FRISK Software International

Summary of W32/Dumaru.A@mm
Discovered: 19 Aug 2003
Definition files: 19 Aug 2003
Risk Level: Low

Brief Description

W32/Dumaru.A@mm is a mass-mailer that spreads disguised as a patch from Microsoft.

W32/Dumaru.A@mm is detected by F-Prot Antivirus, using virus signature files dated 19 August 2003 or later.

Technical Description

W32/Dumaru.A@mm is packed with an unmodified version of UPX, and its unpacked size is 20480 bytes.

It has its own SMTP engine and drops an IRC component which F-Prot Antivirus detects as a security risk. This is a backdoor program which will connect to an IRC server and await further commands.

W32/Dumaru.A@mm adds entries to the Windows Registry, in:


The virus adds this entry to the registry in order to ensure that it will be run next time Windows starts.

The messages it sends have the following format:

From: "Microsoft"

Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Attachment name: patch.exe
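
A mail-gateway check for the message format above, as an added example that is not part of the original description or of F-Prot Antivirus. The function names, the sample sender address and the UPX test (the "MZ" magic plus the UPX0/UPX1 section names that an unmodified UPX leaves near the start of the file) are assumptions of this example; the sample message is constructed and its attachment is inert filler.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Traits taken from the message format described above.
SUBJECT = "use this patch immediately !"
FROM_NAME = "microsoft"
ATTACHMENT = "patch.exe"


def looks_upx_packed(data: bytes) -> bool:
    # Heuristic (assumption of this example): DOS "MZ" magic plus the
    # UPX0/UPX1 section names an unmodified UPX writes into the PE headers.
    head = data[:1024]
    return head.startswith(b"MZ") and b"UPX0" in head and b"UPX1" in head


def dumaru_indicators(raw: bytes) -> list:
    """Return which Dumaru.A message traits a raw e-mail exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse runs of whitespace so header folding does not hide a match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == SUBJECT:
        hits.append("subject")
    names = [n.strip().lower()
             for n, _ in getaddresses([str(msg.get("From", ""))])]
    if FROM_NAME in names:
        hits.append("from-name")
    for part in msg.walk():
        if (part.get_filename() or "").strip().lower() != ATTACHMENT:
            continue
        hits.append("attachment-name")
        if looks_upx_packed(part.get_payload(decode=True) or b""):
            hits.append("upx-packed-pe")
    return hits


def build_sample() -> bytes:
    # Constructed test message; the attachment is filler bytes, not malware.
    msg = EmailMessage()
    msg["From"] = '"Microsoft" <sender@example.invalid>'
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content("Dear friend , use this Internet Explorer patch now!")
    fake_pe = b"MZ" + b"\x00" * 510 + b"UPX0" + b"\x00" * 36 + b"UPX1"
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    return msg.as_bytes()
```

A message that matches on several traits at once is a much stronger signal than any single one; the subject or attachment name alone can occur in unrelated mail.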

The worm issues this SMTP command:


So that address might appear in the "Return-Path" field of the message.

It searches for e-mail addresses to send itself to in files with extensions in the following list:


It will create a file in:


For its own use.

[Description: Ero Carrera; 19th of August, 2003]
