Win32.Dumaru.Y@mm (WORM_DUMARU.Y, W32.Dumaru.Y@mm, W32/Dumaru-Y)
SYMPTOMS: Presence of the files L32X.EXE and VXD32V.EXE in the Windows System folder and the file DLLXW.EXE in the StartUp folder.

TECHNICAL DESCRIPTION: The worm arrives by mail in the following message:

From: "Elene"
Subject: Important information for you. Read it immediately !
Body: Hi ! Here is my photo, that you asked for yesterday.
Attachment: MYPHOTO.JPG

The worm copies itself to the Windows System folder under the names L32X.EXE and VXD32V.EXE, and to the StartUp folder under the name DLLXW.EXE. It adds the registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE

It also modifies the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):

Shell =

A keylogger and clipboard monitor are also installed; the worm listens for commands on port 2283 and opens an FTP server on port 10000. The mass-mailing component collects e-mail addresses from files with the extensions .htm, .wab, .html, .dbx, .tbb and .abd, and sends the e-mails using its own sending engine.

Removal instructions: Let BitDefender delete all files found infected with this worm.

ANALYZED BY: Mihai NEAGU, BitDefender Virus Researcher
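As an added example that is not part of the BitDefender entry, the following Python checks a host's previously captured inventory (a listing of the System and StartUp folders, the output of `reg query` on the Run key, and `netstat -an`) against the indicators listed above; the sample captures are constructed, and the indicator names and ports are the ones the description gives.

```python
import re

# Indicators taken from the Win32.Dumaru.Y@mm description above.
DROPPED_FILES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}
RUN_VALUE_NAME = "load32"
RUN_VALUE_DATA = "l32x.exe"
LISTEN_PORTS = {2283, 10000}   # command channel and FTP server

def parse_listening_ports(netstat_text):
    """Return the local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def parse_run_values(reg_query_text):
    """Parse `reg query` output for the Run key into {value_name: data}."""
    values = {}
    for line in reg_query_text.splitlines():
        parts = line.split(None, 2)            # name, type, data
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = parts[2]
    return values

def find_dumaru_indicators(file_names, run_values, listening_ports):
    """Return human-readable matches; an empty list means no indicator was seen."""
    hits = []
    present = {f.lower() for f in file_names}
    for f in sorted(DROPPED_FILES & present):
        hits.append(f"dropped file present: {f}")
    data = run_values.get(RUN_VALUE_NAME, "")
    if RUN_VALUE_DATA in data.lower():
        hits.append(f"Run value {RUN_VALUE_NAME} = {data}")
    for port in sorted(LISTEN_PORTS & listening_ports):
        hits.append(f"listening on port {port}")
    return hits

# Constructed sample captures (not taken from a real infection).
SAMPLE_FILES = ["kernel32.dll", "L32X.EXE", "VXD32V.EXE", "notepad.exe"]
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    load32    REG_SZ    L32X.EXE
    ctfmon    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""
SAMPLE_NETSTAT = """  Proto  Local Address      Foreign Address    State
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING
  TCP    0.0.0.0:2283       0.0.0.0:0          LISTENING
  TCP    0.0.0.0:10000      0.0.0.0:0          LISTENING
"""
```

Passing SAMPLE_FILES, parse_run_values(SAMPLE_REG) and parse_listening_ports(SAMPLE_NETSTAT) to find_dumaru_indicators reports the two dropped files, the Run value and both listening ports; a clean capture yields an empty list.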