Alias: W32/Dumaru.y@mm, WORM_DUMARU.Y
Type: Worm
Size: 17 kbytes
Origin: unknown
Date: 01-25-2004
Damage: Spreads itself by email, backdoor routine
VDF Version: 6.23.00.33
Danger: Low
Distribution: Medium

General Description
This new version of the worm Dumaru contains both an email routine and a backdoor routine. When the worm is activated, its author receives a notification. Worm/Dumaru.Y installs itself in the system and searches all files with extensions such as .WAB, .HTM, .HTML, .DBX, .ABD and .TBB for email addresses to send itself to. The backdoor component uses port 2283.

Symptoms
* increased email traffic

Distribution
* sends itself by email

Technical Details
Worm/Dumaru.Y is a mass-mailer that carries a backdoor with a key logger. It uses its own SMTP engine to spread by email, with the following characteristics:

From:
"Elene" <F***KENSUICIDE@HOTMAIL.COM>

Subject:
Important information for you. Read it immediately !

Message:
Hi !
Here is my photo, that you asked for yesterday

Attachment:
myphoto.zip

The attachment is a ZIP archive which contains a file named "myphoto.jpg.exe". Between the "jpg" and ".exe" extensions there are 56 blanks, so that the real ".exe" extension is pushed out of view in most file listings.
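The padded double extension is the kind of thing a mail gateway can check for before the attachment reaches a user. The following Python script is an added example written for this page, not code from Avira or from the worm: it parses a constructed e-mail message, opens any ZIP attachment in memory and flags member names where a harmless-looking extension is followed by whitespace and an executable extension. The list of executable extensions and the sample message are assumptions made for the example; the ZIP member contains a placeholder string, not a real payload.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions that Windows will execute on double-click (illustrative list,
# an assumption of this example; extend it to match local policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def padded_double_extension(name):
    """Return (decoy_ext, real_ext, padding_len) when `name` hides an executable
    extension behind a run of whitespace after a harmless-looking extension,
    e.g. 'myphoto.jpg<56 spaces>.exe'. Zero padding ('photo.jpg.exe') is
    flagged too. Returns None for ordinary names such as 'archive.tar.gz'."""
    m = re.search(r"\.([A-Za-z0-9]+)(\s*)\.([A-Za-z0-9]+)$", name)
    if not m:
        return None
    decoy, padding, real = m.groups()
    if "." + real.lower() not in EXECUTABLE_EXTENSIONS:
        return None
    return (decoy.lower(), real.lower(), len(padding))


def suspicious_zip_members(zip_bytes):
    """List (member_name, finding) pairs for suspicious names inside a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            hit = padded_double_extension(info.filename)
            if hit:
                findings.append((info.filename, hit))
    return findings


def scan_message(raw_bytes):
    """Scan every attachment of an RFC 822 message and return a list of
    'attachment:member' strings for padded-extension executables."""
    msg = message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        is_zip = fname.lower().endswith(".zip") or part.get_content_type() in (
            "application/zip", "application/x-zip-compressed")
        if is_zip:
            try:
                for member, _hit in suspicious_zip_members(payload):
                    findings.append(f"{fname}:{member}")
            except zipfile.BadZipFile:
                findings.append(f"{fname}: not a valid ZIP archive")
        elif padded_double_extension(fname):
            findings.append(fname)
    return findings


def build_sample_message():
    """Construct a message shaped like the one described on this page.
    The ZIP member carries a placeholder string, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 56 + ".exe",
                    b"constructed placeholder content, not a real payload")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed, not the real sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Important information for you. Read it immediately !"
    msg.set_content("Hi !\nHere is my photo, that you asked for yesterday")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="myphoto.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("FLAGGED:", finding)
```

The regex deliberately accepts zero padding, so the same check catches plain double extensions; a gateway would typically quarantine on any hit rather than try to distinguish the two.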

When the attachment is activated, Worm/Dumaru.Y copies itself to:
* \%WinDIR%\%SystemDIR%\l32x.exe
* \%WinDIR%\%SystemDIR%\vxd32v.exe
* \%StartUp%\dllxw.exe

and creates the following registry entry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\l32x.exe"

It changes the following registry entry from:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"explorer.exe"

into the following:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"explorer.exe \%WinDIR%\%SystemDIR%\vxd32v.exe"

If the infected system uses Windows 95/98/ME, the worm changes the line

shell=explorer.exe

from SYSTEM.INI into

shell=explorer.exe \%WinDIR%\%SystemDIR%\vxd32v.exe
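Both persistence tricks above work the same way: an extra executable is appended to the string that names the Windows shell, so a defender can audit that string with one rule. The Python script below is an added example written for this page, not code from Avira or from the worm. It parses a constructed SYSTEM.INI text and a Winlogon shell value, reports anything that follows the expected explorer.exe, and on Windows can read the live value. It assumes that the Winlogon entry shown on this page is the value named "Shell" under that key (the page shows only the value data); the sample INI text and the placeholder path are constructed for the example.

```python
import sys

# The only shell a default Windows installation should name.
EXPECTED_SHELL = "explorer.exe"


def extra_shell_entries(shell_value):
    """Return a list of everything in a shell value that is not explorer.exe.
    A clean system yields []. A Dumaru-style hijack such as
    'explorer.exe \\%WinDIR%\\%SystemDIR%\\vxd32v.exe' yields the appended
    path; a value that does not start with explorer.exe at all is returned
    whole, since the shell has been replaced rather than extended."""
    value = shell_value.strip().strip('"').strip()
    if value.lower() == EXPECTED_SHELL:
        return []
    if value.lower().startswith(EXPECTED_SHELL):
        # Keep the tail as one string so paths containing spaces survive.
        tail = value[len(EXPECTED_SHELL):].strip(" ,\t")
        return [tail] if tail else []
    return [value]


def system_ini_shell(ini_text):
    """Return the shell= value from the [boot] section of SYSTEM.INI text,
    or an empty string when there is none. Comments (;) are ignored."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "shell":
                return val.strip()
    return ""


def audit_live_winlogon():
    """On Windows, read the real Winlogon shell value and return its extra
    entries; elsewhere return []. Assumes the value is named 'Shell'."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _type = winreg.QueryValueEx(key, "Shell")
    return extra_shell_entries(str(shell))


# Constructed sample, not a real file; the path uses this page's placeholder
# notation for the Windows system directory.
SAMPLE_SYSTEM_INI = r"""; constructed SYSTEM.INI sample for this example
[boot]
shell=explorer.exe \%WinDIR%\%SystemDIR%\vxd32v.exe
drivers=mmsystem.dll
[386Enh]
device=*vmm
"""


if __name__ == "__main__":
    ini_shell = system_ini_shell(SAMPLE_SYSTEM_INI)
    print("SYSTEM.INI shell line:", ini_shell)
    print("unexpected entries:", extra_shell_entries(ini_shell))
    print("live Winlogon audit:", audit_live_winlogon())
```

The same `extra_shell_entries` rule applies to the Windows 2000/XP registry value and to the Windows 9x/Me SYSTEM.INI line, which is why the removal steps for both platforms below amount to restoring the value to plain explorer.exe.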

The worm gathers all email addresses it finds on the local workstation in files with the following extensions:
* .HTM
* .HTML
* .DBX
* .WAB
* .TBB
* .ABD
and saves them in the file \%WinDIR%\winload.log

The worm makes a ZIP archive in \%WinDIR%\Temp\zip.tmp containing the malware and sends it to all email addresses it found.

Worm/Dumaru.Y monitors all active processes and logs all keystrokes to \%WinDIR%\vxdload.log. The backdoor component can upload this file to an FTP server using port 10000.

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:
* \%WinDIR%\%SystemDIR%\l32x.exe
* \%WinDIR%\%SystemDIR%\vxd32v.exe
* \%WinDIR%\Temp\zip.tmp
* \%WinDIR%\winload.log
* \%WinDIR%\vxdload.log
* \%StartUp%\dllxw.exe

Start "regedit" after that and delete the following registry entry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\l32x.exe"

Change the existing entry

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"explorer.exe \%WinDIR%\%SystemDIR%\vxd32v.exe"

into:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"explorer.exe"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* \%WinDIR%\%SystemDIR%\l32x.exe
* \%WinDIR%\%SystemDIR%\vxd32v.exe
* \%WinDIR%\Temp\zip.tmp
* \%WinDIR%\winload.log
* \%WinDIR%\vxdload.log
* \%StartUp%\dllxw.exe

Start "regedit" after that and delete the following registry entry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="\%WinDIR%\%SystemDIR%\l32x.exe"

Change the existing entry in SYSTEM.INI

shell=explorer.exe \%WinDIR%\%SystemDIR%\vxd32v.exe

into:

shell=explorer.exe

Restart your computer.
Description added by Crony Walker on Tuesday, 15 June 2004
