How to Remove the Dumaru virus

What is the Dumaru Virus?
W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan called NAROD.A onto the infected machine. It connects to IRC on port 6667 so that remote users can control infected systems, and it also uses those systems to perform Denial of Service (DoS) attacks against other machines. The worm gathers email addresses from certain file types and uses its own SMTP mailing engine to email itself. The message described below should be recognized as a virus immediately, since Microsoft does not send patches via email.

For information on the Dumaru.Y virus click here


The email has the following characteristics:

From: "Microsoft" security@microsoft.com

Subject: Use this patch immediately !

Message:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment: patch.exe


What Does the Dumaru Worm Do?

This virus infects .EXE files using Alternate Data Streams (ADS). It searches the entire system for target executables but is only able to infect files in the root directory. This virus runs on Windows 95, 98, ME, NT, 2000, and XP. However, because only Windows 2000 and XP support Alternate Data Streams, infected .EXE files on the other platforms are left unrecoverable.

  1. Copies itself as the following:

    %Windir%\dllreg.exe
    %System%\load32.exe
    %System%\vxdmgr32.exe

    NOTES:
    • %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    • %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  2. Creates %Windir%\windrv.exe (8,192 bytes), which is an IRC Trojan. When run, it connects to a predefined IRC server and joins a specific channel to listen for commands from the worm's creator.
  3. Creates %Windir%\winload.log, which is a log file. The worm uses this file to store the stolen email addresses.
  4. Adds a value:

    "load32" = "%Windir%\load32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  5. Modifies the windows section of win.ini file (Windows 95/98/Me only):

    [windows]
    run=%Windir%\dllreg.exe


  6. Modifies the boot section of system.ini file (Windows 95/98/Me only):

    [boot]
    shell=explorer.exe %System%\vxdmgr32.exe


  7. Retrieves email addresses from files with the following extensions:

    .htm
    .wab
    .html
    .dbx
    .tbb
    .abd

  8. Uses its own SMTP engine to email itself.

How Can I Remove the Dumaru worm?

Follow these steps to remove the Dumaru worm:

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode

2) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

  • In the right panel, right-click and delete the following entry

load32 = %System%\load32.exe

  • For Windows XP or NT, remove the following entries as well
  • In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
  • In the right panel, locate and delete the entry:
    Shell = explorer.exe %System%\vxdmgr32.exe
  • In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
  • In the right panel, locate and delete the string:
    run = %Windir%\dllreg.exe
  • Close the Registry Editor

3) Delete the startup entries from the System.ini and Win.ini files (for Windows 95/98/ME)

  1. Open the SYSTEM.INI file: click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
  2. Under the [boot] section, locate the line that begins with:
    Shell=Explorer.exe
  3. From the same line, delete the malware path and file name:
    %System%\vxdmgr32.exe
  4. Close the SYSTEM.INI file and click Yes when prompted to save.
  5. Open the WIN.INI file using your default text editor. Click Start>Run, type WIN.INI, then press Enter.
  6. Under the [windows] section, locate the line that begins with:
    run =
  7. From the same line(s), delete the malware path and file name:
    %Windir%\dllreg.exe
  8. Close the WIN.INI file and click Yes when prompted to save.

4) Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    vxdmgr32.exe (in the Windows\System directory)
    dllreg.exe (in the Windows directory)
    load32.exe (in the Windows\System directory)

  • Click Find Now or Search Now.
  • Delete the displayed files.

5) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
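The checks and edits of steps 2 and 3 can be performed against copies of the files before touching them by hand. The Python below is an added example, not part of the original article or any vendor tool: it encodes the file names listed above, reports INI lines and Run values that reference them, and strips the worm's paths from the shell= and run= lines exactly as steps 2-3 and 6-7 describe. The sample INI contents and registry values are constructed.

```python
# Added example (not from the article): Dumaru indicator check and
# win.ini / system.ini cleanup mirroring the manual removal steps.
# All sample data below is constructed for the demonstration.

# Worm file names from the write-up (dropped copies plus the IRC Trojan).
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}

# Constructed stand-ins for an infected Windows 98 system.ini and win.ini,
# and for the values found under HKLM\...\CurrentVersion\Run.
SAMPLE_SYSTEM_INI = ("[boot]\nshell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n"
                     "[386Enh]\nEMMExclude=E000-EFFF\n")
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN_VALUES = {"load32": "C:\\WINDOWS\\SYSTEM\\load32.exe",
                     "ctfmon.exe": "C:\\WINDOWS\\System32\\ctfmon.exe"}


def _basename(token):
    """Lower-cased file name of a (possibly quoted) Windows path token."""
    return token.strip('"').lower().rsplit("\\", 1)[-1]


def find_ini_indicators(ini_text):
    """Return (section, line) pairs whose value references a Dumaru file."""
    hits, section = [], None
    for line in (raw.strip() for raw in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and any(_basename(t) in DUMARU_FILES for t in value.split()):
            hits.append((section, line))
    return hits


def clean_ini(ini_text):
    """Drop Dumaru paths from shell= and run= lines (steps 2-3 and 6-7),
    keep the key itself and every other line untouched; return new text."""
    out = []
    for raw in ini_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().lower() in ("shell", "run"):
            kept = [t for t in value.split() if _basename(t) not in DUMARU_FILES]
            raw = key + sep + " ".join(kept)
        out.append(raw)
    return "\n".join(out) + "\n"


def scan_run_values(run_values):
    """Names of Run values (step 2) whose data points at a Dumaru file."""
    return [name for name, data in run_values.items() if _basename(data) in DUMARU_FILES]
```

On a live system the INI text would come from reading C:\WINDOWS\SYSTEM.INI and WIN.INI, and the Run values from Regedit or the winreg module; the cleaned text is written back only after the reported hits have been reviewed.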

Unfortunately, because this virus infects EXE files, some files in the root directory may be unrecoverable, and the affected programs will have to be reinstalled from their original installation disks.

Update: There is now a Dumaru.B version with slightly different characteristics.

For Automatic Removal of Dumaru.A, download the Symantec removal tool

Written by Mark Hasting
