How to Detect and Remove Dumaru.Y or Dumaru.Z Worm Virus?
What is Dumaru.Y and Dumaru.Z Virus?

The Dumaru.Y virus is a mass-mailing worm that emails copies of itself to email addresses found on the infected machine. It uses its own SMTP engine to send these emails and has backdoor capabilities that allow it to gather keystroke and system information.

The Dumaru.Z virus is almost identical to the Dumaru.Y virus; however, it also has backdoor capabilities: it downloads a component detected as BKDR_IROFFER12.B by Trend Micro.

It runs on Windows 95, 98, ME, NT, 2000 and XP.

The email has the following characteristics:

From: Elene <FU<blocked>ENSUICIDE@hotmail.com>

Subject: Important information for you. Read it immediately !

Message Body:
Hi!
Here is my photo, that you asked for yesterday.

Attachment: myphoto.zip

What Does the Dumaru.Y Worm Do?

  1. Copies itself to the following locations:

    %System%\l32x.exe
    %System%\vxd32v.exe
    %Startup%\dllxw.exe


    NOTES:

    • %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Startup% is the Windows default Startup folder.
  2. Adds a value:

    "load32" = "%System%\l32x.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  3. Modifies the [boot] section of the system.ini file:

    [boot]
    shell=explorer.exe %System%\vxd32v.exe
  4. On Windows NT machines, it also modifies the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    shell = explorer.exe %System%\vxd32v.exe
  5. Retrieves email addresses from files with the following extensions:
    • HTM
    • WAB
    • HTML
    • DBX
    • TBB
    • ABD
  6. Uses its own SMTP engine to email itself.
  7. The program logs keystrokes and gathers information from the infected system. This information is sent to the malicious user by email. It writes the gathered data to the following files:
    • vxdload.log
    • rundllx.sys

    It also gathers clipboard data and protected storage data, as well as user information related to E-gold bank accounts.

  8. It then listens on the following ports for commands from the remote host:
    • 2283
      This port acts as a TCP proxy that malicious users can use to connect to other hosts.
    • 10000
      This port is used to set up a remote File Transfer Protocol (FTP) server that allows full access to all files on the infected system.

    When a connection to the host is established, it sends an email containing the stolen system information using the infected machine's default SMTP server, which it reads from the following registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\00000000

    The Dumaru.Z variant of this virus also has backdoor capabilities: it downloads a component detected as BKDR_IROFFER12.B from the following addresses:

    • http://youand<BLOCKED>edlove.com/load.exe
    • http://gold<BLOCKED> ting.com@%79o%75%61n%64menee%64%6co%76e.com/load.php
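The behaviours listed above leave three kinds of host-side evidence that can be checked before any cleanup: the "load32" Run value and the appended Winlogon Shell value in the registry, the appended shell= line in the [boot] section of system.ini, and TCP listeners on ports 2283 and 10000. The audit below is an added example written for this page, not the article's or any vendor's tool. Every indicator value is taken from the description above; the system.ini text, registry values and netstat output are constructed samples shaped like an infected machine, and the live registry reader is a Windows-only convenience whose key paths are the ones the article names.

```python
"""Host audit for the Dumaru.Y/Z indicators listed above (added example)."""
from __future__ import annotations
import re
import sys

RUN_VALUE_NAME = "load32"                 # Run value the worm adds
DROPPED_BINARY = "l32x.exe"               # binary that Run value launches
BACKDOOR_PORTS = {2283, 10000}            # TCP proxy and FTP backdoor listeners


def shell_extras(shell_value: str) -> list:
    """Tokens appended after explorer.exe in a Shell setting (empty when clean)."""
    tokens = shell_value.strip().split()
    if not tokens or tokens[0].lower() != "explorer.exe":
        return tokens                      # unexpected shell binary: surface it all
    return tokens[1:]


def audit_system_ini(text: str) -> list:
    """Report an appended shell in the [boot] section of system.ini."""
    boot = re.search(r"^\[boot\]\s*$(.*?)(?=^\[|\Z)", text, re.S | re.M | re.I)
    if not boot:
        return []
    m = re.search(r"^\s*shell\s*=(.*)$", boot.group(1), re.M | re.I)
    extras = shell_extras(m.group(1)) if m else []
    return [f"system.ini [boot] shell= carries: {' '.join(extras)}"] if extras else []


def audit_registry(run_values: dict, winlogon_shell: str) -> list:
    """Check the Run key values and the Winlogon Shell value (NT family)."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith(DROPPED_BINARY):
            findings.append(f"Run value {name!r} = {data}")
    extras = shell_extras(winlogon_shell)
    if extras:
        findings.append(f"Winlogon Shell carries: {' '.join(extras)}")
    return findings


def audit_netstat(netstat_output: str) -> list:
    """Flag TCP listeners on the worm's command ports in `netstat -an` output."""
    pattern = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    findings = []
    for line in netstat_output.splitlines():
        m = pattern.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            findings.append(f"TCP listener on port {m.group(1)}")
    return findings


def read_live_registry() -> tuple:
    """Windows only: read the Run values and Winlogon Shell from the live registry."""
    import winreg                          # only available on Windows, by design
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:                # no more values under the key
                break
            run_values[name] = str(data)
            index += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return run_values, str(shell)


def run_audit(system_ini: str, run_values: dict, shell: str, netstat: str) -> list:
    """Combine the three checks into one list of findings."""
    return audit_system_ini(system_ini) + audit_registry(run_values, shell) + audit_netstat(netstat)


# Constructed samples shaped like an infected machine (not real captures).
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe %System%\\vxd32v.exe\n[386Enh]\n"
SAMPLE_RUN = {"load32": r"C:\Windows\System\l32x.exe",
              "ctfmon": r"C:\Windows\System32\ctfmon.exe"}
SAMPLE_SHELL = r"explorer.exe C:\Windows\System32\vxd32v.exe"
SAMPLE_NETSTAT = (
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING\n"
)

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_SYSTEM_INI, SAMPLE_RUN, SAMPLE_SHELL, SAMPLE_NETSTAT):
        print("INDICATOR:", finding)
```

On a real Windows host, `read_live_registry()` replaces the two registry samples and the output of `netstat -an` replaces `SAMPLE_NETSTAT`; system.ini can be read from the Windows directory. The Shell checks deliberately report anything after explorer.exe rather than matching vxd32v.exe by name, since a renamed payload would otherwise slip past.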
How to Remove the Dumaru.Y worm?

Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Dumaru.Y or Dumaru.Z during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Dumaru.Y worm:

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode.

2) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

  • In the right panel, right-click and delete the following entry

"load32" = "%System%\l32x.exe"

  • For Windows XP or NT, change the following key as well:

    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
  • In the right panel, locate the Shell entry and change it from:
    Shell = explorer.exe %System%\vxd32v.exe
    to
    Shell = explorer.exe
  • Close the Registry Editor

3) Correct entries in the System.ini file

  1. Open the SYSTEM.INI file: click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
  2. Under the [boot] section, locate the line that begins with:
    Shell=Explorer.exe
  3. From the same line, delete the malware path and file name:
    %System%\vxd32v.exe
  4. Close the SYSTEM.INI file and click Yes when prompted to save.

4) Delete the additional entry in the Startup group

From the Startup Group delete the file:

  • dllxw.exe

5) Delete the infected files. (For Windows ME and XP, turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well.)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    l32x.exe (in the Windows\System directory)
    vxd32v.exe (in the Windows\System directory)
    winload.log (in the Windows directory)
    vxdload.log
    rundllx.sys
  • Click Find Now or Search Now.
  • Delete the displayed files.

6) Reboot the computer and run a thorough virus scan with your preferred antivirus program. If you do not know which antivirus software provides strong protection, Kaspersky Internet Security is recommended.

  1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Dumaru.Y or Dumaru.Z, click Delete.
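Steps 2) to 5) above are each a small, mechanical edit: remove one Run value, strip the appended path from the Winlogon Shell value, strip the same path from the shell= line of system.ini, and delete the dropped files. The helpers below are an added example for this page, not the article's own tool or a vendor utility: each step is expressed as a pure transform over the affected data, so the result can be checked on the constructed sample input before the change is applied to a real machine with regedit, Notepad and Explorer as the steps describe. The directory arguments follow the article's note on %System% and %Startup%, and the Startup path used in the demonstration is an assumed sample value.

```python
"""Worked cleanup transforms for the Dumaru.Y/Z removal steps (added example)."""
from __future__ import annotations
import ntpath

RUN_VALUE_NAME = "load32"
# Dropped copies and the folder placeholder the article uses for each.
DROPPED_FILES = {"l32x.exe": "%System%", "vxd32v.exe": "%System%", "dllxw.exe": "%Startup%"}
# Log files the article lists for the search-and-delete step (Windows directory).
LOG_FILES = ("winload.log", "vxdload.log", "rundllx.sys")


def clean_shell_value(value: str) -> str:
    """Reset 'explorer.exe <appended payload>' to plain 'explorer.exe'."""
    tokens = value.strip().split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return "explorer.exe"
    return value.strip()                   # not the expected shell: leave for manual review


def clean_system_ini(text: str) -> str:
    """Rewrite only the shell= line of the [boot] section; keep every other byte."""
    out, section = [], None
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]          # preserve the original line ending
        stripped = body.strip()
        key, sep, val = stripped.partition("=")
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot" and sep and key.strip().lower() == "shell":
            line = f"{key.strip()}={clean_shell_value(val)}{ending}"
        out.append(line)
    return "".join(out)


def run_values_to_delete(run_values: dict) -> list:
    """Names of Run values that launch the dropped binary."""
    return [name for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith("l32x.exe")]


def files_to_delete(system_dir: str, startup_dir: str, windows_dir: str) -> list:
    """Resolve the article's placeholders to concrete paths for the delete step."""
    folders = {"%System%": system_dir, "%Startup%": startup_dir}
    paths = [ntpath.join(folders[where], name) for name, where in DROPPED_FILES.items()]
    paths += [ntpath.join(windows_dir, name) for name in LOG_FILES]
    return paths


# Constructed samples of the infected settings (not real captures).
SAMPLE_SYSTEM_INI = ("[boot]\nshell=explorer.exe %System%\\vxd32v.exe\n"
                     "[386Enh]\nwoafont=dosapp.fon\n")
SAMPLE_RUN = {"load32": r"C:\Windows\System\l32x.exe",
              "ctfmon": r"C:\Windows\System32\ctfmon.exe"}
SAMPLE_WINLOGON_SHELL = r"explorer.exe C:\Windows\System32\vxd32v.exe"

if __name__ == "__main__":
    print(clean_system_ini(SAMPLE_SYSTEM_INI), end="")
    print("Run values to delete:", run_values_to_delete(SAMPLE_RUN))
    print("Winlogon Shell ->", clean_shell_value(SAMPLE_WINLOGON_SHELL))
    # Assumed sample directories for a Windows XP machine.
    for path in files_to_delete(r"C:\Windows\System32",
                                r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
                                r"C:\Windows"):
        print("delete:", path)
```

Keeping the transforms separate from the write-back means the cleaned system.ini and the reduced Shell value can be diffed against the originals first; a Shell value that does not start with explorer.exe is returned unchanged rather than guessed at, which is the case that deserves a manual look.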
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If you still receive the message that contains the virus, do not open it and do not run the attached file; delete it, and make sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
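Tip 1 above asks for a filter that rejects messages with the characteristics listed at the top of the page (the Subject line, the body text and the myphoto.zip attachment). The check below is an added example for this page, not part of the article and not any product's filter rule: it parses a raw message, scores it against those indicators, and additionally opens ZIP attachments to flag executables inside, which is an added heuristic rather than something the article states. The two messages it builds are constructed samples, and the sender address is a placeholder because the article redacts the real one.

```python
"""Mail-filter check for the Dumaru.Y/Z carrier message (added example)."""
from __future__ import annotations
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the article, lower-cased for comparison.
SUBJECT_IOC = "important information for you. read it immediately"
BODY_IOC = "here is my photo, that you asked for yesterday"
ATTACHMENT_IOC = "myphoto.zip"
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumption: typical worm payload types


def zip_has_executable(data: bytes) -> bool:
    """True if any ZIP member name ends in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXEC_EXTS) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False                       # corrupt archive: leave to other rules


def score_message(raw: bytes) -> list:
    """Return the indicator names matched by a raw RFC 822 message, in fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_IOC in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_IOC in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_IOC:
            hits.append("attachment-name")
        if name.endswith(".zip") and zip_has_executable(part.get_payload(decode=True)):
            hits.append("zip-contains-executable")
    return hits


def should_reject(raw: bytes) -> bool:
    """Reject on either attachment indicator alone, or when two text indicators align."""
    hits = score_message(raw)
    return "attachment-name" in hits or "zip-contains-executable" in hits or len(hits) >= 2


def build_sample(malicious: bool = True) -> bytes:
    """Construct a test message: the worm's shape, or a benign one with a harmless ZIP."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        if malicious:
            zf.writestr("myphoto.exe", b"placeholder, not a real binary")
        else:
            zf.writestr("notes.txt", b"quarterly figures")
    msg = EmailMessage()
    msg["From"] = "Elene <sender@example.invalid>"   # placeholder address
    msg["To"] = "user@example.invalid"
    if malicious:
        msg["Subject"] = "Important information for you. Read it immediately !"
        msg.set_content("Hi!\nHere is my photo, that you asked for yesterday.\n")
        filename = "myphoto.zip"
    else:
        msg["Subject"] = "Meeting notes"
        msg.set_content("See attached.\n")
        filename = "notes.zip"
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        raw = build_sample(malicious=flag)
        print("reject" if should_reject(raw) else "accept", score_message(raw))
```

The rejection rule treats the attachment indicators as sufficient on their own and requires two of the text indicators to agree, so a legitimate message that happens to share one phrase is not dropped while a re-worded carrier with the same archive still is.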