W32/Dumaru-E

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Renaming the registry editor

• Using Windows explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt) right-click Regedit.exe and make a copy of it.
• Rename the copy of Regedit.exe to Regedit.com.
• At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
load32 = load32.exe

and delete it if it exists.

Close the registry editor.

Editing Win.ini

At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any references to the files you removed. Delete only that reference, not any other text.

Editing System.ini

At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.

Reboot your computer.

W32/Dumaru-E is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:

From: security@microsoft.com
Subject line: Use this patch immediately !
Message text:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attached file: patch.exe

The worm copies itself to the Windows folder as dllreg.exe, the Windows system folder as load32.exe and vxdmgr.exe and the startup folder as rundllw.exe. The worm also creates the file guid32.dll in the Windows folder. Guid32.dll monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder. The worm also logs information in the file winload.log in the Windows folder. The logs of system activity may be uploaded to a remote FTP server.

W32/Dumaru-E creates the following entries in the registry in order to ensure that the worm is run each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\load32 = load32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders\startup = load32.exe

The worm also adds the name of one of the copies of itself to the Run= line of win.ini and the shell= line of system.ini.

W32/Dumaru-E searches for email addresses to send itself to in the files with the extensions HTM, WAB, HTML, DBX, TBB and ABD.

The worm may also terminate processes with the following names:

ZAUINST.EXE
ZAPRO.EXE
ZONEALARM.EXE
ZATUTOR.EXE
MINILOG.EXE
VSMON.EXE
LOCKDOWN.EXE
ANTS.EXE
FAST.EXE
GUARD.EXE
TC.EXE
SPYXX.EXE
PVIEW95.EXE
REGEDIT.EXE
DRWATSON.EXE
SYSEDIT.EXE
NSCHED32.EXE
MOOLIVE.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
SS3EDIT.EXE
UPDATE.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
WGFE95.EXE
POPROXY.EXE
NPROTECT.EXE
VSSTAT.EXE
VSHWIN32.EXE
NDD32.EXE
MCAGENT.EXE
MCUPDATE.EXE
WATCHDOG.EXE
TAUMON.EXE
IAMAPP.EXE
IAMSERV.EXE
LOCKDOWN2000.EXE
SPHINX.EXE
WEBSCANX.EXE
VSECOMR.EXE
PCCIOMON.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
FRW.EXE
BLACKICE.EXE
BLACKD.EXE
WRCTRL.EXE
WRADMIN.EXE
WRCTRL.EXE
PCFWALLICON.EXE
APLICA32.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
CFINET.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
NVARCH16.EXE
MSSMMC32.EXE
PERSFW.EXE
VSMAIN.EXE
LUALL.EXE
LUCOMSERVER.EXE
AVSYNMGR.EXE
DEFWATCH.EXE
RTVSCN95.EXE
VPC42.EXE
VPTRAY.EXE
PAVPROXY.EXE
APVXDWIN.EXE
AGENTSVR.EXE
NETSTAT.EXE
MGUI.EXE
MSCONFIG.EXE
NMAIN.EXE
NISUM.EXE
NISSERV.EXE

W32/Dumaru-E includes a backdoor component which uses port 2283 and an FTP server which uses port 10000.