I-Worm.Dumaru.c, PWS-Narod, IRC Trojan
Sent by email.
It collects email addresses from files of type: .htm, .wab, .html, .dbx, .tbb and .abd. It uses its own SMTP engine to spread by email. The email has the following structure:
From: "Microsoft" %firstname.lastname@example.org%
Subject: Use this patch immediately !
Body: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
When activated, Worm/Dumaru.K copies itself as:
It creates %WinDIR%\Windrive.exe (8,192 bytes), which is an IRC Trojan. The worm connects to a predefined IRC server to receive its author's instructions on a special port.
The worm creates %WinDIR%\Winload.log to save the collected addresses.
It makes the following autostart registry entry:
It also changes the following entry:
It changes the [windows] section of the win.ini file to:
and the [boot] section to:
The worm tries to infect all .exe files on drives C: to Z:.
It listens on TCP port 10000 for further instructions:
mkd: "Create a directory on the infected machine"
rmd: "Remove directory on the infected machine"
port: "Change the port to the port specified"
and on TCP port 1001 for:
!exec: "Execute program on the infected machine"
!cdopen: "Open the CD-ROM on the infected machine"
!sndplay: "Play a sound on the infected machine"
It tries to collect all clipboard information into %WinDIR%\Rundllx.sys.
The file %WinDIR%\Guid32.dll is used for entries into %WinDIR%\Vxdload.log.
Then it looks for .kwm files, saves their contents in %WinDIR%\Rundlln.sys, and sends email-format files containing the stolen information to a certain FTP server.
Description inserted by Crony Walker on Tuesday, June 15, 2004
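The file names and listening ports given in the Worm/Dumaru.K description above can be turned into a host triage check. The following is an added example, not part of the original description: the function names and the sample directory listing and `netstat -an` text are constructed for illustration.

```python
import re

# Artifacts named in the description, relative to %WinDIR% (lower-cased keys).
DUMARU_FILES = {
    "windrive.exe": "IRC Trojan component",
    "winload.log": "harvested e-mail addresses",
    "rundllx.sys": "captured clipboard data",
    "guid32.dll": "helper writing to Vxdload.log",
    "vxdload.log": "log written via Guid32.dll",
    "rundlln.sys": "contents of stolen .kwm files",
}
DUMARU_PORTS = {10000: "command listener (mkd/rmd/port)",
                1001: "command listener (!exec/!cdopen/!sndplay)"}
# Matches a listening TCP row of Windows `netstat -an` output (IPv4 or [IPv6]).
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

def check_files(dir_listing):
    """dir_listing: iterable of (filename, size_bytes) found in %WinDIR%."""
    hits = []
    for name, size in dir_listing:
        role = DUMARU_FILES.get(name.lower())  # Windows names are case-insensitive
        if role and name.lower() == "windrive.exe" and size == 8192:
            role += ", size matches 8,192 bytes"
        if role:
            hits.append(("file", name, role))
    return hits

def check_ports(netstat_text):
    """Return a hit for every LISTENING TCP socket on a port from the description."""
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in DUMARU_PORTS:
            port = int(m.group(1))
            hits.append(("port", port, DUMARU_PORTS[port]))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_FILES = [("notepad.exe", 69120), ("WINDRIVE.EXE", 8192), ("Rundllx.sys", 412)]
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1001          10.0.0.9:4431          ESTABLISHED
  TCP    0.0.0.0:1001           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for hit in check_files(SAMPLE_FILES) + check_ports(SAMPLE_NETSTAT):
        print(hit)
```

A listening port on its own is weak evidence, since other software may use the same port numbers; a port hit together with one or more of the file names is the stronger signal.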