
Dumaru.Y worm

May be financially motivated


Updated January 24, 2004
A new variant of the Dumaru worm was discovered on January 24th, 2004. This new variant most closely resembles Dumaru.J or Dumaru.M, depending on the antivirus vendor's naming convention. Dubbed Dumaru.Y, this new variant contains specific references to E-Gold, WebMoney, Far Manager, PayPal and eBay, so it may be that Dumaru.Y is specifically attempting to retrieve information pertaining to accounts with these financial institutions.

Dumaru.Y has remote access capabilities and may listen on TCP port 10000. Attackers exploiting the Dumaru.Y infection are able to perform a variety of malicious actions, including keylogging, modifying settings, and introducing further malware to infected systems. The worm also disables various antivirus and firewall processes running on the infected system, leaving the system vulnerable to further threat.

The Dumaru.Y worm harvests email addresses found in .adb, .dbx, .htm, .html, .tbb, and .wab files on the infected system and uses those addresses to send itself to others. Dumaru.Y uses its own SMTP engine, so copies of the sent emails will not be found in the Sent Items folder of the infected user's mail client.

Dumaru.Y arrives in an email as follows:

    From: Elene <F**KENSUICIDE@HOTMAIL.COM> (edited for profanity)
    Subject: Important information for you. Read it immediately !

    Text: Here is my photo, that you asked for yesterday

    Attachment: myphoto.zip

The use of a .zip attachment could allow the Dumaru.Y email to bypass some filtering products and antivirus scanners. The myphoto.zip attachment contains the file "myphoto.jpg .exe" (myphoto.jpg is followed by 56 blank spaces prior to the actual .exe extension). If myphoto.jpg.exe is opened, the Dumaru.Y worm will drop copies of itself to the Windows System directory as follows:

    l32x.exe
    vxd32v.exe

Note: the exact location of the Windows System directory may vary. The defaults for the various affected operating systems are as follows:

    Windows 9x/ME --> C:\Windows\System
    Windows NT/2000 --> C:\WinNT\System32
    Windows XP --> C:\Windows\System32

Dumaru.Y also drops a copy of itself named dllxw.exe to the Windows Startup folder. That location also varies depending on the operating system and user. For example, on Windows XP, this may be C:\Documents and Settings\Default User\Start Menu\Programs\Startup.

The Dumaru.Y worm modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the System registry, adding the following value:

    "load32"="%winsysdir%\l32x.exe"

    (where %winsysdir% is the equivalent of the Windows System directory on that machine)

Additionally, Dumaru.Y modifies the System.ini file on Windows 9x/ME as follows:

    [boot]
    shell=explorer.exe %System%\vxd32v.exe
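Two of the indicators described above lend themselves to a simple automated check: the attachment name "myphoto.jpg" padded with 56 spaces before ".exe", and the extra executable appended to the System.ini shell= line. The following is an added example written for this page (not code from the original article or from any antivirus vendor); it builds a constructed, harmless zip that mimics the attachment's layout and constructed System.ini text, then flags both. The function names and the list of executable extensions are my own choices.

```python
import io
import re
import zipfile

# Executable extensions worth flagging when hidden behind a decoy extension.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

# Matches "<name>.<decoy ext><run of whitespace>.<exec ext>",
# e.g. "myphoto.jpg" followed by 56 spaces and then ".exe".
PADDED_RE = re.compile(r"^(?P<base>.+\.\w{2,4})(?P<pad>\s+)(?P<ext>\.\w{2,4})$")

def suspicious_members(zip_bytes):
    """Return (name, pad_length) for archive members using the padded double-extension trick."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            m = PADDED_RE.match(name)
            if m and m.group("ext").lower() in EXEC_EXTS:
                hits.append((name, len(m.group("pad"))))
    return hits

def shell_line_is_clean(system_ini_text):
    """True only if the [boot] shell= line runs explorer.exe alone, as on a clean 9x/ME system."""
    in_boot = False
    for line in system_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
        elif in_boot and stripped.lower().startswith("shell="):
            return stripped.split("=", 1)[1].strip().lower() == "explorer.exe"
    return True  # no shell= override present at all

def build_sample_zip():
    """Constructed sample: a zip laid out like the worm's attachment; the contents are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 56 + ".exe", b"not an executable, just sample text")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()

# Constructed System.ini contents: the infected form described above, and the clean form.
INFECTED_INI = "[boot]\nshell=explorer.exe %System%\\vxd32v.exe\n"
CLEAN_INI = "[boot]\nshell=explorer.exe\n"

if __name__ == "__main__":
    print(suspicious_members(build_sample_zip()))
    print(shell_line_is_clean(INFECTED_INI), shell_line_is_clean(CLEAN_INI))
```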

Manual removal of the Dumaru.Y worm
In the Windows System directory, locate and delete the following files:

    l32x.exe
    vxd32v.exe

In the Windows Startup directory, locate and delete the following file:

    dllxw.exe

Edit the following Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

to remove the value:

    "load32"="%winsysdir%\l32x.exe"

Windows 9x/ME users should also edit the following section in the System.ini:

    [boot]
    shell=explorer.exe %System%\vxd32v.exe

to read simply:

    [boot]
    shell=explorer.exe

After these steps have been performed, reboot the system. You will then need to ensure your antivirus, firewall, and other security software are functioning normally. Panda Antivirus Titanium and ZoneAlarm firewall both include self-diagnostics to minimize the risk of being disabled by malware. To test that your antivirus software is working properly, use the EICAR test file.

The original Dumaru worm arrived in an email claiming to be a security patch from Microsoft.
