FRISK Software International

Virus Info > Virus Threats > Dumaru.A@mm


Summary of W32/Dumaru.A@mm
Alias:Dumaru
Discovered: 19 Aug 2003
Definition files: 19 Aug 2003
Risk Level: Low
Distribution:Low
 
Jump to:
Brief description
Technical description

Brief Description

W32/Dumaru.A@mm is a mass-mailer that distributes under the disguise of being a patch distributed by Microsoft.

W32/Dumaru.A@mm is detected by F-Prot Antivirus, using virus signature files dated 19 August 2003 or later.



Technical Description

W32/Dumaru.A@mm is packed with an unmodified version of UPX, and its unpacked size is 20480 bytes.

It has its own SMTP engine and drops an IRC component which F-Prot Antivirus detects as a security risk. This is a backdoor program which will connect to an IRC server and await further commands.

W32/Dumaru.A@mm adds entries to the Windows Registry, in:

[Software\Microsoft\Windows\CurrentVersion\Run]

The virus adds this entry to the registry in order to ensure that it will be run next time Windows starts.

The messages it sends, have the following format:

From: "Microsoft"

Subject: Use this patch immediately !

Body:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment name: patch.exe

The worm issues this SMTP command: 

 MAIL FROM:

So that address might appear in the "Return-Path" field of the message.

It will look for addresses where to send itself from files with extensions in the following list: 

 .htm
 .wab
 .html
 .dbx
 .tbb
 .abd

It will create a file in: 

 %systemdir%\winload.log

For its own use.



[Description: Ero Carrera; 19th of August, 2003]
 
Virus Info by Platform

Virus Info by Letter:

F-PROT Antivirus Alerts
Stay up to date with important developments via e-mail.
more...
Life cyle policy
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
more...
RSS News Feeds
Virus news and information directly to your desktop.
more...
Glossary of Terms
Definitions of common antivirus terminology.
more...
More Virus Info
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net