What is the Dumaru Virus?
W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan, detected as NAROD.A, onto the infected machine. The Trojan connects to an IRC server on TCP port 6667 so that remote operators can control infected systems, and those systems are also used to launch Denial of Service (DoS) attacks against other machines. The worm gathers email addresses from certain file types and uses its own SMTP engine to mail itself. The message poses as a security patch from Microsoft; treat any such email as malicious, since Microsoft does not distribute patches by email.
For information on the Dumaru.Y variant, see the separate Dumaru.Y page.
The email has the following characteristics:
From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately !
Message:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe
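The point that Microsoft never mails patches is easy to turn into a mail-gateway check. The following Python, added here as an example and not code from the original page or from any vendor, parses a raw message with the standard library and blocks it when the From: header claims a microsoft.com address and an executable is attached; the exact subject line and patch.exe name seen in this campaign are reported only as corroboration, so the rule also catches variants with different wording. The two messages are constructed samples embedded in the block (the lure uses the worm's own body text with a harmless base64 placeholder in place of the attachment, and the From: header is written with angle brackets so parseaddr splits it cleanly).

```python
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions that no vendor ships as a bare e-mail attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed sample of the lure described on this page. The body is the
# worm's own wording; the attachment bytes are a harmless placeholder string,
# not a real executable.
SAMPLE_LURE = """\
From: "Microsoft" <security@microsoft.com>
To: victim@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="dumaru-sample"

--dumaru-sample
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

--dumaru-sample
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgYmluYXJ5
--dumaru-sample--
"""

# Constructed plain-text notice with no attachment, for contrast.
SAMPLE_BENIGN = """\
From: "Microsoft" <security@microsoft.com>
To: victim@example.com
Subject: Security bulletin summary

Details are published on the Microsoft web site; nothing is attached.
"""


def attachment_names(msg):
    """Return the filenames of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def check_patch_lure(raw_mail):
    """Score one raw RFC 822 message against the Dumaru lure.

    The blocking rule is deliberately generic: a From: address at microsoft.com
    combined with an executable attachment is enough, because Microsoft does
    not distribute patches by e-mail. The subject and file name seen in this
    campaign are reported as corroborating indicators only.
    """
    msg = message_from_string(raw_mail)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    names = attachment_names(msg)
    executables = [n for n in names
                   if "." + n.rpartition(".")[2].lower() in EXECUTABLE_EXTENSIONS]
    result = {
        "claims_microsoft_sender": domain == "microsoft.com"
                                   or domain.endswith(".microsoft.com"),
        "executable_attachment": bool(executables),
        "dumaru_subject": "use this patch immediately" in msg.get("Subject", "").lower(),
        "dumaru_attachment_name": any(n.lower() == "patch.exe" for n in names),
    }
    result["verdict"] = ("block" if result["claims_microsoft_sender"]
                         and result["executable_attachment"] else "pass")
    return result


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, check_patch_lure(sample))
```

The From: header is trivially forged, which is exactly why the check does not trust it: it keys on the combination of the claimed sender and an executable attachment, a pairing that is never legitimate for this sender, rather than on the sender alone.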
What Does the Dumaru Worm Do?
The worm also infects .EXE files using an Alternate Data Stream (ADS). It searches the entire system for target executables but only infects files in the root directory. The worm runs on Windows 95, 98, Me, NT, 2000 and XP. Alternate Data Streams, however, are a feature of the NTFS file system (as used by Windows 2000 and XP); on Windows 95/98/Me, whose FAT file systems have no stream in which to preserve the original program, infected .EXE files cannot be recovered.
- Copies itself to the following locations:
%Windir%\dllreg.exe
%System%\load32.exe
%System%\vxdmgr32.exe
NOTES:
- %Windir% is a variable. The worm locates the Windows installation folder (by default, C:\Windows or C:\Winnt) and copies itself to that location.
- %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates %Windir%\windrv.exe (8,192 bytes), which is an IRC Trojan. When run, it connects to a predefined IRC server and joins a specific channel to listen for commands from the worm's creator.
- Creates %Windir%\winload.log, a log file in which the worm stores the harvested email addresses.
- Adds the value:
"load32" = "%System%\load32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time Windows starts.
- Modifies the [windows] section of the win.ini file (Windows 95/98/Me only):
[windows]
run=%Windir%\dllreg.exe
- Modifies the [boot] section of the system.ini file (Windows 95/98/Me only):
[boot]
shell=explorer.exe %System%\vxdmgr32.exe
- Retrieves email addresses from files with the following extensions:
.htm
.wab
.html
.dbx
.tbb
.abd
- Uses its own SMTP engine to email itself.
How Can I Remove the Dumaru Worm?
Follow these steps to remove the Dumaru worm:
1) Start Windows in Safe Mode by pressing F8 as the computer boots and choosing Safe Mode.
2) Remove the registry entries
- Click Start, Run, type Regedit and press Enter.
- In the left panel, go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, right-click and delete the following entry:
load32 = %System%\load32.exe
- For Windows NT, 2000 or XP, clean the following keys as well. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
- In the right panel, locate the entry:
Shell = explorer.exe %System%\vxdmgr32.exe
and remove the worm's path from it so that only explorer.exe remains; Windows needs the Shell value itself to start the desktop.
- In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
- In the right panel, locate and delete the string:
run = %Windir%\dllreg.exe
- Close the Registry Editor.
3) Delete the startup entries from the System.ini and Win.ini files (Windows 95/98/Me)
- Open the SYSTEM.INI file: click Start>Run, type SYSTEM.INI, then press Enter. This opens the file in your default text editor (usually Notepad).
- Under the [boot] section, locate the line that begins with:
Shell=Explorer.exe
- From the same line, delete the malware path and file name, leaving only Explorer.exe:
%System%\vxdmgr32.exe
- Close the SYSTEM.INI file and click Yes when prompted to save.
- Open the WIN.INI file the same way: click Start>Run, type WIN.INI, then press Enter.
- Under the [windows] section, locate the line that begins with:
run=
- From the same line, delete the malware path and file name:
%Windir%\dllreg.exe
- Close the WIN.INI file and click Yes when prompted to save.
4) Delete the infected files. On Windows Me and XP, turn off System Restore before searching for and deleting these files, so that infected copies held in restore points are removed as well.
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to the Windows folder (C:\WINDOWS) and that subfolders are included, since two of the files sit in the System folder.
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
vxdmgr32.exe (in the Windows\System directory)
dllreg.exe (in the Windows directory)
load32.exe (in the Windows\System directory)
windrv.exe (in the Windows directory; the dropped IRC Trojan)
winload.log (in the Windows directory; the harvested address list)
- Click Find Now or Search Now.
- Delete the displayed files.
5) Reboot the computer and run a thorough virus scan with an up-to-date antivirus program.
Unfortunately, because this worm infects .EXE files, some files in the root directory may be unrecoverable, and the affected programs would have to be reinstalled from their original installation disks.
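The edits in steps 2 and 3 follow a pattern that can be scripted and verified before anything is changed on the machine. The following Python is added here as an example; it is not code from the original page or from any vendor removal tool. It cleans the [boot] shell= and [windows] run= lines of system.ini/win.ini text and plans the registry edits from an exported {key: {value name: data}} map, removing only tokens that end in one of the file names listed above so that a legitimate entry sharing the line survives. The infected Windows 98 .INI contents and the three registry locations named in step 2 are constructed sample data embedded in the block; the code does not touch a live system.

```python
import re

# File names the worm drops (from the description on this page). Only tokens
# that resolve to one of these are removed, so a legitimate program on the
# same shell= or run= line is left in place.
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}

# Constructed sample of an infected Windows 98 system.ini and win.ini.
SAMPLE_SYSTEM_INI = ("[boot]\n"
                     "shell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe\n"
                     "[386Enh]\n"
                     "device=*vshare\n")
SAMPLE_WIN_INI = ("[windows]\n"
                  "load=\n"
                  "run=C:\\WINDOWS\\dllreg.exe\n"
                  "[fonts]\n")

# Constructed export of the three registry locations named in step 2, on an
# infected Windows XP system; ctfmon.exe stands in for a legitimate Run entry.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "load32": r"C:\WINDOWS\System32\load32.exe",
        "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"explorer.exe C:\WINDOWS\System32\vxdmgr32.exe",
    },
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "run": r"C:\WINDOWS\dllreg.exe",
    },
}


def is_dumaru_path(token):
    """True if a path or bare file name ends in one of the dropped file names."""
    return token.replace("/", "\\").rpartition("\\")[2].lower() in DUMARU_FILES


def strip_dumaru_tokens(value):
    """Drop the worm's entries from a space-separated program list.

    Returns (cleaned_value, removed_tokens). Paths containing spaces are not
    handled; the worm writes %Windir%/%System% paths, which have none.
    """
    tokens = value.split()
    removed = [t for t in tokens if is_dumaru_path(t)]
    kept = [t for t in tokens if not is_dumaru_path(t)]
    return " ".join(kept), removed


def clean_ini(text):
    """Clean the [boot] shell= and [windows] run= lines of .INI file text.

    Returns (cleaned_text, removed_tokens); every other line passes through.
    """
    removed, out, section = [], [], None
    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            section = header.group(1).lower()
        else:
            key, sep, value = line.partition("=")
            k = key.strip().lower()
            if sep and ((section == "boot" and k == "shell") or
                        (section == "windows" and k == "run")):
                value, gone = strip_dumaru_tokens(value)
                removed.extend(gone)
                line = f"{key.strip()}={value}"
        out.append(line)
    return "\n".join(out) + "\n", removed


def triage_registry(hives):
    """Plan the step 2 edits on an exported {key: {name: data}} map.

    Returns (action, key, name, new_data) tuples: "delete" where the whole
    value belongs to the worm (Run\\load32, Windows\\run), "rewrite" where
    the worm appended itself to a value that must stay (Winlogon\\Shell).
    """
    plan = []
    for key, values in hives.items():
        for name, data in values.items():
            cleaned, gone = strip_dumaru_tokens(data)
            if not gone:
                continue
            action = "rewrite" if cleaned else "delete"
            plan.append((action, key, name, cleaned if cleaned else None))
    return plan


if __name__ == "__main__":
    print(clean_ini(SAMPLE_SYSTEM_INI))
    print(clean_ini(SAMPLE_WIN_INI))
    for step in triage_registry(SAMPLE_REGISTRY):
        print(step)
```

The distinction the planner draws between "delete" and "rewrite" is the one that matters in practice: the Run and Windows\run values can go entirely, but the Winlogon Shell value must be rewritten to explorer.exe rather than deleted, which is why the registry step above edits it instead of removing it.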
Update: There is now a Dumaru.B variant with slightly different characteristics.
For automatic removal of Dumaru.A, download the Symantec removal tool.