high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Included in our products from | March 2004 (3.79) |
| Protection available since | 24 January 2004 19:24:07 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Change any data that may have become compromised.
Delete the files vxdload.log and winload.log in the Windows folder if they exist.
Editing System.ini
At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.
Close the registry editor and reboot your computer.
More Information
W32/Dumaru-Y is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:
From: "Elene" <FUCKENSUICIDE@HOTMAIL.COM>
Subject line: Important information for you.Read it immediately !
Message text: Hi !
Here is my photo, that you asked for yesterday
Attached file: myphoto.zip
which contains myphoto.jpg<56 SPACES>.exe file.
When executed the worm copies itself to the Windows system folder as l32x.exe and vxd32v.exe and the startup folder as dllxw.exe.
W32/Dumaru-Y monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder.
The worm also logs information in the file winload.log in the Windows folder. W32/Dumaru-Y is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:
From: "Elene" <FUCKENSUICIDE@HOTMAIL.COM>
Subject line: Important information for you.Read it immediately !
Message text: Hi !
Here is my photo, that you asked for yesterday
Attached file: myphoto.zip
which contains myphoto.jpg<56 SPACES>.exe file.
When executed the worm copies itself to the Windows system folder as l32x.exe and vxd32v.exe and the startup folder as dllxw.exe.
W32/Dumaru-Y sets the entry in the registry in order to ensure that the worm is run each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
When executed under Windows NT W32/Dumaru-Y sets the entry in the registry:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell=
"explorer.exe" C:\\Windows\System32\\vxd32.exe
The worm also changes the system.ini file by adding the "C:\WINDOWS\SYSTEM\VXD32V.EXE" to the shell= line.
W32/Dumaru-Y monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder.
The worm also logs information in the file winload.log in the Windows folder.
The logs of system activity may be uploaded to a remote FTP server.
W32/Dumaru-Y has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB.
W32/Dumaru-Y includes a backdoor component which uses port 2283 and an FTP server which uses port 10000.
Once installed W32/Dumaru-Y sends a notification email to the owner.
|
