From: "Elene" <F*CKENSUICIDE@HOTMAIL.COM>
Subject: Important information for you. Read it immediately !
The email carries an attachment named Myphoto.zip. Inside the zip is a file named myphoto.jpg <numerous spaces> .exe. Padding the name with spaces before the real .exe extension can stymie some poorly configured filtering products, which may only look at the text that follows the first dot or fail to normalise whitespace before checking the extension.
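A filter that is not fooled by this trick must look at the extension Windows actually honours: the text after the last dot, with any whitespace padding stripped. The following is an added example (not part of the original writeup) that builds a small in-memory zip with constructed entry names, one of which imitates the myphoto.jpg <spaces> .exe pattern, and reports each entry whose true extension is executable, together with why it looks disguised. The set of executable extensions and the sample names are assumptions chosen for illustration.

```python
import io
import zipfile

# Constructed sample entry names. The first reproduces the padding trick
# described above; the others are decoys, a double extension and a clean file.
SAMPLE_NAMES = [
    "myphoto.jpg" + " " * 120 + ".exe",
    "report.pdf",
    "invoice.doc.scr",
    "holiday.jpg",
]

# Extensions Windows will execute on double-click (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def true_extension(name: str) -> str:
    """Extension Windows honours: text after the LAST dot, whitespace stripped,
    lower-cased. Returns '' when there is no dot at all."""
    head, sep, tail = name.rpartition(".")
    if not sep:
        return ""
    return tail.strip().lower()


def classify(name: str) -> list:
    """Return a list of reasons this entry name is suspicious, or [] if not."""
    reasons = []
    ext = true_extension(name)
    if ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension .{ext}")
    stem = name[: name.rfind(".")]
    # Whitespace between the decoy name and the real extension is the padding trick.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before real extension")
    # A second, document-looking extension before the real one is a decoy.
    decoy = true_extension(stem.rstrip())
    if decoy:
        reasons.append(f"decoy extension .{decoy}")
    return reasons


def build_sample_zip() -> bytes:
    """Create an in-memory zip containing the constructed sample names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in SAMPLE_NAMES:
            zf.writestr(entry, b"placeholder bytes, not a real payload")
    return buf.getvalue()


def scan_zip(data: bytes) -> dict:
    """Map each suspicious entry name inside the archive to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            reasons = classify(entry)
            if reasons:
                findings[entry] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample_zip()).items():
        print(repr(entry), "->", "; ".join(reasons))
```

The check deliberately ignores the MIME type or "file type" column a mail client might display, because those are derived from the same padded name; only the trailing token after the last dot decides what Windows runs.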
- L32x.exe
- Vxd32v.exe
Dumaru.Z also drops Dllxw.exe to the Startup directory and Zip.tmp to the Windows Temp directory.
The following files are created in the Windows directory:
- Winload.log
- Vxdload.log
- Rundllx.sys
On Windows 9x/ME, the system directory (by default) is located at C:\Windows\system. On Windows NT/2000, the Windows system directory is located at C:\WINNT\system32 and on Windows XP at C:\Windows\system32.
Registry keys modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "load32"="%system%\l32x.exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  The value 'Shell' is changed from "explorer.exe" to "explorer.exe %Windir%\system32\vxd32v.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE
  adds the value 'SARS'
System.ini is also modified on Win9x/ME as follows:
- [boot]
  shell=explorer.exe %System%\vxd32v.exe
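The three persistence hooks listed above (the Run value, the appended Winlogon Shell entry and the system.ini [boot] shell line) share one property a defender can check generically: on a clean system the shell value is exactly "explorer.exe", and Run values should not point at the dropped file names. The following is an added example (not part of the original writeup) that applies those checks to constructed copies of the modified values; the registry and ini contents are embedded as sample strings rather than read from a live machine, and the benign ctfmon entry is an assumption included to show a Run value that is not flagged.

```python
import configparser
import ntpath

# Constructed samples reproducing the modifications described in the writeup.
SAMPLE_WINLOGON_SHELL = "explorer.exe %Windir%\\system32\\vxd32v.exe"
SAMPLE_RUN_VALUES = {
    "load32": "%system%\\l32x.exe",
    "ctfmon": "C:\\Windows\\system32\\ctfmon.exe",  # assumed benign entry for contrast
}
SAMPLE_SYSTEM_INI = "\n".join([
    "[boot]",
    "shell=explorer.exe %System%\\vxd32v.exe",
    "[386Enh]",
    "device=*vshare",
    "",
])

# File names the writeup says Dumaru.Z drops (matched case-insensitively by basename).
KNOWN_DROPPED = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}


def shell_extras(shell_value: str) -> list:
    """Return every token a shell value carries beyond 'explorer.exe'.
    A clean Shell value is exactly 'explorer.exe'; extra tokens are launched
    alongside the desktop at every logon. If explorer.exe is not even the first
    token, the whole value is returned because the shell itself was replaced."""
    tokens = shell_value.split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]
    return tokens


def system_ini_shell(ini_text: str) -> str:
    """Extract the [boot] shell= line from system.ini text ('' if absent)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.get("boot", "shell", fallback="")


def suspicious_run_values(run_values: dict) -> dict:
    """Keep Run values whose target file name is one of the dropped files."""
    return {
        name: target
        for name, target in run_values.items()
        if ntpath.basename(target).lower() in KNOWN_DROPPED
    }


def persistence_report(shell_value: str, run_values: dict, ini_text: str) -> dict:
    """Combine the three checks into one findings dictionary."""
    return {
        "winlogon_shell_extras": shell_extras(shell_value),
        "run_values": suspicious_run_values(run_values),
        "system_ini_shell_extras": shell_extras(system_ini_shell(ini_text)),
    }


if __name__ == "__main__":
    report = persistence_report(SAMPLE_WINLOGON_SHELL, SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_INI)
    for check, result in report.items():
        print(f"{check}: {result}")
```

Because shell_extras flags any deviation from a bare "explorer.exe", it catches appended entries like the one above as well as a wholesale shell replacement, without needing the attacker's file name in advance; the name list is only used for the Run key, where legitimate entries are common and a generic rule would be too noisy.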