Win32.Dumaru.Y@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Dumaru.Y@mm is also known as WORM_DUMARU.Y, W32.Dumaru.Y@mm, W32/Dumaru-Y.
Explanation:
The worm comes by mail in the following message:
From: "Elene"
Subject: Important information for you. Read it immediately !
Body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment: MYPHOTO.JPG .EXE (the executable extension is separated from the .JPG part by whitespace so that the file appears to be an image)
The worm copies itself to the Windows System folder under the names L32X.EXE and VXD32V.EXE, and to the StartUp folder under the name DLLXW.EXE. It adds the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32 = L32X.EXE
It also modifies the shell line (in SYSTEM.INI on Windows 95, 98 and Me, or in the registry on Windows NT, 2000 and XP):
Shell = %SYSTEMDIR%\vxd32.exe
A keylogger and clipboard monitor are also installed. The worm listens for commands on port 2283 and opens an FTP server on port 10000.
The mass-mailing component collects e-mail addresses from files with the extensions .htm, .wab, .html, .dbx, .tbb and .abd, and sends e-mails using its own sending engine.
Last update 21 November 2011
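The following PowerShell script is an added host-side check built from the indicators in this write-up (the dropped file names, the load32 Run value, the Shell hijack, the two listening ports and the padded double-extension attachment name); it is not BitDefender's code. Two assumptions are labelled in the comments: that the NT-family "shell line" is the standard Winlogon Shell value (the write-up only says "in the registry"), and that the backdoor and FTP listeners are TCP. The SYSTEM.INI variant on Windows 9x/Me is not covered, as PowerShell does not run there.

```powershell
# Added example (not from the original write-up): check a Windows host for the
# Win32.Dumaru.Y@mm indicators listed above. Run from an elevated PowerShell prompt.

# Attachment names like "MYPHOTO.JPG     .EXE": a benign-looking extension,
# whitespace padding, then an executable extension. Returns $true when the name matches.
function Test-PaddedDoubleExtension {
    param([Parameter(Mandatory)][string]$FileName)
    return $FileName -match '\.(jpe?g|gif|png|txt|doc)\s+\.(exe|scr|pif|com|bat)$'
}

function Get-DumaruIndicators {
    $systemDir  = [Environment]::GetFolderPath('System')
    $startupDir = [Environment]::GetFolderPath('Startup')
    $findings   = @()

    # 1. Dropped copies named in the write-up
    $dropped = @(
        (Join-Path $systemDir  'L32X.EXE'),
        (Join-Path $systemDir  'VXD32V.EXE'),
        (Join-Path $startupDir 'DLLXW.EXE')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # 2. Run-key value "load32" pointing at L32X.EXE
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $load32 = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).load32
    if ($load32 -and $load32 -match 'L32X\.EXE') {
        $findings += "Run value load32 = $load32"
    }

    # 3. Shell hijack. Assumption: the NT-family "shell line" is the Winlogon Shell value.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell = '$shell' (expected 'explorer.exe')"
    }

    # 4. Command channel (2283) and FTP server (10000). Assumption: both are TCP listeners.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 2283, 10000 }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listening on TCP $($l.LocalPort): PID $($l.OwningProcess) ($($proc.ProcessName))"
    }

    return $findings
}

# Constructed sample attachment name from the write-up's lure
Test-PaddedDoubleExtension 'MYPHOTO.JPG     .EXE'   # $true

$result = Get-DumaruIndicators
if ($result.Count -eq 0) {
    'No Win32.Dumaru.Y@mm indicators found.'
} else {
    $result
}
```

A hit on the Run value or the Shell value is the strongest signal, since those are exact strings from the write-up; a listener on port 10000 alone is weak evidence because other software uses that port, so the owning process name is reported alongside it.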