W32/Dumaru.A@mm is packed with an unmodified version of UPX, and its unpacked size is 20480 bytes.
It has its own SMTP engine and drops an IRC component which F-Prot Antivirus detects as a security risk. This is a backdoor program which will connect to an IRC server and await further commands.
W32/Dumaru.A@mm adds entries to the Windows Registry, in:
The virus adds this entry to the registry in order to ensure that it will be run next time Windows starts.
The messages it sends, have the following format:
Subject: Use this patch immediately !
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment name: patch.exe
The worm issues this SMTP command:
So that address might appear in the "Return-Path" field of the message.
It will look for addresses where to send itself from files with extensions in the following list:
It will create a file in:
For its own use.