROFFER12.B from the following
addresses:
- http://youand<BLOCKED>edlove.com/load.exe
- http://gold<BLOCKED>
ting.com@%79o%75%61n%64menee%64%6co%76e.com/load.php
How
Can I Remove the Dumaru.Y worm?
Follow
these steps in removing the Dumaru.Y worm
1) Start Windows in Safe Mode
by pressing F8 as the computer is booting and choosing Safe Mode
2) Remove
the Registry entries
- Click on
Start, Run, Regedit
- In the
left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current
Version>Run
- In the
right panel, right-click and delete the following entry
"load32"
= ”%System%\l32x.exe"
- For
Windows XP or NT change the following key as well
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
NT>CurrentVersion>Winlogon
- In the
right panel, locate and change the entry from:
Shell = explorer.exe %System%\vxd32v.exe
to
Shell = explorer.exe
- Close
the Registry Editor
3) Correct
entries in the System.ini file
- Open the
SYSTEM.INI file. click Start>Run, type SYSTEM.INI, then press
Enter. This should open the file in your default text editor (usually
Notepad).
- Under
the [boot] section, locate the line that begins with:
Shell=Explorer.exe
- From the
same line, delete the malware path and file name:
%System%\vxd32v.exe
- Close
the SYSTEM.INI file and click Yes when prompted to save.
4) Delete
the additional entry in the Startup group
From the
Startup Group delete the file:
3) Delete
the infected files (for Windows ME and XP
remember to turn
off System Restore before searching for and
deleting these files to remove infected backed up files as well)
- Click
Start, point to Find or Search, and then click Files or Folders.
- Make
sure that "Look in" is set to (C:\WINDOWS).
- In the
"Named" or "Search for..." box, type, or copy and paste, the file names:
l32x.exe (in the Windows\System directory)
vxd32v.exe (in the Windows\System directory)
winload.log (in the Windows directory)
vxdload.log
rundllx.sys
- Click
Find Now or Search Now.
- Delete
the displayed files.
4) Reboot
the computer and run a thorough virus scan using your favorite
antivirus program.
|
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Spyware/Adware Removal Help
MSBlast.exe Worm Removal
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall McAfee Instructions
Uninstall Norton Instructions
Uninstall Avast Instructions
Uninstall AVG Instructions
Uninstall Antivir Instructions
Uninstall Panda Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
MyDoom Virus Removal
MiMail.C Virus Removal
Swen Worm Virus Removal
SoBig.F Worm Removal
Dumaru Virus Removal
BugBear.B Worm Removal
SoBig.E Worm Removal
Pop Up Ad Removal Info
KAK Worm Removal
MiMail.A Worm Removal
W95.MTX Virus Removal
Snow White Virus Removal
BadTrans Trojan Removal
Wininit Virus (Bymer Trojan)
Happy99 Worm Removal
VBS Netlog Worm Removal
Pretty Park Worm Removal
Sasser Worm Virus Removal
Backdoor SDBot.H Trojan Removal
VBS.Loveletter Help
Computer Security Information
Back Orifice Information
PC HELL Main Page
iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad
Download Hoyle Games including Casino 3D, Card, Board, and Solitaire games.
|