What is the Dumaru.Y Virus?

The Dumaru.Y virus is a mass-mailing worm that emails copies of itself to email addresses found on the infected machine. It uses its own SMTP engine to send these emails and has backdoor capabilities that allow it to gather keystroke and system information. The Dumaru.Z variant is almost identical to Dumaru.Y, but it additionally downloads a backdoor component detected as BKDR_IROFFER12.B by Trend Micro. The worm runs on Windows 95, 98, ME, NT, 2000 and XP.

The email has the following characteristics:

From: Elene <FU<blocked>ENSUICIDE@hotmail.com>
Subject: Important information for you. Read it immediately !
Message Body: Hi! Here is my photo, that you asked for yesterday.
Attachment: myphoto.zip

What Does the Dumaru.Y Worm Do?

Copies itself as the following:

%System%\l32x.exe
%System%\vxd32v.exe
%Startup%\dllxw.exe

NOTES:

%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %Startup% is the Windows default Startup folder, so the copy placed there runs at every logon.

Adds the value:

"load32" = "%System%\l32x.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Modifies the [boot] section of the system.ini file so that the worm is launched together with the Windows shell:

[boot]
shell=explorer.exe %System%\vxd32v.exe

On Windows NT-based machines (NT, 2000, XP), it also modifies the Shell value under the following registry key in the same way:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

shell = explorer.exe %System%\vxd32v.exe

Retrieves email addresses from files with the following extensions:

Uses its own SMTP engine to email itself.

The program logs keystrokes and gathers information from the infected system, and sends this information to the malicious user by email. It logs the gathered data to files on disk; the removal steps below name them as winload.log (in the Windows directory), vxdload.log and rundllx.sys. It also gathers clipboard data and Protected Storage data (where Internet Explorer and Outlook Express keep saved passwords), as well as user information related to E-gold accounts.

It then listens on the following ports for commands from the remote host:

2283 - This port acts as a TCP proxy that can be used by malicious users to connect to other hosts.
10000 - This port is used to set up a remote File Transfer Protocol (FTP) server that allows full access to all files on the infected system.

When a connection to the host is established, it sends an email containing the stolen system information using the infected machine's default SMTP server. It reads the SMTP server settings from the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\00000000

The Dumaru.Z variant of this worm has the additional backdoor capability of downloading a component detected as BKDR_IROFFER12.B from the following addresses:

http://youand<BLOCKED>edlove.com/load.exe
http://gold<BLOCKED>ting.com@%79o%75%61n%64menee%64%6co%76e.com/load.php

Note that the second address uses the user@host form of a URL with a percent-encoded host name: the part before the @ is not the site actually contacted, which is a common trick for disguising a download location.

How Can I Remove the Dumaru.Y Worm?

Follow these steps to remove the Dumaru.Y worm:

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode.

2) Remove the registry entries.

Click Start, Run, and type Regedit. In the left panel go to:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, right-click and delete the following entry:

"load32" = "%System%\l32x.exe"

For Windows NT, 2000 or XP, change the following key as well. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon

In the right panel, locate and change the entry from:

Shell = explorer.exe %System%\vxd32v.exe

to:

Shell = explorer.exe

Close the Registry Editor.

3) Correct entries in the System.ini file.

Open the SYSTEM.INI file: click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad). Under the [boot] section, locate the line that begins with:

Shell=Explorer.exe

From the same line, delete the malware path and file name:

%System%\vxd32v.exe

Close the SYSTEM.INI file and click Yes when prompted to save.

4) Delete the additional entry in the Startup group.

From the Startup group, delete the worm's copy dllxw.exe (listed above as %Startup%\dllxw.exe).

5) Delete the infected files. For Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backup copies are removed as well.

Click Start, point to Find or Search, and then click Files or Folders. Make sure that "Look in" is set to the Windows folder (C:\WINDOWS, or C:\WINNT on Windows NT/2000) and that subfolders are included. In the "Named" or "Search for..." box, type, or copy and paste, the file names:

l32x.exe (in the Windows\System directory)
vxd32v.exe (in the Windows\System directory)
winload.log (in the Windows directory)
vxdload.log
rundllx.sys

Click Find Now or Search Now. Delete the displayed files.

6) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
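The persistence indicators listed under "What Does the Dumaru.Y Worm Do?" and the manual edits in steps 2 and 3 above can be checked against exported artifacts before anything is touched by hand. The following Python script is an added example, not code from the PC HELL page or from any antivirus vendor: it inspects system.ini text, Run-key values, the Winlogon Shell value, a directory listing and netstat -an output for the file names, value name and ports named on this page, and produces the repaired shell= line that step 3 edits manually. All sample inputs are constructed; on a real machine they would come from the system.ini file, a regedit export and netstat -an.

```python
# Added example (not code from the PC HELL page or any vendor): text-based
# checks for the Dumaru.Y persistence indicators described on this page.
# All sample inputs below are constructed to resemble an infected machine.
import ntpath
import re

# Indicators named on the page.
WORM_FILES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}
DATA_FILES = {"winload.log", "vxdload.log", "rundllx.sys"}
RUN_VALUE_NAME = "load32"
BACKDOOR_PORTS = {2283, 10000}

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
SHELL_LINE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)
# A TCP line of 'netstat -an' output in LISTENING state; group 1 is the port.
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def first_program(command):
    """Base name of the first program on a command line (handles a quoted path)."""
    command = command.strip()
    if command.startswith('"'):
        prog = command[1:].split('"', 1)[0]
    else:
        prog = command.split()[0] if command else ""
    return ntpath.basename(prog).lower()

def shell_extras(value):
    """Programs a Shell value carries beyond the first one.
    Dumaru.Y turns 'explorer.exe' into 'explorer.exe %System%\\vxd32v.exe',
    so anything after the first token is suspect whatever its name."""
    return value.split()[1:]

def clean_shell_value(value):
    """The Shell value with the appended program(s) removed."""
    parts = value.split()
    return parts[0] if parts else "explorer.exe"

def check_system_ini(text):
    """Inspect and repair the shell= line of the [boot] section.
    Returns (extras, repaired_text); extras is empty on a clean file."""
    extras, out, in_boot = [], [], False
    for line in text.splitlines():
        section = SECTION.match(line)
        if section:
            in_boot = section.group(1).lower() == "boot"
        match = SHELL_LINE.match(line) if in_boot else None
        if match:
            extras = shell_extras(match.group(1))
            line = "shell=" + clean_shell_value(match.group(1))
        out.append(line)
    return extras, "\n".join(out) + "\n"

def check_winlogon_shell(value):
    """Same check for the Winlogon 'Shell' value on Windows NT/2000/XP."""
    return shell_extras(value)

def check_run_values(values):
    """Names of Run-key values (name -> command) that start the worm."""
    return [name for name, command in values.items()
            if name.lower() == RUN_VALUE_NAME or first_program(command) in WORM_FILES]

def check_file_names(names):
    """Worm copies and its data files among a directory listing."""
    return sorted({n.lower() for n in names} & (WORM_FILES | DATA_FILES))

def check_listening_ports(netstat_lines):
    """Backdoor ports found listening in 'netstat -an' output."""
    found = set()
    for line in netstat_lines:
        match = NETSTAT_LISTEN.match(line)
        if match and int(match.group(1)) in BACKDOOR_PORTS:
            found.add(int(match.group(1)))
    return found

# Constructed samples (not captured from a real infection).
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxd32v.exe
[386Enh]
device=*vmm32
"""
SAMPLE_RUN_VALUES = {"load32": "C:\\WINDOWS\\SYSTEM\\l32x.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1040       10.0.0.1:25            ESTABLISHED",
]

if __name__ == "__main__":
    extras, repaired = check_system_ini(SAMPLE_SYSTEM_INI)
    print("system.ini extras:", extras)
    print(repaired)
    print("Run values:", check_run_values(SAMPLE_RUN_VALUES))
    print("Winlogon Shell extras:", check_winlogon_shell("explorer.exe C:\\WINNT\\system32\\vxd32v.exe"))
    print("Backdoor ports listening:", sorted(check_listening_ports(SAMPLE_NETSTAT)))
```

The repaired text is what step 3 produces by hand; the script only strips the appended program from the shell= line and reports hits, it does not delete files or write to the registry, so every hit still has to be followed by the removal steps above. Flagging anything after the first token of a Shell value, rather than only vxd32v.exe, also catches a renamed copy.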
 
   
 
 