WORM_DUMARU.AF
Microsoft : Worm:Win32/Dumaru.Y@mm ; Symantec : W32.Dumaru.Y@mm ;
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following files:
- %WINDOWS%\winload.log
It drops the following copies of itself into the affected system:
- %User Startup%\dllxw.exe
- %WINDOWS%\system32\l32x.exe
- %WINDOWS%\system32\vxd32v.exe
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
load32 = %system%\l32x.exe
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe %system%\vxd32v.exe
(Note: The default value data of the said registry entry is Explorer.exe.)
Other System Modifications
This worm creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = {malware path and file name}:*:Enabled:{malware file name