Dumaru.Z worm

By Mary Landesman, About.com

Name: Dumaru.Z worm
Also known as: W32/Dumaru.z@MM, Win32.Dumaru.Z, I-Worm.Dumaru.l, WORM_DUMARU.Z
Type: Mass-mailing email worm with a keylogging component
Discovered: January 25, 2004
Description: Dumaru.Z worm is a mass-mailing email worm with a keylogging component. The Dumaru.Z worm arrives via an email with the following characteristics:

From: "Elene" <F*CKENSUICIDE@HOTMAIL.COM>
Subject: Important information for you. Read it immediately !

The email carries an attachment named Myphoto.zip. Inside the zip is a file named myphoto.jpg <numerous spaces> .exe. Padding the name with spaces before the actual .exe extension could stymie some poorly configured filtering products.
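A filter-side check for the padded-extension trick described above, as an added example that is not part of the original article: it lists the members of a zip attachment and flags names whose real (last) extension is executable but sits behind whitespace padding or a decoy extension. The extension lists and function names are assumptions, and the sample archive is constructed in memory with placeholder bytes.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (assumed blocklist; adjust to local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PADDING = re.compile(r"\s{2,}")  # run of whitespace inside the name
DECOY = re.compile(r"\.(jpg|jpeg|gif|png|txt|doc|pdf)\b", re.IGNORECASE)


def split_name(name: str) -> tuple[str, str]:
    """Split a member name into (stem, real extension) using the LAST dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (base, "")


def inspect_member(name: str) -> list[str]:
    """Return the reasons a member name looks disguised (empty list = no finding)."""
    stem, ext = split_name(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    if PADDING.search(stem):
        reasons.append("whitespace padding before extension")
    decoy = DECOY.search(stem)
    if decoy:
        reasons.append("decoy extension " + decoy.group(0).lower())
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {n: inspect_member(n) for n in zf.namelist()}
    return {n: r for n, r in hits.items() if r}


def build_sample() -> bytes:
    """Constructed test archive: placeholder bytes only, names mimic the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 40 + ".exe", b"constructed placeholder")
        zf.writestr("holiday.jpg", b"constructed placeholder")
        zf.writestr("setup.exe", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), "->", ", ".join(why))
```

The check compares against the last extension only, so a filter that stops reading the name at the first extension or at the first space would miss what this flags.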

Local system impact: Lovgate.G drops the following files to the Windows system directory:
    L32x.exe
    Vxd32v.exe

Dumaru.Z also drops Dllxw.exe to the Startup directory and Zip.tmp to the Windows Temp directory.

The following files are created in the Windows directory:

    Winload.log
    Vxdload.log
    Rundllx.sys

On Windows 9x/ME, the system directory (by default) is located at C:\Windows\system. On Windows NT/2000, the Windows system directory is located at C:\WINNT\system32 and on Windows XP at C:\Windows\system32.

Registry keys modified:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"load32"="%system%\l32x.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The value 'Shell' is changed from "explorer.exe" to "explorer.exe %Windir%\system32\vxd32v.exe"

HKEY_LOCAL_MACHINE\SOFTWARE
adds the value 'SARS'

System.ini is also modified on Win9x/ME as follows:

    [boot]
    shell=explorer.exe %System%\vxd32v.exe

Keylogging component: Dumaru.Z captures data copied to the Windows clipboard, as well as online transactions involving the e-Gold banking site. It then sends this data to the worm's author via a hard-coded email address.

Free removal tools: Symantec removal tool

©2009 About.com, a part of The New York Times Company.

All rights reserved.