PC Hell: Dumaru Worm Virus Removal Instructions

How to Remove the Dumaru virus

What is the Dumaru Virus?

W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan called NAROD.A onto the infected machine. It connects to IRC via port 6667 to allow remote users to manipulate infected systems, and also performs a Denial of Service (DoS) attack against other machines using infected systems. The worm gathers email addresses from certain file types and uses its own SMTP mailing engine to email itself. This particular virus should be seen as a virus immediately since Microsoft will not send patches like this via email.

For information on the Dumaru.Y virus click here

The email has the following characteristics:

From: "Microsoft" security@microsoft.com

Subject: Use this patch immediately !

Message:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment: patch.exe

What Does the Dumaru Worm Do?

This virus infects .EXE files using Alternate Data Stream (ADS). It searches the entire system for target executables but is only able to infect files in the root directory. This virus runs on Windows 95, 98, ME, NT, 2000, and XP. However, since only Windows 2000 and XP systems support Alternate Data Stream, it leaves .EXE files infected in other platforms unrecoverable.

Copies itself as the following:

%Windir%\dllreg.exe
%System%\load32.exe
%System%\vxdmgr32.exe

NOTES:
- %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates %Windir%\windrv.exe (8,192 bytes), which is an IRC Trojan. When run, it connects to a predefined IRC server and joins a specific channel to listen for commands from the worm's creator.
Creates %Windir%\winload.log, which is a log file. The worm uses this file to store the stolen email addresses.
Adds a value:

"load32" = "%Windir%\load32.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that the worm runs when you start Windows.
Modifies the windows section of win.ini file (Windows 95/98/Me only):

[windows] run=%Windir%\dllreg.exe
Modifies the boot section of system.ini file (Windows 95/98/Me only):

[boot] shell=explorer.exe %System%\vxdmgr32.exe
Retrieves email addresses from files with the following extensions:

.htm
.wab
.html
.dbx
.tbb
.abd
Uses its own SMTP engine to email itself.

How Can I Remove the Dumaru worm?

Follow these steps in removing the Dumaru worm

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode

2) Remove the Registry entries

Click on Start, Run, Regedit
In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run

In the right panel, right-click and delete the following entry

load32 = %System%\load32.exe

For Windows XP or NT remove the following keys as well

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate and delete the entry:
Shell = explorer.exe %System%\vxdmgr32.exe
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
In the right panel, locate and delete the string:
run = %Windows%\dllreg.exe
Close the Registry Editor

3) Delete the startup entries from the System.ini and Win.ini files (for Windows 95/98/ME)

Open the SYSTEM.INI file. click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
Under the [boot] section, locate the line that begins with:
Shell=Explorer.exe
From the same line, delete the malware path and file name:
%System%\vxdmgr32.exe
Close the SYSTEM.INI file and click Yes when prompted to save.
Open the WIN.INI file using your default text editor. Click Start>Run, type WIN.INI, then press Enter.
Under the [windows] section, locate the line that begins with:
run =
From the same line(s), delete the malware path and file name:
%Windows%\dllreg.exe
Close the WIN.INI file and click Yes when prompted to save.

3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names:

vxdmgr32.exe (in the Windows\System directory)
dllreg.exe (in the Windows directory)
load32.exe (in the Windows\System directory)
Click Find Now or Search Now.
Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.

Unfortunately because this virus infects EXE files, some files in the root directory maybe unrecoverable and programs would have to be reloaded from original installation disks.

Update: There is now a Dumaru.B version with slightly different characteristics.

For Automatic Removal of Dumaru.A, download the Symantec removal tool