How to Remove the Dumaru.Y and Dumaru.Z virus

What is the Dumaru.Y Virus?
The Dumaru.Y virus is a mass-mailing worm that emails copies of itself to email addresses found on the infected machine. It uses its own SMTP engine to send these emails and has backdoor capabilities that allow it to gather keystroke and system information.

The Dumaru.Z virus is almost identical to the Dumaru.Y virus; however, it has backdoor capabilities. It downloads a component detected as BKDR_IROFFER12.B by Trend Micro.

It runs on Windows 95, 98, ME, NT, 2000 and XP.


The email has the following characteristics:

From: Elene <FU<blocked>ENSUICIDE@hotmail.com>

Subject: Important information for you. Read it immediately !

Message Body:
Hi!
Here is my photo, that you asked for yesterday.

Attachment: myphoto.zip


What Does the Dumaru.Y Worm Do?

  1. Copies itself as the following:

    %System%\l32x.exe
    %System%\vxd32v.exe
    %Startup%\dllxw.exe


    NOTES:

    • %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Startup% is the Windows default Startup folder.
  2. Adds a value:

    "load32" = "%System%\l32x.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  3. Modifies the [boot] section of the system.ini file:

    [boot]
    shell=explorer.exe %System%\vxd32v.exe
  4. On Windows NT machines, it also modifies the shell value under the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


    shell = explorer.exe %System%\vxd32v.exe
  5. Retrieves email addresses from files with the following extensions:
    • HTM
    • WAB
    • HTML
    • DBX
    • TBB
    • ABD
  6. Uses its own SMTP engine to email itself.
  7. The program logs keystrokes and gathers information from the infected system. This information is sent to the malicious user through email. It logs the gathered data to the following files:
    • vxdload.log
    • rundllx.sys

    It also gathers clipboard data and protected storage data, as well as user information related to E-gold bank accounts.

  8. It then listens on the following ports for commands from the remote host:
    • 2283
      This port acts as a TCP proxy that can be used by malicious users to connect to other hosts.
    • 10000
      This port is used to set up a remote File Transfer Protocol (FTP) server that allows full access to all files on the infected system.

    When a connection to the host is established, it sends an email containing the stolen system information using the infected machine's default SMTP server. It reads the SMTP server setting from the following registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\00000000

    The Dumaru.Z variant of this virus has backdoor capabilities. It downloads a component detected as BKDR_IROFFER12.B from the following addresses:

    • http://youand<BLOCKED>edlove.com/load.exe
    • http://gold<BLOCKED> ting.com@%79o%75%61n%64menee%64%6co%76e.com/load.php

How Can I Remove the Dumaru.Y worm?

Follow these steps to remove the Dumaru.Y worm:

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode.

2) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

  • In the right panel, right-click and delete the following entry:

"load32" = "%System%\l32x.exe"

  • For Windows XP or NT, change the following key as well:

    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
  • In the right panel, locate and change the entry from:
    Shell = explorer.exe %System%\vxd32v.exe

    to
    Shell = explorer.exe
  • Close the Registry Editor

3) Correct entries in the System.ini file

  1. Open the SYSTEM.INI file: click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
  2. Under the [boot] section, locate the line that begins with:
    Shell=Explorer.exe
  3. From the same line, delete the malware path and file name:
    %System%\vxd32v.exe
  4. Close the SYSTEM.INI file and click Yes when prompted to save.

4) Delete the additional entry in the Startup group

From the Startup Group delete the file:

  • dllxw.exe

5) Delete the infected files. (For Windows ME and XP, turn off System Restore before searching for and deleting these files, so that infected backup copies are removed as well.)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    l32x.exe (in the Windows\System directory)
    vxd32v.exe (in the Windows\System directory)
    winload.log (in the Windows directory)

    vxdload.log
    rundllx.sys
  • Click Find Now or Search Now.
  • Delete the displayed files.

6) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
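The persistence entries described above (the Run value, the Winlogon Shell value and the system.ini [boot] shell line) are easy to misread by hand, and deleting the whole Shell value instead of just the appended worm path leaves a machine that no longer loads the desktop. The following triage helper is an added example, not part of the original page: it takes the registry and system.ini contents as plain values, reports which Run values launch a Dumaru file, and computes the cleaned shell value that the removal steps above ask you to enter. The sample data at the bottom is constructed from the entries listed in this write-up.

```python
"""Triage helper for the Dumaru.Y/Z persistence entries (added example)."""

# File names the worm drops, as listed in the write-up above.
DUMARU_FILES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}


def _basename(path):
    """Return the file name part of a Windows path such as %System%\\l32x.exe."""
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def clean_shell_value(value):
    """Strip the worm's appended executable from a Shell value.

    'explorer.exe %System%\\vxd32v.exe' becomes 'explorer.exe'. Explorer is
    always kept so the desktop still loads after the registry/system.ini edit.
    """
    kept = [p for p in value.split() if _basename(p) not in DUMARU_FILES]
    return " ".join(kept) if kept else "explorer.exe"


def check_run_key(run_values):
    """run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run.
    Returns the names of values that launch a Dumaru file (to be deleted)."""
    return [name for name, data in run_values.items()
            if _basename(data) in DUMARU_FILES]


def check_system_ini(text):
    """Find shell= under [boot] and return (current, cleaned), or None."""
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot" and s.lower().startswith("shell="):
            current = s.split("=", 1)[1].strip()
            return current, clean_shell_value(current)
    return None


def triage(run_values, winlogon_shell, system_ini_text):
    """Combine the checks; 'infected' is True if any entry needs changing."""
    report = {"delete_run_values": check_run_key(run_values),
              "winlogon_shell": (winlogon_shell, clean_shell_value(winlogon_shell)),
              "system_ini_shell": check_system_ini(system_ini_text)}
    changed = [pair for pair in (report["winlogon_shell"], report["system_ini_shell"])
               if pair is not None and pair[0] != pair[1]]
    report["infected"] = bool(report["delete_run_values"] or changed)
    return report


# Constructed sample data modelled on the entries in the write-up (not real captures).
SAMPLE_RUN = {"load32": '"%System%\\l32x.exe"',
              "SomeLegitApp": "C:\\Program Files\\App\\app.exe"}
SAMPLE_WINLOGON_SHELL = "explorer.exe %System%\\vxd32v.exe"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe %System%\\vxd32v.exe\n[386Enh]\n"

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_WINLOGON_SHELL, SAMPLE_SYSTEM_INI))
```

On a live machine the three inputs would come from the Run key, the Winlogon Shell value and the contents of SYSTEM.INI; the report tells you which Run value to delete and what the two Shell entries should read after cleaning.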

Written by Mark Hasting