Summary
| Affected operating systems | Windows |
|---|---|
| Protection available since | 26 January 2004 17:14:07 (GMT) |
| Detected by | All Sophos products (Endpoint Security and Control 9.0; Small business solutions 4.0) |
Action
Please follow the instructions for removing worms.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
This value should contain only a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare). Remove any reference to any file you deleted. You may need to restore the reference to explorer.exe if the worm replaced it.
Close the registry editor.
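The two registry checks above can be applied to an exported .reg file rather than by hand in Regedit, which is useful when auditing several machines. The script below is an added example and is not Sophos tooling: it parses the REG_SZ values of a .reg export, reports Run entries that launch one of the file names listed in this description, and works out what the Winlogon Shell value should become once references to deleted files are removed. SAMPLE_REG is constructed sample data (the "ExampleUpdater" entry and the C:\WINDOWS\system32 path are placeholders, not values from this description).

```python
"""Check a Windows registry export (.reg text) for the W32/Dumaru-K
persistence entries named in the removal instructions, and work out the
cleaned Winlogon Shell value.

Added example; it is not Sophos tooling. SAMPLE_REG is constructed data,
not a real export, and the "ExampleUpdater" entry is a placeholder.
"""
import re

# Key paths from the instructions (compared case-insensitively, as the registry does).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
# File names the description attributes to the worm and the components it downloads.
WORM_FILES = {"dllxw.exe", "l32x.exe", "vxd32v.exe", "zip.tmp", "nvidia32.exe", "rwtrisfg32.dll"}
# Shell references the instructions say are legitimate (NALWIN32.exe on NetWare clients).
ALLOWED_SHELLS = {"explorer", "explorer.exe", "nalwin32.exe"}

# Constructed sample export: one benign placeholder entry plus the two worm entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"load32"="l32x.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer C:\\WINDOWS\\system32\\vxd32v.exe"
'''


def parse_reg_export(text):
    """Parse REG_SZ values from .reg text into {key_path: {value_name: data}}.

    Key paths and value names are lower-cased. A .reg file escapes each
    backslash as two; that is undone so data matches what Regedit displays.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            keys[current] = {}
            continue
        value = re.match(r'^(?:@|"([^"]*)")="(.*)"$', line)
        if current is not None and value:
            name = "@" if value.group(1) is None else value.group(1).lower()
            keys[current][name] = value.group(2).replace("\\\\", "\\")
    return keys


def find_run_entries(keys):
    """Return (value_name, data) for Run entries that launch a known worm file."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        basename = data.strip('"').split("\\")[-1].lower()
        if basename in WORM_FILES:
            hits.append((name, data))
    return hits


def clean_shell_value(shell):
    """Drop every token of a Winlogon Shell value that is not a permitted shell.

    Returns (cleaned_value, removed_tokens). If nothing permitted is left,
    explorer.exe is restored, as the instructions allow.
    """
    tokens = [t for t in re.split(r"[,\s]+", shell.strip()) if t]
    kept, removed = [], []
    for token in tokens:
        if token.split("\\")[-1].lower() in ALLOWED_SHELLS:
            kept.append(token)
        else:
            removed.append(token)
    if not kept:
        kept = ["explorer.exe"]
    return ",".join(kept), removed


def scan_export(text):
    """Apply both checks to a .reg export and return a findings dict."""
    keys = parse_reg_export(text)
    shell = keys.get(WINLOGON_KEY, {}).get("shell")
    cleaned, removed = (None, []) if shell is None else clean_shell_value(shell)
    return {
        "run_hits": find_run_entries(keys),
        "shell_current": shell,
        "shell_cleaned": cleaned,
        "shell_removed": removed,
    }


if __name__ == "__main__":
    for item, value in scan_export(SAMPLE_REG).items():
        print(f"{item}: {value}")
```

Export the hive with Regedit (or `reg export`) and pass the file's text to scan_export. The Shell value is split on commas and whitespace, so a legitimate shell path containing spaces would need quoting in the value or a tweak to the split; the script reports what it would remove rather than writing to the registry, so the result can be checked before any value is changed.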
More Information
W32/Dumaru-K arrives in an email with the following characteristics:
Subject line: Important information for you. Read it immediately !
Message text: Here is my photo, that you asked for yesterday.
Attached file: myphoto.zip
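The three message characteristics above are enough for a mail-gateway or mailbox-audit rule. The script below is an added example, not Sophos code: it parses a raw RFC 822 message with the standard library, reports which of the described subject, body and attachment-name indicators match, and as a generalisation beyond this description (an assumption, not a characteristic Sophos lists for this worm) also flags any zip attachment that contains an executable. The message it builds is constructed sample data and the zip holds a placeholder file, not the worm.

```python
"""Gateway-style check for the W32/Dumaru-K message characteristics.

Added example, not Sophos code. The message produced by
build_sample_message() is constructed data; its zip payload holds a
placeholder text file named like an executable, not a real program.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Characteristics quoted in the description.
DUMARU_K_SUBJECT = "Important information for you. Read it immediately !"
DUMARU_K_BODY = "Here is my photo, that you asked for yesterday."
DUMARU_K_ATTACHMENT = "myphoto.zip"
# Generic rule (assumption, not from the description): archives carrying executables.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_contains_executable(data):
    """Return True if any member of the zip archive has an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith(EXECUTABLE_SUFFIXES) for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_message(raw):
    """Parse a raw message and return the list of matched indicators, in check order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    matched = []
    if (msg["Subject"] or "").strip() == DUMARU_K_SUBJECT:
        matched.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == DUMARU_K_BODY:
        matched.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == DUMARU_K_ATTACHMENT:
            matched.append("attachment-name")
        if name.endswith(".zip") and zip_contains_executable(part.get_payload(decode=True)):
            matched.append("zip-with-executable")
    return matched


def build_sample_message():
    """Construct a message with the described characteristics (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("placeholder.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = DUMARU_K_SUBJECT
    msg.set_content(DUMARU_K_BODY)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=DUMARU_K_ATTACHMENT)
    return msg.as_bytes()


if __name__ == "__main__":
    print("matched indicators:", classify_message(build_sample_message()))
```

The subject, body and attachment name are exact-match indicators for this worm only; the zip-contents rule is the part worth keeping as a general policy, since it does not depend on the wording a particular variant uses.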
The email addresses to which the worm mass-mails itself are harvested from files with the following extensions and are saved to the file winload.log in the Windows folder:
htm
html
wab
dbx
tbb
abd
When W32/Dumaru-K is run the following copies will be created:
<startup>\dllxw.exe
<system>\l32x.exe
<system>\vxd32v.exe
<temp>\zip.tmp
The following registry entries are created with references to these copies of the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer C:\<system>\vxd32v.exe
W32/Dumaru-K downloads a Trojan dropper, detected by Sophos Anti-Virus as Troj/Small-AW, to the Windows folder with the filename nvidia32.exe. The dropper is then executed and drops and runs the DLL file rwtrisfg32.dll, which is an IRC backdoor Trojan detected by Sophos Anti-Virus as Troj/Mahru-A.
Please see the descriptions of Troj/Small-AW and Troj/Mahru-A for more details.
W32/Dumaru-K will periodically send an email to an attacker containing information about the victim's computer.
